SB2025041809 - Multiple vulnerabilities in KDE Connect apps
Published: April 18, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2025-32899)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the way the application handles broadcast UDP packets. When receiving an invalid discovery UDP packet the application tries unpairing the device that sent the packet. A remote attacker can send malformed UDP packets and disrupt network connectivity.
2) Input validation error (CVE-ID: CVE-2025-32901)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling UDP broadcasts. A remote attacker on the local network can send a specially crafted UDP broadcast packet and crash the application.
3) Insufficient verification of data authenticity (CVE-ID: CVE-2025-32900)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to impersonate other devices on the network.
The vulnerability exists due to the way KDE Connect handles broadcasts and discovers devices inside the network. A remote attacker on the local network can send broadcast UDP packets that contain display name of another system and perform spoofing attack.
4) Improper Authentication (CVE-ID: CVE-2025-32898)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker to bypass authentication process.
The vulnerability exists due to usage of a weak authentication mechanism when pairing devices. KDE Connect displays an 8-character-long verification code when pairing two devices that is generated from the devices public keys. An attacker with physical proximity to device can brute-force the a key pair such that the resulting verification code matches the one of another device they try to impersonate.
Note, this attack can be launched remotely if an attacker has a presence in the victim's network through a compromised system.
Remediation
Install update from vendor's website.