oss-sec mailing list archives
Re: CVE request(?): hostapd: improper file permissions of hostapd's config leaks credentials
From: Matthias Weckbecker <mweckbecker () suse de>
Date: Wed, 23 May 2012 16:01:45 +0200
On Wednesday 23 May 2012 11:15:48 Jan Lieskovsky wrote:
> Hi Matthias,

Hi Jan,

> thank you for your request.
>
> On 05/23/2012 10:21 AM, Matthias Weckbecker wrote:
> > Hi Kurt, Hi vendors,
> >
> > not too critical in my opinion, but I think still worth to be at least
> > mentioned briefly as other distros such as Fedora 16 were affected too:
> >
> > https://bugzilla.novell.com/show_bug.cgi?id=740964
> >
> > I'm not sure whether this issue should get a CVE,
>
> We have previously checked this with John W. Linville (Cc-ed on this post
> too) with reply from him being as inlined below:

OK, thank you for your explanation. Although I don't agree with you (as it's
like shipping /etc/shadow world-readable and saying it has to be adjusted to
reflect the administrator's needs), I can live with no CVE being assigned for
this. I wouldn't say that this is a critical issue anyway.

Thanks,
Matthias

> ---<inline>---
> Jan,
> I think you understand it all correctly.
> Thanks,
> John
>
> On Thu, 2012-05-17 at 12:44 +0200, Jan Lieskovsky wrote:
> > Hello John,
> >
> > this is due to the following Novell bug:
> > [1] https://bugzilla.novell.com/show_bug.cgi?id=740964
> >
> > I have checked that Fedora hostapd versions, have permissions like
> > (thus insecure too):
> >
> > # ls -l /etc/hostapd/hostapd.conf
> > -rw-r--r--. 1 root root 722 Feb 9 2011 /etc/hostapd/hostapd.conf
> >
> > I am taking the default content of /etc/hostapd/hostapd.conf
> > as an example configuration (thus something which should the
> > administrator of the system to update to reflect their needs
> > to get hostapd for their wireless network configuration to
> > work properly.
> >
> > Thus as such I would say this is just issue of proper configuration
> > (in the moment of editing the configuration file the administrator
> > should update the permissions on the config file too to ensure WPA
> > password wouldn't leak, right?), than a real security flaw.
> >
> > Do you agree with this view or should I request CVE identifier
> > for this issue and we should get hostapd packages in Fedora updated
> > to correct this?
> >
> > Thank you && Regards, Jan.
> > --
> > Jan iankko Lieskovsky / Red Hat Security Response Team
> >
> > P.S.:
> >
> > For the other part of Novell bug (permissions for hostapd.wpa_psk
> > in Fedora versions there doesn't seem to be other hostapd.wpa_psk
> > than just:
> >
> > /usr/share/doc/hostapd-0.7.3/hostapd.wpa_psk
> >
> > which I think is there for documentation / config sample purposes).
> > Thus I would not consider this second part as a security issue.

--
Matthias Weckbecker, Junior Security Engineer, SUSE Security Team
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg, Germany
Tel: +49-911-74053-0; http://suse.com/
SUSE LINUX Products GmbH, GF: Jeff Hawn, HRB 16746 (AG Nuernberg)
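
Added example (not part of the original message, and not code from hostapd or any distribution's packaging): a shell check for the condition discussed in this thread, a hostapd configuration that holds a WPA secret while being readable by group or other. wpa_passphrase, wpa_psk and wpa_psk_file are hostapd.conf options; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit hostapd config files for secrets readable beyond the owner.
# Usage (paths are the caller's choice): sh audit.sh /etc/hostapd/hostapd.conf

# Print the octal permission bits of a file (GNU stat, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed if group or other holds any permission bit on the file.
open_to_others() {
    mode=$(file_mode "$1") || return 2
    [ "$(( 0$mode & 077 ))" -ne 0 ]
}

# Audit one config file. Returns 0 when clean, 1 when an exposure is found.
# Commented-out settings (lines starting with '#') are ignored.
audit_hostapd_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "SKIP $conf (cannot read)"; return 0; }

    # Case 1: the secret is stored inline in the config file itself.
    if grep -Eq '^[[:space:]]*(wpa_passphrase|wpa_psk)=' "$conf" \
        && open_to_others "$conf"; then
        echo "EXPOSED $conf mode=$(file_mode "$conf") (inline WPA secret)"
        rc=1
    fi

    # Case 2: the config points at a separate PSK list via wpa_psk_file=.
    psk_file=$(sed -n 's/^[[:space:]]*wpa_psk_file=//p' "$conf" | head -n 1)
    if [ -n "$psk_file" ] && [ -f "$psk_file" ] && open_to_others "$psk_file"; then
        echo "EXPOSED $psk_file mode=$(file_mode "$psk_file") (wpa_psk_file)"
        rc=1
    fi
    return "$rc"
}

# Audit every path given on the command line.
for f in "$@"; do
    audit_hostapd_conf "$f" || true
done
```

Restricting a reported file to mode 0600, owned by the user hostapd runs as, removes the exposure.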