[Bug 564568] New: Please implement server name/certificate subject validation in EAPOL authentications (NetworkManager)
http://bugzilla.novell.com/show_bug.cgi?id=564568
http://bugzilla.novell.com/show_bug.cgi?id=564568#c0

Summary: Please implement server name/certificate subject validation in EAPOL authentications (NetworkManager)
Classification: openSUSE
Product: openSUSE 11.3
Version: Factory
Platform: All
OS/Version: All
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Mobile Devices
AssignedTo: mobile-bugs@forge.provo.novell.com
ReportedBy: nice@titanic.nyme.hu
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; hu-HU; rv:1.9.1.5) Gecko/20091103 SUSE/3.5.5-1.1.2 Firefox/3.5.5

We, at the Hungarian eduroam community, realized that the lack of this capability in NetworkManager is a VERY SERIOUS threat. In the Eduroam infrastructure it's quite possible that your home radius server's certificate is signed by the same CA as one or some of the numerous radius servers proxying your request, so any of these servers can easily (even accidentally!) open your SSL encrypted TTLS or PEAP tunnel, for example. The problem gets even worse if you don't specify exactly the CA which signed your certificate, but you trust every CA cert in /etc/ssl/certs (a very common scenario).

However, since your home radius server's certificate is transmitted as cleartext in the beginning of the PEAP/TTLS communication, it can be easily sniffed with wireshark, and a relatively desperate attacker can purchase his own certificate from your CA. If this attacker deploys his own AP/router/radius server, he can easily read your passwords (in case of TTLS/PAP authentication), or your NTLM password hashes (in case of TTLS/MSCHAPv2 or PEAP/MSCHAPv2).

And the sad thing is that this MSCHAPv2 can be cracked VERY EASILY by john ( http://www.openwall.com/john/ ). According to my experiences it can be cracked five times faster than old Unix crypt password hashes :((( I managed to crack three out of four real-life passwords in an hour without advanced dictionaries or specific options. One password (consisting of eight digits) was cracked by simple brute force within an hour! ( http://forums.remote-exploit.org/tutorials-guides/13728-tutorial-cracking-le... )

Upstream here: https://bugzilla.gnome.org/show_bug.cgi?id=341323

Reproducible: Always

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
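The gap this report describes, shown at the level of wpa_supplicant (the supplicant NetworkManager drives), as an added example that is not part of the original report or of NetworkManager. The SSID, identities, password, CA file path and the server name radius.example.org are placeholder assumptions.

```conf
# Constructed example: every name, path and credential is a placeholder.
# The two blocks are alternatives; keep only one in a real configuration.

# Weak: the server certificate only has to chain to the pinned CA.
# Any other RADIUS server with a certificate from the same CA passes.
# Using ca_path="/etc/ssl/certs" instead of ca_cert widens this to
# every CA in the system store.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    anonymous_identity="anonymous@example.org"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/Example_CA.pem"
    phase2="auth=MSCHAPV2"
}

# Hardened: same CA pin, plus a check on the name inside the server
# certificate, so a different server under the same CA is rejected
# before the inner MSCHAPv2 or PAP exchange starts.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    anonymous_identity="anonymous@example.org"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/Example_CA.pem"
    # Matched against the dNSName entries in the certificate's
    # subjectAltName extension.
    altsubject_match="DNS:radius.example.org"
    # For a server certificate without a dNSName entry, subject_match
    # can be used instead. It is a substring match on the subject DN,
    # so give it as much of the DN as possible, e.g.
    # subject_match="/C=HU/O=Example/CN=radius.example.org"
    phase2="auth=MSCHAPV2"
}
```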
http://bugzilla.novell.com/show_bug.cgi?id=564568
http://bugzilla.novell.com/show_bug.cgi?id=564568#c1

--- Comment #1 from Tamás Németh <nice@titanic.nyme.hu> 2009-12-14 20:54:15 UTC ---

Sorry for marking it as critical, but - according to my experiences - it can easily lead to lost data in a rogue environment.
http://bugzilla.novell.com/show_bug.cgi?id=564568
http://bugzilla.novell.com/show_bug.cgi?id=564568#c2

Stephan Kulow <coolo@novell.com> changed:

What    |Removed |Added
----------------------------------------------------------------------------
Severity|Critical|Enhancement

--- Comment #2 from Stephan Kulow <coolo@novell.com> 2010-06-15 11:00:04 CEST ---

please file feature requests at features.opensuse.org
http://bugzilla.novell.com/show_bug.cgi?id=564568
http://bugzilla.novell.com/show_bug.cgi?id=564568#c3

--- Comment #3 from Tamás Németh <nice@titanic.nyme.hu> 2010-06-16 19:32:56 UTC ---

OK, here it is: https://features.opensuse.org/309931

But please, don't forget: it's a HUGE security hole.