Main Vulnerability Database SB2020113009

SB2020113009 - Spoofing attack in KDE Connect

Published: November 30, 2020

Security Bulletin ID SB2020113009

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Adjecent network

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Spoofing attack (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to the GUI component in KDE Connect presents only the friendly "deviceName" identifier to identify the pair during connection. The device name is sent in clear text in UDP broadcast messages for all nodes in the same network segment. A remote attacker can obtain the device name of a real system in the network and later use it in a spoofing attack.

Remediation

Install update from vendor's website.

References

http://seclists.org/oss-sec/2020/q4/169
https://github.com/KDE/kdeconnect-kde/commit/e7518493df7398f27f7dffbfc3f79750bc1fda50