[pkg-wicd-maint] Bug#902421: wicd-daemon: silently keeps and uses obsolete, possibly insecure config in /etc/wicd/wireless-settings.conf

Vincent Lefevre vincent at vinc17.net
Wed Jun 27 03:58:30 BST 2018


On 2018-06-26 23:23:16 +0200, Axel Beckert wrote:
> > Another issue is that here, it was a *new* BSSID (well, I assume
> > because it is a place where I had never come before).

Actually, I think that the issue occurs only in that case.
Once a config with the BSSID has been created, the behavior
is reproducible with the same BSSID.

FYI, in the wicd logs:

[...]
2018/06/25 09:21:53 :: Putting interface up...
2018/06/25 09:21:53 :: ifconfig wlp61s0 up
2018/06/25 09:21:55 :: enctype is peap-eduroam
2018/06/25 09:21:55 :: Attempting to authenticate...
2018/06/25 09:21:55 :: ['wpa_supplicant', '-B', '-i', 'wlp61s0', '-c', '/var/lib/wicd/configurations/04bd882b5811', '-Dwext']
2018/06/25 09:21:55 :: ['iwconfig', 'wlp61s0', 'essid', '--', 'eduroam']
2018/06/25 09:21:55 :: iwconfig wlp61s0 channel 36
2018/06/25 09:21:55 :: iwconfig wlp61s0 ap 04:BD:88:2B:58:11
2018/06/25 09:21:55 :: WPA_CLI RESULT IS DISCONNECTED
2018/06/25 09:21:56 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:21:57 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:21:58 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:21:59 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:00 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:01 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:02 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:03 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:04 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:05 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:06 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:07 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:08 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:09 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:10 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:11 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:12 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:13 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:14 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:15 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:16 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:17 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:18 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:20 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:21 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:22 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:23 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:24 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:25 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:26 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:27 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:28 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:29 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:30 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:31 :: wpa_supplicant authentication may have failed.
2018/06/25 09:22:31 :: connect result is failed
2018/06/25 09:22:31 :: exiting connection thread
2018/06/25 09:22:31 :: Sending connection attempt result bad_pass
[...]

(This was the first time 04:BD:88:2B:58:11 was seen.)

[...]
2018/06/25 09:22:38 :: enctype is peap-eduroam
2018/06/25 09:22:38 :: Attempting to authenticate...
2018/06/25 09:22:38 :: ['wpa_supplicant', '-B', '-i', 'wlp61s0', '-c', '/var/lib/wicd/configurations/04bd882b5811', '-Dwext']
2018/06/25 09:22:38 :: ['iwconfig', 'wlp61s0', 'essid', '--', 'eduroam']
2018/06/25 09:22:38 :: iwconfig wlp61s0 channel 36
2018/06/25 09:22:38 :: iwconfig wlp61s0 ap 04:BD:88:2B:58:11
2018/06/25 09:22:38 :: WPA_CLI RESULT IS DISCONNECTED
2018/06/25 09:22:39 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:40 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:41 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:42 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:43 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:44 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:45 :: WPA_CLI RESULT IS ASSOCIATED
2018/06/25 09:22:46 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:47 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:48 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:49 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:50 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:51 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:52 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:53 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:54 :: WPA_CLI RESULT IS SCANNING
2018/06/25 09:22:55 :: WPA_CLI RESULT IS SCANNING
2018/06/25 10:20:03 :: wpa_supplicant authentication may have failed.
2018/06/25 10:20:03 :: connect result is failed
2018/06/25 10:20:03 :: exiting connection thread
2018/06/25 10:20:03 :: Sending connection attempt result bad_pass
[...]

and so on with this BSSID. After I had removed all the old settings
from /etc/wicd/wireless-settings.conf, everything was OK.

> That sounds strange. I wonder if that could be triggered, if e.g. two
> different eduroam APs/BSSIDs are ticked with "use these settings
> for all wifis with this ESSID" but have different settings and it is
> e.g. luck which one is used (unless the BSSID fits).

That's possible. That would be the best explanation.

> As far as I remember from some discussions about potential rogue
> access points in general, at least WPA2 Enterprise (like with eduroam)
> uses some challenge/response methods for authentication, so a leaking
> of passwords should not be possible.

This is not what I've heard. A few weeks ago, our lab sent us a
warning that a recent flaw has been discovered. An excerpt from
the e-mail message:

------------------------------------------------------------------------
You **must** set the "CA certificate" field in your Eduroam
configuration, on all your devices (phone, laptop, ...). If you don't do
so, it is quite easy for an attacker to steal your ENS (or Inria) login
and password.
------------------------------------------------------------------------

So, IMHO, this is a critical bug.

I've found the following, which might be related:

  https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations

And also:

  https://community.jisc.ac.uk/library/janet-services-documentation/faqs-eduroam-users

"You should *ALWAYS* validate the server certificate - the option in
the supplicant (be it Windows native, SecureW2, OpenSEA et al) should
always be enabled. Certification is one of the main securing blocks of
EAP, which underpins the eduroam service.

If you don't verify that the RADIUS server (which is handling your
sensitive authentication credentials) is legitimate and not being
spoofed by an unscrupulous person, you are leaving yourself open to
having your credentials stolen. Maintaining the security of your
credentials is one of the requirements of the eduroam usage policy
that you subscribe to as part of using the service - ie. it is
mandatory."

I had always thought that the RADIUS server could be authenticated
automatically (a bit like servers with https) and that in any case
the password was never passed to the server, but apparently this is
not how the protocol works!

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
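
Added example, not part of the original message and not wicd code: a small Python check for the missing "CA certificate" setting discussed above, run over the text of a wpa_supplicant configuration such as the files wicd writes under /var/lib/wicd/configurations/. The two sample configurations, the identity and the certificate path are constructed for illustration.

```python
import re

# wpa_supplicant network options that anchor trust in the EAP (RADIUS) server.
TRUST_KEYS = {"ca_cert", "ca_path"}
NAME_KEYS = {"domain_suffix_match", "domain_match", "subject_match", "altsubject_match"}
NO_CA = "no ca_cert/ca_path: server certificate is not validated"
NO_NAME = "CA set but server name not pinned: any certificate from that CA is accepted"

def parse_networks(text):
    """Return one dict of option -> value per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"network\s*=\s*\{", line):
            current = {}
        elif line.startswith("}") and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def audit(text):
    """Return (ssid, finding) pairs for EAP networks with weak server validation."""
    findings = []
    for net in parse_networks(text):
        key_mgmt = net.get("key_mgmt", "").split()
        if "eap" not in net and not any(k.startswith("WPA-EAP") for k in key_mgmt):
            continue  # PSK or open network: no EAP server to validate
        ssid = net.get("ssid", "?")
        if not TRUST_KEYS & net.keys():
            findings.append((ssid, NO_CA))
        elif not NAME_KEYS & net.keys():
            findings.append((ssid, NO_NAME))
    return findings

# Constructed samples (not taken from the bug report).
COMMON = ('network={\n    ssid="eduroam"\n    key_mgmt=WPA-EAP\n    eap=PEAP\n'
          '    identity="user@example.org"\n    password="placeholder"\n'
          '    phase2="auth=MSCHAPV2"\n')
STALE = COMMON + "}\n"
CA_ONLY = COMMON + '    ca_cert="/etc/ssl/certs/example-ca.pem"\n}\n'
PINNED = CA_ONLY.replace("}\n", '    domain_suffix_match="radius.example.org"\n}\n')

if __name__ == "__main__":
    for name, cfg in (("stale", STALE), ("ca only", CA_ONLY), ("pinned", PINNED)):
        print(name, audit(cfg))
```
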


