CVE-2012-1096: 
Linux Ubuntu vulnerability analysis and mitigation

NetworkManager 0.9 and earlier contains a security vulnerability (CVE-2012-1096) that allows local users to use other users' certificates or private keys when making a connection via the file path when adding a new connection. The vulnerability was discovered in early 2012 and was reported by Ludwig Nussel of the SUSE security team (SUSE Bug).

The vulnerability stems from NetworkManager's design where it stores path names to certificates and key files, allowing the daemon (running as root) to access user files. The issue has a CVSS 3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local access is required and the impact is primarily on confidentiality (NVD). The vulnerability is classified as CWE-295 (Improper Certificate Validation).

The vulnerability allows local users to specify arbitrary file paths for certificates and private keys when creating network connections. While it doesn't allow direct reading of arbitrary file contents, it enables users to utilize other users' certificates or private keys in WPA-based connections even without direct read access to those files (GNOME Bug).

As a mitigation, administrators can restrict untrusted users from creating NetworkManager connections through PolicyKit controls. The long-term fix involves moving away from file-based certificates to PKCS11 URLs, though complete removal of file-based support remains a distant goal (GNOME Bug).