[pkg-wicd-maint] Bug#902421: wicd-daemon: silently keeps and uses obsolete, possibly insecure config in /etc/wicd/wireless-settings.conf

Axel Beckert abe at debian.org
Tue Jun 26 15:38:05 BST 2018


Control: severity -1 normal
Control: tag -1 + moreinfo

Hi Vincent,

Vincent Lefevre wrote:
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> I'm using eduroam, and instead of keeping only one config associated
> with it (e.g. [essid:eduroam]), wicd creates many of them in
> /etc/wicd/wireless-settings.conf (based on the bssid instead of the
> essid,

Yes, this is by design.

Are you aware that you need to explicitly configure if a configuration
needs to be solely based on the ESSID? It's called "use these settings
for all wifis with this ESSID" or similar.

And IMNSHO it's a security feature and not a bug that wicd does use
only the BSSID by default. That way credentials can't be leaked to
rogue access points which share the same ESSID (which is easy to do).

> even though wicd seems to ignore the bssid when searching for
> a matching config),

If you set that flag, of course it does.

> and when one updates the eduroam config, some old configs are not
> updated, and wicd can randomly use them later.

In which case did this happen? With an ESSID where you had the "use
these settings for all wifis with this ESSID" flag set or not? In the
latter case it should update all of them (or only keep one and remove
the remaining ones with the same ESSID), in the former it shouldn't.
(→ moreinfo)

Downgrading to the default severity at least until the specific
settings under which this happened are clarified.

> I noticed that after a password update: I got a connection failure
> due to an old config with an old password. But there's the same issue
> with the certificate (ca_cert field). In my case, some old configs
> that became insecure after a security hole was found in the protocol
> were still used by wicd, which could yield a leak of my password.

Am I right that you say that it's not an outdated password which might
be leaked, but the current password which is sent in an insecure way,
like WEP instead of WPA? (But then I wonder: Why is the WPA password
sent via WEP? IIRC WICD stores them per encryption method. And I don't
think that sending no-longer-valid passwords is a security threat that
validates RC severity.)

Once again: This depends a lot on your settings (see above). It should
not happen with the setting "use
these settings for all wifis with this ESSID", but it is expected to
happen (and a security feature) if that flag is not set.

> Note: The UI just presents the essid, so that the user will generally
> not know what's going on.

Which UI? WICD has several UIs (Gtk, Curses, CLI) and you filed that
bug report against wicd-daemon. (→ moreinfo, too)

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe at debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
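
An added example, not part of the original message and not wicd code: a read-only audit that groups the sections of a wireless-settings.conf by ESSID and reports which sections disagree on credential-related fields, which is the stale-config situation discussed above. The "[essid:eduroam]" section name and the ca_cert field come from the report; the "essid" and "password" key names and all sample values are assumptions constructed for illustration.

```python
import configparser
from collections import defaultdict

# Constructed sample in the style of /etc/wicd/wireless-settings.conf.
# Assumption: per-BSSID sections carry "essid", "password" and "ca_cert" keys.
SAMPLE = """\
[00:11:22:33:44:01]
essid = eduroam
password = old-secret
ca_cert = /etc/ssl/certs/old-ca.pem

[00:11:22:33:44:02]
essid = eduroam
password = new-secret
ca_cert = /etc/ssl/certs/new-ca.pem

[essid:eduroam]
password = new-secret
ca_cert = /etc/ssl/certs/new-ca.pem

[00:11:22:33:44:03]
essid = homenet
"""

def divergent_profiles(text, watched=("password", "ca_cert")):
    """Map essid -> key -> groups of sections that disagree on that key."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    by_essid = defaultdict(list)
    for name in cp.sections():
        # "[essid:NAME]" sections name the ESSID in the header itself.
        essid = name[6:] if name.startswith("essid:") else cp[name].get("essid")
        if essid:
            by_essid[essid].append(name)
    report = {}
    for essid, sections in by_essid.items():
        for key in watched:
            groups = defaultdict(list)
            for section in sections:
                groups[cp[section].get(key)].append(section)
            if len(groups) > 1:
                # Report section names only, never the stored secrets.
                report.setdefault(essid, {})[key] = list(groups.values())
    return report

if __name__ == "__main__":
    for essid, keys in divergent_profiles(SAMPLE).items():
        for key, groups in keys.items():
            print(f"{essid}: {key} differs between {groups}")
```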
