*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Seth Arnold (seth-arnold):
Dear reader,
It came to my attention that when using the network-manager-openvpn
package to connect to a OpenVPN server the password is stored plain text
in the /etc/NetworkManager/system-connections/<Connection NAME> file
under the section:
[vpn-secrets]
cert-pass=******
I consider this a security risk due to the fact that when a system is
compromised, an attacker is able to impersonate the victim by using the
OpenVPN profile together with the private key password.
The system this was tested on:
Description: Ubuntu 18.04.2 LTS
Release: 18.04
Package info:
network-manager-openvpn:
Installed: 1.8.2-1
Candidate: 1.8.2-1
Version table:
* 1.8.2-1 500
500 http://nl.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
100 /var/lib/dpkg/status
I look forward to your response.
Kind regards,
Scott Brugman
** Affects: network-manager-openvpn (Ubuntu)
Importance: Undecided
Status: New
--
Storing plain text private key password on the system (Security Issue)
https://bugs.launchpad.net/bugs/1825474
You received this bug notification because you are a member of Ubuntu Bugs,
which is subscribed to the bug report.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
