Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
freebsdFreeBSDC71ED065-0600-11EB-8758-E0D55E2A8BF9
HistoryOct 02, 2020 - 12:00 a.m.

kdeconnect -- packet manipulation can be exploited in a Denial of Service attack

2020-10-0200:00:00
vuxml.freebsd.org
20

4.9 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:N/I:N/A:C

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.0005 Low

EPSS

Percentile

17.1%

JSON

Albert Astals Cid reports:

KDE Project Security Advisory

Title
KDE Connect: packet manipulation can be exploited in a Denial of Service attack

Risk Rating
Important

CVE
CVE-2020-26164

Versions
kdeconnect <= 20.08.1

Author
Albert Vaca Cintora <[email protected]>

Date
2 October 2020

Overview

      An attacker on your local network could send maliciously crafted
      packets to other hosts running kdeconnect on the network, causing
      them to use large amounts of CPU, memory or network connections,
      which could be used in a Denial of Service attack within the
      network.

Impact

      Computers that run kdeconnect are susceptible to DoS attacks from
      the local network.

Workaround

      We advise you to stop KDE Connect when on untrusted networks like
      those on airports or conferences.
    

      Since kdeconnect is dbus activated it is relatively hard to make
      sure it stays stopped so the brute force approach is to uninstall
      the kdeconnect package from your system and then run
    

      kquitapp5 kdeconnectd
  

    Just install the package again once you're back in a trusted
    network.

Solution

    KDE Connect 20.08.2 patches several code paths that could result
    in a DoS.

You can apply these patches on top of 20.08.1:

      https://invent.kde.org/network/kdeconnect-kde/-/commit/f183b5447bad47655c21af87214579f03bf3a163
    

      https://invent.kde.org/network/kdeconnect-kde/-/commit/b279c52101d3f7cc30a26086d58de0b5f1c547fa
    

      https://invent.kde.org/network/kdeconnect-kde/-/commit/d35b88c1b25fe13715f9170f18674d476ca9acdc
    

      https://invent.kde.org/network/kdeconnect-kde/-/commit/b496e66899e5bc9547b6537a7f44ab44dd0aaf38
    

      https://invent.kde.org/network/kdeconnect-kde/-/commit/5310eae85dbdf92fba30375238a2481f2e34943e
    

      https://invent.kde.org/network/kdeconnect-kde/-/commit/721ba9faafb79aac73973410ee1dd3624ded97a5
    

      https://invent.kde.org/network/kdeconnect-kde/-/commit/ae58b9dec49c809b85b5404cee17946116f8a706
    

      https://invent.kde.org/network/kdeconnect-kde/-/commit/66c768aa9e7fba30b119c8b801efd49ed1270b0a
    

      https://invent.kde.org/network/kdeconnect-kde/-/commit/85b691e40f525e22ca5cc4ebe79c361d71d7dc05
    

      https://invent.kde.org/network/kdeconnect-kde/-/commit/48180b46552d40729a36b7431e97bbe2b5379306

Credits

    Thanks Matthias Gerstner and the openSUSE security team for
    reporting the issue.
  

    Thanks to Aleix Pol, Nicolas Fella and Albert Vaca Cintora for the
    patches.
OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchkdeconnect-kde<= 20.08.1UNKNOWN

Related

cvelist 1
nessus 3
mageia 1
alpinelinux 1
openvas 2
suse 3
gentoo 1
debiancve 1
nvd 1
prion 1
archlinux 1
ubuntucve 1
osv 1
cve 1
cvelist
cvelist
CVE-2020-26164
2020-10-07 18:07:51
nessus
nessus
openSUSE Security Update : kdeconnect-kde (openSUSE-2020-1631)
2020-10-08 00:00:00
FreeBSD : kdeconnect -- packet manipulation can be exploited in a Denial of Service attack (c71ed065-0600-11eb-8758-e0d55e2a8bf9)
2020-10-05 00:00:00
GLSA-202101-16 : KDE Connect: Denial of service
2021-01-25 00:00:00
mageia
mageia
Updated kdeconnect-kde packages fix a security vulnerability
2020-11-14 00:20:36
alpinelinux
alpinelinux
CVE-2020-26164
2020-10-07 19:15:12
openvas
openvas
openSUSE: Security Advisory for kdeconnect-kde (openSUSE-SU-2020:1631-1)
2020-10-08 00:00:00
Mageia: Security Advisory (MGASA-2020-0416)
2022-01-28 00:00:00
suse
suse
Security update for kdeconnect-kde (important)
2020-10-10 00:00:00
Security update for kdeconnect-kde (important)
2020-10-07 00:00:00
Security update for kdeconnect-kde (important)
2020-10-10 00:00:00
gentoo
gentoo
KDE Connect: Denial of service
2021-01-22 00:00:00
debiancve
debiancve
CVE-2020-26164
2020-10-07 19:15:12
nvd
nvd
CVE-2020-26164
2020-10-07 19:15:12
prion
prion
Code injection
2020-10-07 19:15:00
archlinux
archlinux
[ASA-202010-7] kdeconnect: arbitrary code execution
2020-10-18 00:00:00
ubuntucve
ubuntucve
CVE-2020-26164
2020-10-07 00:00:00
osv
osv
CVE-2020-26164
2020-10-07 19:15:12
cve
cve
CVE-2020-26164
2020-10-07 19:15:12

4.9 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:N/I:N/A:C

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.0005 Low

EPSS

Percentile

17.1%

JSON
Related for C71ED065-0600-11EB-8758-E0D55E2A8BF9
cvelist1nessus3mageia1alpinelinux1openvas2suse3gentoo1debiancve1nvd1prion1archlinux1ubuntucve1osv1cve1