NetworkManager does not support AES-encrypted private keys for WPA 802.1x authentication

Bug #942856 reported by Walter Mundt on 2012-02-28
22
This bug affects 3 people
Affects Status Importance Assigned to Milestone
NetworkManager
Confirmed
Wishlist
network-manager (Ubuntu)
Medium
Unassigned
Bionic
Medium
Unassigned

Bug Description

* Impact

Selecting AES-{192,256}-CBC keys to connect isn't working

* Test case

1. Start with a working (cleartext or DES-3) private key/cert for a network. Set up a connection and verify that everything works.
2. Re-encrypt the key with AES-256 with this command: "openssl rsa -in working-key.pem -out aes-key.pem -aes256" (the output should have a line starting with "DEK-Info: AES-256-CBC,")
3. Delete the settings for the test network and attempt to reconnect using the new key.

That should work

* Regression potential

That's new code for an extra type of keys, it shouldn't impact existing options

--------------

NetworkManager does not appear to support private keys encrypted with AES. At the very least, it will not validate such a key in nm-util when setting up a WPA 802.1x TLS wifi connection.

CVE References

NetworkManager does not appear to support private keys encrypted with AES. At the very least, it will not validate such a key in nm-util when setting up a WPA 802.1x TLS wifi connection.

To test via nm-applet:

1. Start with a working (cleartext or DES-3) private key/cert for a network. Set up a connection and verify that everything works.
2. Re-encrypt the key with AES-256 with this command: "openssl rsa -in working-key.pem -out aes-key.pem -aes256" (the output should have a line starting with "DEK-Info: AES-256-CBC,")
3. Delete the settings for the test network and attempt to reconnect using the new key. Even with the correct passphrase, the "Connect" button will remain disabled; debugging output will show that nm-util is failing to validate the private key.

Workaround for anyone running into this issue: Re-encrypt your key with DES-3. The incantation is "openssl rsa -in aes-key.pem -out working-key.pem -des3".

Changed in network-manager:
importance: Unknown → Medium
status: Unknown → New
Tony Espy (awe) wrote :

Walter, could you please add some more details ( Ubuntu release, NM version, ... )?

Changed in network-manager (Ubuntu):
status: New → Incomplete
Walter Mundt (waltermundt) wrote :

Ubuntu Release: 11.10
network-manager version: 0.9.1.90-0ubuntu5.1
network-manager-gnome version: 0.9.1.90-0ubuntu6

Anything else I should add?

Specific version information, as requested on the Ubuntu bug at https://bugs.launchpad.net/network-manager/+bug/942856 and added here in case it's useful upstream:

Ubuntu Release: 11.10
network-manager version: 0.9.1.90-0ubuntu5.1
network-manager-gnome version: 0.9.1.90-0ubuntu6

FWIW, based on my cursory examination of the code, the issue does not appear to be introduced by any Ubuntu packages.

This may be classifiable as "enhancement" or "wishlist" depending on whether feature parity with openssl is part of the "current feature set" of the application. Based on my searches today, there's no common standard for specifying anything more elaborate than a DES cipher in the DEK-Info header of a PEM file.

Still, it would be nice to at least have some kind of error message about the key format being unsupported instead of this case just getting treated as if the key passphrase is always incorrect by the UI.

Tony Espy (awe) wrote :

No I think that's OK for now...thanks!

Changed in network-manager (Ubuntu):
status: Incomplete → New

I think we can already mark this as Confirmed. There are some variations of encrypted private keys that fail to be properly parsed to recognize their type by NetworkManager, there's at least one other bug about this, and it's reproducible on Precise.

Changed in network-manager (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in network-manager:
importance: Medium → Wishlist
status: New → Confirmed
Sebastien Bacher (seb128) wrote :

Those keys are handled since 1.10.10 and Ubuntu 18.10
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/9b46af1a

That update is being SRUed to bionic

Changed in network-manager (Ubuntu):
status: Confirmed → Fix Released
description: updated

Hello Walter, or anyone else affected,

Accepted network-manager into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager/1.10.14-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in network-manager (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Olivier Tilloy (osomon) wrote :

Please test and share your feedback on this new version here, but refrain from changing the verification-needed-bionic tag for now. This new version includes many changes and we want to give it an extended testing period to ensure no regressions sneak in, before it is published to bionic-updates. Thanks!

