oss-sec mailing list archives
Re: CVE request(?): hostapd: improper file permissions of hostapd's config leaks credentials
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 23 May 2012 11:15:48 +0200
Hi Matthias, thank you for your request. On 05/23/2012 10:21 AM, Matthias Weckbecker wrote:
Hi Kurt, Hi vendors, not too critical in my opinion, but I think still worth to be at least mentioned briefly as other distros such as Fedora 16 were affected too: https://bugzilla.novell.com/show_bug.cgi?id=740964 I'm not sure whether this issue should get a CVE,
We have previously checked this with John W.Linville (Cc-ed on this post too) with reply from him being as inlined below: ---<inline>--- Jan, I think you understand it all correctly. Thanks, John On Thu, 2012-05-17 at 12:44 +0200, Jan Lieskovsky wrote: > Hello John, > > this is due the following Novell bug: > [1] https://bugzilla.novell.com/show_bug.cgi?id=740964 > > I have checked that Fedora hostapd versions, have permissions like > (thus insecure too): > > # ls -l /etc/hostapd/hostapd.conf > -rw-r--r--. 1 root root 722 Feb 9 2011 /etc/hostapd/hostapd.conf > > I am taking the default content of /etc/hostapd/hostapd.conf > as an example configuration (thus something which should the > administrator of the system to update to reflect their needs > to get hostapd for their wireless network configuration to > work properly. > > Thus as such I would say this is just issue of proper configuration > (in the moment of editing the configuration file the administrator > should update the permissions on the config file too to ensure WPA > password wouldn't leak, right?), than a real security flaw. > > Do you agree with this view or should I request CVE identifier > for this issue and we should get hostapd packages in Fedora updated > to correct this? > > Thank you && Regards, Jan. > -- > Jan iankko Lieskovsky / Red Hat Security Response Team > > P.S.: > > For the other part of Novell bug (permissions for hostapd.wpa_psk > in Fedora versions there doesn't seem to be other hostapd.wpa_psk > than just: > > /usr/share/doc/hostapd-0.7.3/hostapd.wpa_psk > > which I think is there for documentation / config sample purposes). > Thus I would not consider this second part as a security issue. -- John W. Linville The water won't run clean until you get linville () redhat com the pigs out of the creek. ---</inline>--- Thus basically from the above, we wouldn't look at this one as a security flaw, because this is more question of proper configuration, rather than a real security flaw (the administrator needs in any case edit /etc/hostapd/hostapd.conf it to suite their needs / their local wireless configuration before being able to use the hostapd service. And in that moment [when entering sensitive WPA information there], they should also change the permissions of the hostapd configuration it to be more secure / not readable by all local users). Thus maybe something to be explicitly mentioned in the documentation (change permissions of the config file post update), but not a security flaw.
but in the past similar vulnerabilities got a CVE (e.g. CVE-2012-0863).
From http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863 and mainly from: https://bugs.launchpad.net/ubuntu/+source/mumble/+bug/783405/comments/0 the passwords in this case were stored in plaintext in the database, which is something slightly different. Hope this helps. Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Thanks, Matthias
Current thread:
- CVE request(?): hostapd: improper file permissions of hostapd's config leaks credentials Matthias Weckbecker (May 23)
- Re: CVE request(?): hostapd: improper file permissions of hostapd's config leaks credentials Jan Lieskovsky (May 23)
- Re: CVE request(?): hostapd: improper file permissions of hostapd's config leaks credentials Matthias Weckbecker (May 23)
- Re: CVE request(?): hostapd: improper file permissions of hostapd's config leaks credentials Kurt Seifried (May 23)
- Re: CVE request(?): hostapd: improper file permissions of hostapd's config leaks credentials Jan Lieskovsky (May 23)