CVE-2019-14744

7.8 HIGH

📋 TL;DR

CVE-2019-14744 is a code execution vulnerability in KDE Frameworks KConfig where malicious .desktop or .directory files can execute arbitrary shell commands when processed. This affects KDE desktop environments and applications using KConfig before version 5.61.0. Users who open or interact with crafted desktop files are vulnerable.

💻 Affected Systems

Products:
  • KDE Frameworks KConfig
  • KDE Plasma Desktop
  • Applications using KConfig
Versions: Versions before 5.61.0
Operating Systems: Linux distributions with KDE (openSUSE, Fedora, Ubuntu KDE, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default KDE configurations that process .desktop or .directory files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise: the attacker gains user-level privileges and may escalate to root through subsequent exploits.

🟠 Likely Case

Local privilege escalation or arbitrary code execution when a user opens a malicious desktop file.

🟢 If Mitigated

No impact if patched, or if desktop files from untrusted sources are blocked.

🌐 Internet-Facing: LOW - Requires user interaction with malicious files, not directly network exploitable.
🏢 Internal Only: MEDIUM - Internal users could craft malicious desktop files for lateral movement or privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the user to open a malicious desktop file. The public proof of concept uses a crafted Icon line containing shell commands.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: KDE Frameworks 5.61.0 or later

Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:2606

Restart Required: Yes

Instructions:

1. Update KDE Frameworks to version 5.61.0 or later using your distribution's package manager.
2. Restart the KDE desktop session or the affected applications.
3. For distributions: apply security updates from the vendor repositories.

🔧 Temporary Workarounds

Disable desktop file execution (Linux)

Configure the system not to execute shell commands from desktop files. No single command does this; it requires KConfig configuration changes.

Restrict desktop file sources (Linux)

Only allow desktop files from trusted sources. Tightening permissions and ownership of the installed application entries limits who can plant or modify them:

chmod 644 ~/.local/share/applications/*.desktop
chown root:root /usr/share/applications/*.desktop

Note that this hardens existing entries only; it does not stop a user from opening a crafted file delivered by other means (download, e-mail, removable media).

🧯 If You Can't Patch

  • Restrict user permissions to create/modify desktop files in shared directories
  • Implement application whitelisting to prevent execution of unknown desktop applications

🔍 How to Verify

Check if Vulnerable:

Check the installed KConfig package version:

dpkg -l | grep libkf5config-core
rpm -qa | grep kf5-kconfig-core

Check Version:

KConfig is versioned with KDE Frameworks, so the Frameworks release reported by kf5-config is the KConfig version:

kf5-config --version | grep 'KDE Frameworks'

Verify Fix Applied:

Verify that the reported KDE Frameworks version is 5.61.0 or higher:

kf5-config --version | grep 'KDE Frameworks'
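The version check above and the Icon-line detection described under Exploit Status, as an added POSIX shell example (not part of the advisory or of KDE's own tooling). The package names are the ones quoted in the advisory; the .desktop content written by write_sample_desktop is constructed for the demonstration; the sort -V comparison assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether an installed KConfig
# version is at or above the fixed release, and flag Icon= entries in
# .desktop/.directory files that carry command-substitution syntax.

FIXED_VERSION="5.61.0"

# Return 0 if the version in $1 is >= FIXED_VERSION, 1 otherwise.
# Distribution suffixes ("5.54.0-1", "4:5.54.0") are stripped first;
# sort -V then does natural version ordering, so the fixed version must
# sort first (or equal) for the installed version to count as fixed.
kconfig_is_fixed() {
    v=${1%%-*}   # drop "-<revision>"
    v=${v#*:}    # drop "<epoch>:"
    first=$(printf '%s\n%s\n' "$FIXED_VERSION" "$v" | sort -V | head -n1)
    [ "$first" = "$FIXED_VERSION" ]
}

# Print the installed KConfig package version using the package names the
# advisory's check commands use (dpkg first, then rpm). Prints nothing if
# neither package manager knows the package.
installed_kconfig_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' libkf5config-core 2>/dev/null | head -n1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' kf5-kconfig-core 2>/dev/null | head -n1
    fi
}

# Print (with line numbers) every Icon= entry in $1 whose value contains
# "$(" or a backtick, i.e. the shell command syntax the advisory describes.
# grep's exit status is passed through: 0 if anything matched, 1 if not.
suspicious_icon_lines() {
    grep -nE '^Icon[^=]*=.*(\$\(|`)' "$1"
}

# Write a constructed .desktop entry to $1 for demonstration only. The Icon
# value carries a harmless command substitution so the scanner has something
# to flag; the Exec line is inert.
write_sample_desktop() {
    cat > "$1" <<'EOF'
[Desktop Entry]
Type=Application
Name=Constructed sample entry (not a real application)
Icon=$(echo constructed-sample)
Exec=true
EOF
}

# Stand-alone run: report the installed version verdict and scan the sample.
demo() {
    installed=$(installed_kconfig_version)
    if [ -z "$installed" ]; then
        echo "KConfig package not found via dpkg or rpm"
    elif kconfig_is_fixed "$installed"; then
        echo "KConfig $installed: at or above $FIXED_VERSION (fixed)"
    else
        echo "KConfig $installed: below $FIXED_VERSION (vulnerable)"
    fi
    sample=$(mktemp)
    write_sample_desktop "$sample"
    echo "Scanning constructed sample $sample:"
    suspicious_icon_lines "$sample" || echo "no suspicious Icon lines"
    rm -f "$sample"
}
```

To scan real entries rather than the constructed sample, point suspicious_icon_lines at each file under ~/.local/share/applications and /usr/share/applications (a for loop over *.desktop and *.directory); a non-zero count of flagged lines is a review item, not proof of exploitation, since the check only looks for command syntax in Icon values.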

📡 Detection & Monitoring

Log Indicators:

  • Unusual desktop file executions
  • Shell commands originating from desktop file processing

Network Indicators:

  • None - local exploitation only

SIEM Query:

process.name: "kdeinit*" AND cmdline: "*.desktop" AND cmdline: "sh -c"
