[pkg-wicd-maint] Bug#902421: wicd-daemon: silently keeps and uses obsolete, possibly insecure config in /etc/wicd/wireless-settings.conf

Axel Beckert abe at debian.org
Tue Jun 26 22:23:16 BST 2018

Control: tag -1 - moreinfo
Control: severity -1 important

Hi Vincent,

Vincent Lefevre wrote:
> On 2018-06-26 16:38:05 +0200, Axel Beckert wrote:
> > Are you aware that you need to explicitly configure if a configuration
> > needs to be solely based on the ESSID? It's called "use these settings
> > for all wifis with this ESSID" or similar.
> I have "Use these settings for all networks sharing this essid"
> ticked for eduroam, but it is apparently not honored.

Ok, thanks for that detail.

> > And IMNSHO it's a security feature and not a bug that wicd does use
> > only the BSSID by default. That way credentials can't be leaked to
> > rogue access points which share the same ESSID (which is easy to do).
> ... unless a certificate is used, which is my case.


> Another issue is that here, it was a *new* BSSID (well, I assume
> because it is a place where I had never come before).

That sounds strange. I wonder if that could be triggered, if e.g. two
different eduroam APs/BSSIDs are ticked with "use these settings
for all wifis with this ESSID" but have different settings and it is
e.g. luck which one is used (unless the BSSID fits).

Will eventually test for that corner case.

> > > and when one updates the eduroam config, some old configs are not
> > > updated, and wicd can randomly use them later.
> > 
> > In which case did this happen? With an ESSID where you had the "use
> > these settings for all wifis with this ESSID" flag set or not?
> See above. But I'm not aware if there is a global setting (in any
> case the local setting should have the precedence).

From what I gather, it's just a per-ESSID setting, but I haven't yet
looked at the code how it is implemented. Will do.

> > Am I right that you say that it's not an outdated password which might
> > be leaked, but the current password which is sent in an insecure way,
> > like WEP instead of WPA?
> There were some old settings with the new password and no
> certificate.

I see.

> This could have leaked. I never use WEP, always WPA2.

As far as I remember from some discussions about potential rogue
access points in general, at least WPA2 Enterprise (like with eduroam)
uses some challenge/response methods for authentication, so a leaking
of passwords should not be possible.

OTOH I know there are tons of ways how a WPA Enterprise setup can be
done (and especially that you might need to modify your eduroam ESSID
settings when moving from one university to another) and I'm
definitely not sure if all of them use challenge/response methods.

Will try to figure out if there's really a chance to leak credentials.
(I still have my doubts, but at least not honouring that "use these
settings for all wifis with this ESSID" flag is at least a not so nice
usability bug, so setting the severity to "important" for now.)

> > Which UI? WICD has several UIs (Gtk, Curses, CLI) and you filed that
> > bug report against wicd-daemon. (→ moreinfo, too)
> Gtk.

Ok. I use mostly wicd-curses which IIRC shows the BSSID. Will have a
look at the Gtk interface with a focus on the BSSID.

Thanks for the additional details!

		Regards, Axel
 ,''`.  |  Axel Beckert <abe at debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
