Storing plain text private key password on the system (Security Issue)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
network-manager-openvpn (Ubuntu) |
Confirmed
|
Low
|
Unassigned |
Bug Description
Dear reader,
It came to my attention that when using the network-
[vpn-secrets]
cert-pass=******
I consider this a security risk due to the fact that when a system is compromised, an attacker is able to impersonate the victim by using the OpenVPN profile together with the private key password.
The system this was tested on:
Description: Ubuntu 18.04.2 LTS
Release: 18.04
Package info:
network-
Installed: 1.8.2-1
Candidate: 1.8.2-1
Version table:
* 1.8.2-1 500
500 http://
100 /var/lib/
I look forward to your response.
Kind regards,
Scott Brugman
information type: | Private Security → Public Security |
Changed in network-manager-openvpn (Ubuntu): | |
status: | New → Confirmed |
That's just the nature of storing secrets for later use. The only way to store a key in an encrypted form would require the user to then supply a decryption key, probably in the form of a password that would then be handed to a key derivation function. That only slightly moves the goalposts.
I'd expect that you should be able to delete that line or that section of the file to then be prompted for the password when establishing a connection; if so, that's probably the direction to take.
Thanks