** Changed in: network-manager-openvpn (Ubuntu)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/1825474
Title:
Storing plain text private key password on the system (Security Issue)
Status in network-manager-openvpn package in Ubuntu:
Confirmed
Bug description:
Dear reader,
It came to my attention that when using the network-manager-openvpn
package to connect to an OpenVPN server the password is stored in plain
text in the /etc/NetworkManager/system-connections/<Connection NAME>
file under the section:
  [vpn-secrets]
  cert-pass=******
I consider this a security risk due to the fact that when a system is
compromised, an attacker is able to impersonate the victim by using
the OpenVPN profile together with the private key password.
The system this was tested on:
  Description: Ubuntu 18.04.2 LTS
  Release: 18.04
Package info:
  network-manager-openvpn:
    Installed: 1.8.2-1
    Candidate: 1.8.2-1
    Version table:
   * 1.8.2-1 500
        500 http://nl.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
I look forward to your response.
Kind regards,
Scott Brugman
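Added example, not part of the bug report or of the package's code: a small audit that reports which NetworkManager keyfiles carry secrets under [vpn-secrets] and whether the file is readable beyond its owner. The sample profiles, their names and the passphrase are constructed; the "<key>-flags" values used (0 stored by NetworkManager, 1 agent-owned, 2 not saved) are NetworkManager's secret flags, and the helper names are hypothetical.

```python
import configparser, os, stat, tempfile
from pathlib import Path

def audit_keyfile(path):
    """Return findings for one NetworkManager keyfile; never echoes secret values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names case-sensitive
    cp.read(path)
    findings = []
    if cp.has_section("vpn-secrets"):
        for key in cp["vpn-secrets"]:
            # Secret flags live in [vpn] as "<key>-flags": 0 = stored by
            # NetworkManager in this file, 1 = agent-owned, 2 = not saved.
            flags = cp.get("vpn", f"{key}-flags", fallback="0")
            findings.append(f"{key} stored in file (flags={flags})")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} readable beyond owner")
    return findings

def audit_directory(directory):
    """Map file name -> findings for every keyfile that has at least one."""
    results = {}
    for p in sorted(Path(directory).iterdir()):
        if p.is_file() and (found := audit_keyfile(p)):
            results[p.name] = found
    return results

def build_sample_dir():
    """Constructed profiles standing in for /etc/NetworkManager/system-connections."""
    d = Path(tempfile.mkdtemp())
    stored = ("[connection]\nid=work-vpn\ntype=vpn\n\n[vpn]\nconnection-type=tls\n\n"
              "[vpn-secrets]\ncert-pass=constructed-passphrase\n")
    prompt = ("[connection]\nid=home-vpn\ntype=vpn\n\n[vpn]\nconnection-type=tls\n"
              "cert-pass-flags=2\n")
    for name, body, mode in (("work-vpn", stored, 0o644), ("home-vpn", prompt, 0o600)):
        (d / name).write_text(body)
        os.chmod(d / name, mode)
    return d

if __name__ == "__main__":
    for name, found in audit_directory(build_sample_dir()).items():
        print(name, found)
```

On a real system, point audit_directory at /etc/NetworkManager/system-connections and run it as root, since the keyfiles there are normally readable only by root.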