Changed in network-manager (Ubuntu Bionic):
importance: Undecided → Medium

The fix for this bug has been awaiting testing feedback in the -proposed repository for bionic for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
Till Kamppeter (till-kamppeter) wrote :

The SRU bug 1809132 has the same proposed package as this one and it got marked verified after three months without complaints and also after some testing by me and in agreement with Ken VanDine, Will Cooke, Olivier Tilloy.

So at least the new network-manager version should not cause any regressions.

So I mark this bug as verified, too and remove the removal-candidate tag.

Feel free to mark this bug as duplicate of bug 1809132 or as Invalid, but please DO NOT remove the network-manager 1.10.14-0ubuntu1 package as it is already a verified SRU for bug 1809132.

tags: added: verification-done verification-done-bionic
removed: removal-candidate verification-needed verification-needed-bionic

By the way, if there is one SRU package to fix several separately reported bugs, each of these bugs should link to the others, so that a single bug cannot cause the removal of the SRU even if it gets verified in the other bugs. Or the SRU package needs one "master bug" where the verification gets handled.

Hello Walter, or anyone else affected,

Accepted network-manager into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager/1.10.14-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-bionic
removed: verification-done verification-done-bionic

Resetting verification status to verification-done as the re-upload is a trivial fix of the autopkg test which does not change anything in the functionality of the package itself.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 1.10.14-0ubuntu2

---------------
network-manager (1.10.14-0ubuntu2) bionic; urgency=medium

  [ Till Kamppeter ]
  * debian/tests/nm: Add gi.require_version() calls for NetworkManager
    and NMClient to avoid stderr output which fails the test.

  [ Iain Lane ]
  * debian/tests/control: The nm tests need dnsmasq-base and isc-dhcp-client
    too.

network-manager (1.10.14-0ubuntu1) bionic; urgency=medium

  * New stable version (LP: #1809132), including:
    - Support private keys encrypted with AES-{192,256}-CBC in libnm
      (LP: #942856)
    - Fix leak of DNS queries to local name servers when connecting to a
      full-tunnel VPN (CVE-2018-1000135) (LP: #1754671)
  * Dropped patch applied upstream:
    - debian/patches/CVE-2018-15688.patch
    - debian/patches/e91f1a7d2a6b8400b6b331d5b72287dcb5164a39.patch
  * Refreshed patches:
    - debian/patches/Don-t-make-NetworkManager-D-Bus-activatable.patch
    - debian/patches/Force-online-state-with-unmanaged-devices.patch
    - debian/patches/Read-system-connections-from-run.patch
    - debian/patches/Update-dnsmasq-parameters.patch
    - debian/patches/libnm-register-empty-NMClient-and-NetworkManager-when-loa.patch

 -- Till Kamppeter <email address hidden> Fri, 10 May 2019 13:34:00 +0200

Changed in network-manager (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for network-manager has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Steve Langasek (vorlon) wrote :

Due to the SRU regressions reported in LP: #1829838 and LP: #1829566, I have reverted this SRU for the moment, restoring network-manager 1.10.6-2ubuntu1.1 to bionic-updates. I am marking this bug verification-failed pending resolution of the reported regressions.

Changed in network-manager (Ubuntu Bionic):
status: Fix Released → In Progress
tags: added: verification-failed verification-failed-bionic
removed: verification-done verification-done-bionic
Changed in network-manager (Ubuntu Bionic):
assignee: nobody → Till Kamppeter (till-kamppeter)
Changed in network-manager:
importance: Wishlist → Unknown
status: Confirmed → Unknown
Changed in network-manager:
importance: Unknown → Wishlist
status: Unknown → Confirmed

The version of network-manager in the proposed pocket of Bionic that was purported to fix this bug report has been removed because one or more bugs that were to be fixed by the upload have failed verification and been in this state for more than 10 days.

Changed in network-manager (Ubuntu Bionic):
assignee: Till Kamppeter (till-kamppeter) → nobody
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.