NetworkManager does not support AES-encrypted private keys for WPA 802.1x authentication
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | NetworkManager |
Confirmed
|
Wishlist
|
||
| | network-manager (Ubuntu) |
Medium
|
Unassigned | ||
| | Bionic |
Medium
|
Unassigned | ||
Bug Description
* Impact
Selecting AES-{192,256}-CBC keys to connect isn't working
* Test case
1. Start with a working (cleartext or DES-3) private key/cert for a network. Set up a connection and verify that everything works.
2. Re-encrypt the key with AES-256 with this command: "openssl rsa -in working-key.pem -out aes-key.pem -aes256" (the output should have a line starting with "DEK-Info: AES-256-CBC,")
3. Delete the settings for the test network and attempt to reconnect using the new key.
That should work
* Regression potential
That's new code for an extra type of keys, it shouldn't impact existing options
--------------
NetworkManager does not appear to support private keys encrypted with AES. At the very least, it will not validate such a key in nm-util when setting up a WPA 802.1x TLS wifi connection.
CVE References
| Changed in network-manager: | |
| importance: | Unknown → Medium |
| status: | Unknown → New |
| Tony Espy (awe) wrote : | #1 |
Walter, could you please add some more details ( Ubuntu release, NM version, ... )?
| Changed in network-manager (Ubuntu): | |
| status: | New → Incomplete |
| Walter Mundt (waltermundt) wrote : | #2 |
Ubuntu Release: 11.10
network-manager version: 0.9.1.90-0ubuntu5.1
network-
Anything else I should add?
|
|
#17 |
Specific version information, as requested on the Ubuntu bug at https:/
Ubuntu Release: 11.10
network-manager version: 0.9.1.90-0ubuntu5.1
network-
FWIW, based on my cursory examination of the code, the issue does not appear to be introduced by any Ubuntu packages.
This may be classifiable as "enhancement" or "wishlist" depending on whether feature parity with openssl is part of the "current feature set" of the application. Based on my searches today, there's no common standard for specifying anything more elaborate than a DES cipher in the DEK-Info header of a PEM file.
Still, it would be nice to at least have some kind of error message about the key format being unsupported instead of this case just getting treated as if the key passphrase is always incorrect by the UI.
| Tony Espy (awe) wrote : | #3 |
No I think that's OK for now...thanks!
| Changed in network-manager (Ubuntu): | |
| status: | Incomplete → New |
I think we can already mark this as Confirmed. There are some variations of encrypted private keys that fail to be properly parsed to recognize their type by NetworkManager, there's at least one other bug about this, and it's reproducible on Precise.
| Changed in network-manager (Ubuntu): | |
| status: | New → Confirmed |
| importance: | Undecided → Medium |
| Changed in network-manager: | |
| importance: | Medium → Wishlist |
| status: | New → Confirmed |
| Sebastien Bacher (seb128) wrote : | #5 |
Those keys are handled since 1.10.10 and Ubuntu 18.10
https:/
That update is being SRUed to bionic
| Changed in network-manager (Ubuntu): | |
| status: | Confirmed → Fix Released |
| description: | updated |
Hello Walter, or anyone else affected,
Accepted network-manager into bionic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
| Changed in network-manager (Ubuntu Bionic): | |
| status: | New → Fix Committed |
| tags: | added: verification-needed verification-needed-bionic |
| Olivier Tilloy (osomon) wrote : | #7 |
Please test and share your feedback on this new version here, but refrain from changing the verification-
| Changed in network-manager (Ubuntu Bionic): | |
| importance: | Undecided → Medium |
The fix for this bug has been awaiting testing feedback in the -proposed repository for bionic for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.
| tags: | added: removal-candidate |
| Till Kamppeter (till-kamppeter) wrote : | #9 |
The SRU bug 1809132 has the same proposed package as this one and it got marked verified after three months without complaints and also after some testing by me and in agreement with Ken VanDine, Will Cooke, Olivier Tilloy.
So at least the new network-manager version should not cause any regressions.
So I mark this bug as verified, too and remove the removal-candidate tag.
