#VU34363 Improper Authentication in Fedora - CVE-2020-10754

Cybersecurity Help s.r.o.

Published: 2020-06-08 | Updated: 2020-08-08

Vulnerability identifier: #VU34363

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-10754

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Fedora
Operating systems & Components / Operating system

Vendor: Fedoraproject

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

It was found that nmcli, a command line interface to NetworkManager did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings, when creating a new profile. When a user connects to a network using this profile, the authentication does not happen and the connection is made insecurely.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Fedora: 31

External links
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10754
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44FTVXWKDYIAMOOP2PZMUY3D2QNWAVBZ/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat Enterprise Linux 7 update for NetworkManager

Red Hat Enterprise Linux 8 update for NetworkManager

Improper Authentication in Fedoraproject Fedora

Fedora 32 update for NetworkManager

Fedora 31 update for NetworkManager