CVE-2020-10754
Published 2020-06-08
Priority P4 · 22 · medium · 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.98% (57.9th percentile)
It was found that nmcli, a command line interface to NetworkManager, did not honour the 802-1x.ca-path and 802-1x.phase2-ca-path settings when creating a new profile. When a user connects to a network using this profile, the authentication does not happen and the connection is made insecurely.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | network-manager | < network-manager 1.24.2-1 (bookworm) | network-manager 1.24.2-1 (bookworm) |
| fedoraproject | fedora | — | — |
| gnome | networkmanager | < 1.22.14 | 1.22.14 |
| gnome | networkmanager | >= 1.24.0 < 1.24.2 | 1.24.2 |
| network-manager_project | network-manager | >= 0 < 1.24.2-1 | 1.24.2-1 |
| network-manager_project | network-manager | >= 0 < 1.24.2-1 | 1.24.2-1 |
| network-manager_project | network-manager | >= 0 < 1.24.2-1 | 1.24.2-1 |
| network-manager_project | network-manager | >= 0 < 1.24.2-1 | 1.24.2-1 |
CVSS provenance
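| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | LOW | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |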
Red Hat
NetworkManager: user configuration not honoured leaving the connection unauthenticated via insecure defaults
vendor_redhat·2020-05-29·CVSS 4.3
CVE-2020-10754 [MEDIUM] CWE-455 NetworkManager: user configuration not honoured leaving the connection unauthenticated via insecure defaults
A flaw was found in nmcli, where the command-line interface to the NetworkManager did not accept the 802-1x.ca-path and 802-1x.phase2-ca-path settings when creating a new profile. When a user connects to a network using this profile, the authentication does not happen and an insecure connection occurs.
Package: NetworkManager (Red Hat Enterprise Linux 5) - Out of support scope
Package: Network
Debian
CVE-2020-10754: network-manager - It was found that nmcli, a command line interface to NetworkManager did not hono...
vendor_debian·2020·CVSS 4.3
CVE-2020-10754 [MEDIUM] CVE-2020-10754: network-manager - It was found that nmcli, a command line interface to NetworkManager did not hono...
Scope: local
bookworm: resolved (fixed in 1.24.2-1)
bullseye: resolved (fixed in 1.24.2-1)
forky: resolved (fixed in 1.24.2-1)
sid: resolved (fixed in 1.24.2-1)
trixie: resolved (fixed in 1.24.2-1)
GHSA
GHSA-r5p6-9327-8hcq: It was found that nmcli, a command line interface to NetworkManager did not honour 802-1x
ghsa_unreviewed·2022-05-24
CVE-2020-10754 [MEDIUM] CWE-306 GHSA-r5p6-9327-8hcq: It was found that nmcli, a command line interface to NetworkManager did not honour 802-1x
OSV
CVE-2020-10754: It was found that nmcli, a command line interface to NetworkManager did not honour 802-1x
osv·2020-06-08·CVSS 4.3
CVE-2020-10754 [MEDIUM] CVE-2020-10754: It was found that nmcli, a command line interface to NetworkManager did not honour 802-1x
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-10754 NetworkManager: user configuration not honoured leaving the connection unauthenticated via insecure defaults [fedora-all]
bugzilla·2020-05-29·CVSS 4.3
CVE-2020-10754 [MEDIUM] CVE-2020-10754 NetworkManager: user configuration not honoured leaving the connection unauthenticated via insecure defaults [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit mes
Bugzilla
CVE-2020-10754 NetworkManager: user configuration not honoured leaving the connection unauthenticated via insecure defaults
bugzilla·2020-05-28·CVSS 4.3
CVE-2020-10754 [MEDIUM] CVE-2020-10754 NetworkManager: user configuration not honoured leaving the connection unauthenticated via insecure defaults
The ifcfg-rh settings plugin does not handle the 802-1x.ca-path and 802-1x.phase2-ca-path settings. When a user uses nmcli to configure a profile, it seemingly succeeds, while the modification gets silently lost leaving the connection unauthenticated.
Upstream issue:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/448
Upstream merge request:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/518
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1840210
Discussion:
Created NetworkManager tracking bugs for this issue:
Affects: fedora-all [bug 1841395]
---
Upstream patch: https://gitlab.freedesktop.org/Ne
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10754
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44FTVXWKDYIAMOOP2PZMUY3D2QNWAVBZ/