https://bugs.kde.org/show_bug.cgi?id=514986

            Bug ID: 514986
           Summary: Wifi with tunnelled EAP: not specifying CA leaves users
                    vulnerable to MITM
    Classification: Applications
           Product: systemsettings
     Version First
       Reported In: 6.5.5
          Platform: Fedora RPMs
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: kcm_networkmanagement
          Assignee: [email protected]
          Reporter: [email protected]
                CC: [email protected]
  Target Milestone: ---

SUMMARY

When configuring a wifi connection with WPA/WPA2 Enterprise security using a
tunnelled EAP method (TTLS or PEAP), not selecting a CA file disables
certificate checking of RADIUS server certificates. This leaves users
vulnerable to MITM attacks which expose tunnelled credentials.

STEPS TO REPRODUCE
1. Configure a wifi connection.
2. Select WPA/WPA2 Enterprise.
3. Select PEAP or TTLS (configure all necessary login and second phase data).
4. Leave CA certificate empty.
5. Connect to a WPA/WPA2 enterprise wifi with an EAP method configured that
matches the one configured above and use a self-signed certificate for the
RADIUS server.

OBSERVED RESULT

Any self-signed RADIUS server certificate is accepted.

EXPECTED RESULT

A RADIUS server certificate signed by an unknown CA should be rejected.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma:
KDE Plasma Version: 6.5.5
KDE Frameworks Version: 6.22.0 
Qt Version: 6.10.1

ADDITIONAL INFORMATION

The NetworkManager documentation
(https://networkmanager.dev/docs/api/1.46/settings-802-1x.html) says:

"ca-cert: […] This property can be unset even if the EAP method supports CA
certificates, but this allows man-in-the-middle attacks and is NOT recommended.
[…]"

It also says:

"system-ca-certs: When TRUE, overrides the "ca-path" and "phase2-ca-path"
properties using the system CA directory specified at configure time with the
--system-ca-path switch. [...]"

A possible workaround would be to set "system-ca-certs" to "TRUE" if "ca-cert"
is unset in the network settings. This would let a connection to a RADIUS
server fail if it's signed by an unknown CA.

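As an added example (not part of the bug report, and not code from KDE or NetworkManager), the script below writes two constructed NetworkManager keyfile profiles, the weak one the report describes (PEAP with no ca-cert and no system-ca-certs) beside a corrected one that sets system-ca-certs=true as the report suggests, and runs a small POSIX shell audit that flags any profile whose [802-1x] group selects peap or ttls without ca-cert, ca-path or system-ca-certs=true. The SSID, identity, password, file names and the domain-suffix-match value are made up for illustration; domain-suffix-match is a real 802-1x property but is not mentioned in the report.

```shell
#!/bin/sh
# Added example: audit NetworkManager keyfile profiles for tunnelled EAP
# (PEAP/TTLS) with no CA anchor, the MITM-prone state the bug report describes.
# Not code from KDE or NetworkManager. The sample profiles are constructed;
# SSID, identity, password and hostnames are made up.

# Write two constructed profiles into DIR: the weak one (no ca-cert, no
# system-ca-certs) and the hardened one (system-ca-certs=true, the workaround
# the report proposes, plus domain-suffix-match to pin the RADIUS server name).
write_sample_profiles() {
    cat > "$1/corp-weak.nmconnection" <<'EOF'
[connection]
id=corp-weak
type=wifi

[wifi]
ssid=CorpNet
mode=infrastructure

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
password=hunter2
EOF
    cat > "$1/corp-hardened.nmconnection" <<'EOF'
[connection]
id=corp-hardened
type=wifi

[wifi]
ssid=CorpNet
mode=infrastructure

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
password=hunter2
system-ca-certs=true
domain-suffix-match=radius.example.com
EOF
}

# audit_keyfile FILE: prints WEAK (exit 1) when the [802-1x] group selects
# peap or ttls and none of ca-cert, ca-path or system-ca-certs=true is set;
# prints OK (exit 0) otherwise, including for profiles with no [802-1x] group.
audit_keyfile() {
    awk '
        /^\[/ { group = $0; next }
        group == "[802-1x]" && /=/ {
            key = $0; sub(/=.*/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            kv[key] = val
        }
        END {
            tunnelled = (kv["eap"] ~ /(^|;)(peap|ttls)(;|$)/)
            anchored = (kv["ca-cert"] != "" || kv["ca-path"] != "" || tolower(kv["system-ca-certs"]) == "true")
            if (tunnelled && !anchored) { print "WEAK"; exit 1 }
            print "OK"; exit 0
        }' "$1"
}

# Stand-alone run over the constructed profiles. On a real host, point the
# loop at /etc/NetworkManager/system-connections/*.nmconnection (as root).
main() {
    dir=$(mktemp -d)
    write_sample_profiles "$dir"
    for f in "$dir"/*.nmconnection; do
        printf '%s: %s\n' "$(basename "$f")" "$(audit_keyfile "$f")"
    done
    rm -rf "$dir"
}
main
```

On a live system the same properties can be read with `nmcli -g 802-1x.eap,802-1x.ca-cert,802-1x.system-ca-certs connection show NAME`, and the workaround the report proposes applied with `nmcli connection modify NAME 802-1x.system-ca-certs yes`. Note that system-ca-certs only makes the server certificate chain to a trusted CA; without a name match (ca-cert with a private CA, or domain-suffix-match) any server holding a certificate from a publicly trusted CA would still be accepted.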