NetworkManager Improper File Access Vulnerability Allowing Certificate Misuse

Vulnerability

A vulnerability exists in NetworkManager that lets a non-root user make the daemon read files belonging to other users, specifically certificates. The issue arises because the NetworkManager daemon runs with root privileges, so it can read files in any user's account regardless of their permissions. A local user can exploit this to authenticate to a VPN server or to an 802.1X-protected WiFi network with another user's certificate. The problem is worse when NetworkManager is configured to let non-admin users create system-wide connections, because the daemon activates such connections without recording which user created them.

Impact

Exploitation of this vulnerability could lead to unauthorized authentication with another user's certificate, potentially granting access to secured resources or services such as VPNs or protected WiFi networks.

Reproduction

To reproduce this vulnerability, a non-admin user creates a private network connection and sets its certificate path to a file owned by another user. When the connection is activated, NetworkManager reads that file as root, so the file's permissions do not restrict the access, and it uses the certificate for authentication. Alternatively, if the 'modify_system=yes' option is enabled, the user can create a system-wide connection instead, which is riskier still because NetworkManager does not track who initiated the connection.

Remediation

Upgrade to a version of NetworkManager that addresses this vulnerability. On a version where the 'modify_system' option is available, it is recommended to add a Polkit rule manually that prevents non-admin users from creating system-wide connections.
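An added example of such a rule, not taken from this advisory or from the NetworkManager project: a polkit JavaScript rules file (a path such as /etc/polkit-1/rules.d/10-nm-system-connections.rules is assumed) that denies NetworkManager's own action for modifying system-wide connections to any user outside an assumed admin group, while leaving admins on the default policy.

```javascript
// Added example: polkit rules file restricting system-wide NetworkManager connections.
// The action id is NetworkManager's real polkit action; the admin group name "wheel"
// is an assumption (use "sudo" or your distribution's admin group as appropriate).
var ADMIN_GROUP = "wheel";
var NM_MODIFY_SYSTEM = "org.freedesktop.NetworkManager.settings.modify.system";

// Return values are the strings behind polkit.Result.NO ("no") and
// polkit.Result.NOT_HANDLED (null). Returning null for admins and unrelated
// actions leaves them to later rules and the action's default policy, so this
// rule only ever adds a denial, never a new permission.
function decideNmSystemModify(actionId, subjectIsAdmin) {
  if (actionId !== NM_MODIFY_SYSTEM) {
    return null; // not our action: fall through
  }
  if (subjectIsAdmin) {
    return null; // admins keep NetworkManager's default (normally auth_admin_keep)
  }
  // Non-admin: refuse outright, so a regular user cannot hand NetworkManager a
  // system-wide profile whose certificate path points at another user's file.
  return "no";
}

// Register with polkitd when this file is loaded as a rule; the guard lets the
// decision function above be exercised outside polkit as well.
if (typeof polkit !== "undefined") {
  polkit.addRule(function (action, subject) {
    return decideNmSystemModify(action.id, subject.isInGroup(ADMIN_GROUP));
  });
}
```

Rules files are read in lexical order, so name the file to sort before any rule that would grant this action to all users.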

Added: Jan 26, 2026, 8:25 PM
Updated: Jan 26, 2026, 8:25 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 0.4
exploitability: 3.2
remediation: 8.3
relevance: 2.4
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.