GNOME Bugzilla – Bug 621484
802.1X Configurability Issues with MITM Consequences
Last modified: 2011-07-19 21:37:38 UTC
I would like to draw attention to an intrinsic security flaw with NetworkManager's 802.1X handling and configurability. Where an EAP method is used that relies on a public key infrastructure, such as PEAP, it is absolutely essential that a chain of trust be established between the supplicant and the authentication server in order to guarantee the privacy of the connection between the two endpoints before authentication is attempted. To verify a digital certificate, a chain of trust must be established. The trust anchor for a digital certificate is the root certificate authority (CA). Without first establishing a chain of trust, any PKI based encryption becomes meaningless as it becomes intrinsically vulnerable to MITM attacks. These are a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. For example, where the commonly deployed PEAP-MS-CHAP v2 is used in an organisation, it is essential to protect the inner EAP type as it is not cryptographically secure alone.[1][2] NetworkManager will prompt where the root certificate authority has not been constrained but has no ability for constraints on permissible server FQDNs to be defined. It also allows easy repeated dismissal with a 'Don't warn me again' for the CA constraint with a tickbox. This should not be so easily configurable, if at all. The ‘Achilles Heel’ here lies in the fact that: 1) Without constraining the server name, the supplicant trusts all and any server names from permitted CAs. 2) Without constraining the root certification authority, the supplicant trusts permitted server names from any CA. 3) Without constraining either (the default), the supplicant trusts all and any server names from any CA. Where an organisation has constrained the acceptable roots and a public certification authority is being used, an outside attacker can merely purchase a certificate of any name from the same authority and use it for MITM purposes. Where an organisation has constrained the acceptable roots and a private, self-signed certification authority is being used, an inside attacker can use any certificate from that root that they have access to for MITM purposes. Where the chain of trust has not been validated, the integrity of PKI based EAP methods is none existent. Furthermore, because it easily gives the illusion of security, it can be considered in many cases to be more harmful than good. It is absolutely essential before attempting authentication via 802.1X, to: 1) Require the acceptable CAs to be defined. 2) Require the acceptable server FQDNs to be defined. (It's arguable that this should be configurable on a CA basis.) Appropriate warnings should be given where the chain of trust cannot be established and specific instruction should be required to override. It should not succeed silently, as happens presently, where the supplicant has not been properly configured. Users should be given appropriate feedback about the risks that are implicit where a chain of trust has not been established by the supplicant before any private information is passed. This is exactly the same way that Web browsers presently operate. [1] http://www.schneier.com/paper-pptpv2.pdf - Cryptanalysis of Microsoft’s PPTP Authentication Extensions (MS-CHAPv2) [2] http://penguin-breeder.org/pptp/download/pptp_mschapv2.pdf - Exploiting known security holes in Microsoft’s PPTP Authentication Extensions (MS-CHAPv2)
While this analysis is correct, there was a reason we added the 'nag' dialog to allow users to ignore the CA certificate in the first place a few years ago. Perhaps it's useful now to revisit those reasons... The code for allowing the CA certificate to be ignored was added on: commit 353902fdf2dc7ef8b0214872d4ef5075d860bcbc Date: Wed Nov 7 20:16:02 2007 +0000
There's also still an open enhancement request to allow the "subject match" for RADIUS server certificates, which helps, but does not fully secure access to the network.
The concern is that with many more users deploying WPA-Enterprise actually outside of the Enterprise, they have the impression that they're getting increased security over the PSK secured WPA-Personal, but they often aren't while supplicants remain in such poor shape from a security standpoint. They make it hard, if not impossible, to deploy securely and do not do it by default. That's wrong. In order to abstract the relative complexity of RADIUS, out-sourced RADIUS services such as http://www.nowiressecurity.com/service.htm are appearing. Where these are used with roaming, unmanaged, ad-hoc clients (such as in a cafe), it is presently impossible to deploy securely. It's becoming a legacy that will be with us to haunt for years to come until the design deficiencies are corrected across the board in supplicants and such those corrections filter around the ecosystem. Even in a managed environment, supplicants assume awareness and infallibility on behalf of network system administrators. There is presently no default to a safe configuration that requires the chain of trust to be established and an explicit override to do anything different. --- Also, as a general design consideration for all supplicants, the handling for LAN connections should be to allow 'profiles' to be created based on the subject match. (There is no SSID for such profiles.) For roaming LAN users, this prevents information disclosure where a username and password based inner-authentication mechanism is being used.
Bug 341323 - [ENH] Verify subject of remote certificate https://bugzilla.gnome.org/show_bug.cgi?id=341323
I think I'll fold this bug into the enhancement request for cert subject match. That's basically the fix for this bug too; if admins don't want to allow the user to override the CA cert checking, the connection can be locked down by not giving the user the ability to change network connections. *** This bug has been marked as a duplicate of bug 341323 ***