Feel free to mark this bug as duplicate of bug 1809132 or as Invalid, but please DO NOT remove the network-manager 1.10.14-0ubuntu1 package as it is already a verified SRU for bug 1809132.
| tags: |
added: verification-done verification-done-bionic removed: removal-candidate verification-needed verification-needed-bionic |
| Till Kamppeter (till-kamppeter) wrote : | #10 |
By the way, if there is one SRU package to fix several separately reported bugs, each of these bugs should link to the others, so that a single bug cannot cause the removal of the SRU even if it gets verified in the other bugs. Or the SRU package needs one "master bug" where the verification gets handled.
Hello Walter, or anyone else affected,
Accepted network-manager into bionic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
| tags: |
added: verification-needed verification-needed-bionic removed: verification-done verification-done-bionic |
| Till Kamppeter (till-kamppeter) wrote : | #12 |
Resetting verification status to verification-done as the re-upload is a trivial fix of the autopkg test which does not change anything in the functionality of the package itself.
| tags: |
added: verification-done verification-done-bionic removed: verification-needed verification-needed-bionic |
| Launchpad Janitor (janitor) wrote : | #13 |
This bug was fixed in the package network-manager - 1.10.14-0ubuntu2
---------------
network-manager (1.10.14-0ubuntu2) bionic; urgency=medium
[ Till Kamppeter ]
* debian/tests/nm: Add gi.require_
and NMClient to avoid stderr output which fails the test.
[ Iain Lane ]
* debian/
too.
network-manager (1.10.14-0ubuntu1) bionic; urgency=medium
* New stable version (LP: #1809132), including:
- Support private keys encrypted with AES-{192,256}-CBC in libnm
(LP: #942856)
- Fix leak of DNS queries to local name servers when connecting to a
full-tunnel VPN (CVE-2018-1000135) (LP: #1754671)
* Dropped patch applied upstream:
- debian/
- debian/
* Refreshed patches:
- debian/
- debian/
- debian/
- debian/
- debian/
-- Till Kamppeter <email address hidden> Fri, 10 May 2019 13:34:00 +0200
| Changed in network-manager (Ubuntu Bionic): | |
| status: | Fix Committed → Fix Released |
The verification of the Stable Release Update for network-manager has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
| Steve Langasek (vorlon) wrote : | #15 |
| Changed in network-manager (Ubuntu Bionic): | |
| status: | Fix Released → In Progress |
| tags: |
added: verification-failed verification-failed-bionic removed: verification-done verification-done-bionic |
| Changed in network-manager (Ubuntu Bionic): | |
| assignee: | nobody → Till Kamppeter (till-kamppeter) |
| Changed in network-manager: | |
| importance: | Wishlist → Unknown |
| status: | Confirmed → Unknown |
| Changed in network-manager: | |
| importance: | Unknown → Wishlist |
| status: | Unknown → Confirmed |
The version of network-manager in the proposed pocket of Bionic that was purported to fix this bug report has been removed because one or more bugs that were to be fixed by the upload have failed verification and been in this state for more than 10 days.
| Changed in network-manager (Ubuntu Bionic): | |
| assignee: | Till Kamppeter (till-kamppeter) → nobody |
NetworkManager does not appear to support private keys encrypted with AES. At the very least, it will not validate such a key in nm-util when setting up a WPA 802.1x TLS wifi connection.
To test via nm-applet:
1. Start with a working (cleartext or DES-3) private key/cert for a network. Set up a connection and verify that everything works.
2. Re-encrypt the key with AES-256 with this command: "openssl rsa -in working-key.pem -out aes-key.pem -aes256" (the output should have a line starting with "DEK-Info: AES-256-CBC,")
3. Delete the settings for the test network and attempt to reconnect using the new key. Even with the correct passphrase, the "Connect" button will remain disabled; debugging output will show that nm-util is failing to validate the private key.
Workaround for anyone running into this issue: Re-encrypt your key with DES-3. The incantation is "openssl rsa -in aes-key.pem -out working-key.pem -des3".