CVE-2009-0365 in Linux
Summary
by MITRE
nm-applet.conf in GNOME NetworkManager before 0.7.0.99 contains an incorrect deny setting, which allows local users to discover (1) network connection passwords and (2) pre-shared keys via calls to the GetSecrets method in the dbus request handler.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 08/30/2019
The vulnerability identified as CVE-2009-0365 represents a critical access control flaw in the GNOME NetworkManager application, specifically within the nm-applet.conf configuration file. This issue affects versions prior to 0.7.0.99 and demonstrates a significant security weakness in how the system handles authentication credentials. The flaw resides in the incorrect deny setting that governs access to sensitive network information through the D-Bus interface, creating an exploitable path for local attackers to bypass intended security controls. The vulnerability operates at the application level within the network management subsystem, where proper privilege separation has been compromised.
The technical implementation of this vulnerability exploits the D-Bus request handler mechanism by targeting the GetSecrets method, which is designed to retrieve authentication credentials for network connections. The incorrect deny setting in nm-applet.conf fails to properly restrict access to this method, allowing unauthorized local processes to invoke the GetSecrets functionality without proper authentication. This misconfiguration enables attackers to extract sensitive information including network connection passwords and pre-shared keys that should remain protected within the system's secure credential storage mechanisms. The flaw essentially creates a backdoor path through which local users can access credentials that are normally restricted to authorized system components.
From an operational impact perspective, this vulnerability exposes organizations to significant risk as local users can potentially gain access to network authentication credentials without requiring elevated privileges. The extracted information includes both passwords and pre-shared keys, which could provide attackers with access to wireless networks, VPN connections, and other secured network resources. This vulnerability particularly affects environments where multiple users share a single system or where privilege escalation opportunities exist, as local access to network credentials can lead to broader network compromise. The attack vector is relatively simple and does not require sophisticated techniques, making it particularly dangerous in environments with insufficient user access controls.
The vulnerability aligns with CWE-284, which describes improper access control in software systems, and demonstrates how configuration errors can create security weaknesses. From an ATT&CK framework perspective, this vulnerability maps to T1566, representing the initial access through phishing or credential compromise, and T1078, representing legitimate credentials usage. The flaw also relates to T1552, which covers credentials harvesting, and T1003, which addresses credential access through system services. Organizations affected by this vulnerability should immediately implement patch management procedures to upgrade to NetworkManager version 0.7.0.99 or later, where the incorrect deny setting has been corrected. Additionally, system administrators should review D-Bus access controls and implement proper privilege separation to prevent unauthorized access to network credential storage. The recommended mitigation includes verifying that the nm-applet.conf file contains appropriate deny rules and that the D-Bus interface properly restricts access to GetSecrets method based on user privileges and authentication requirements.