SuSE Update for NetworkManager, wpa_supplicant, NetworkManager-gnome SUSE-SA:2011:045

Impact
man in the middle
Solution
Please Install the Updated Packages.
Insight
When 802.11X authentication is used (ie WPA Enterprise) NetworkManager did not pin a certificate's subject to an ESSID. A rogue access point could therefore be used to conduct MITM attacks by using any other valid certificate issued by the same CA as used in the original network CVE-2006-7246. If password based authentication is used (e.g. via PEAP or EAP-TTLS) this means an attacker could sniff and potentially crack the password hashes of the victims. The certificate checks are only performed on newly created connections. Users must therefore delete and re-create any existing WPA Enterprise connections using e.g. nm-connection-editor to take advantage of the checks. knetworkmanager is also affected by but a fix is currently not available. Users of knetworkmanager are advised to use nm-applet for 802.11X networks instead. The following document gives a more detailed explanation about the problem in general. Administrators are advised to take the opportunity to review security of their wireless networks if 802.11X authentication is used. http://www.suse.de/~lnussel/The_Evil_Twin_problem_with_WPA2-Enterprise_v1.1.pdf
Affected
NetworkManager, wpa_supplicant, NetworkManager-gnome on openSUSE 11.3, openSUSE 11.4
References