[Bug 934261] New: Wireless passwords are easily decoded in some cases
http://bugzilla.opensuse.org/show_bug.cgi?id=934261
Bug ID: 934261
Summary: Wireless passwords are easily decoded in some cases
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: Other
OS: openSUSE 13.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: Greg.Freemyer@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
I'm testing with LaZagne:
http://www.kitploit.com/2015/02/the-lazagne-project-recover-most-common.html
Or in OBS @ home:gregfreemyer:Tools-for-forensic-boot-cd LaZagne
Running LaZagne as root recovered one network manager stored passwd.
----
Password found !!!
psk:
Andreas Stieger
--- Comment #3 from Greg Freemyer
Bernhard Wiedemann
Pawel Wieczorkiewicz
Does wicked even have user-WLANs that would need protection? Otherwise, this could be closed as INVALID.
Wireless passwords are generally protected at the wickedd daemon. See the PR: https://github.com/openSUSE/wicked/pull/225. However, when wickedd-nanny is used, the passwords kept there (either in the config XML structure of the workers config node or in the policy XML structure on the registered policy list) could definitely be protected better. Further, the logging mechanism of nanny could be checked to avoid dumping full configs/policies into logs. This bug could be used to track this work. However, currently there is no user configuration allowed in wicked, and user access is restricted directly by the dbus policy config files and the wicked USERCONTROL= variable check as well. When this is changed, we will add support for some existing secret vault, like the ones mentioned above.