CVE-2024-36041
📋 TL;DR
This vulnerability in KDE Plasma Workspace lets any local user on the same machine connect to ksmserver, the Plasma session manager, over ICE: the vulnerable versions accept a connection based only on the host it comes from, so every local connection is trusted and no per-user authentication is applied. Another account on the machine can therefore reach the victim's session manager and, per the KDE advisory, use that access to have arbitrary code run as the victim on the next system boot. Any user running an affected plasma-workspace release is at risk.
💻 Affected Systems
- KDE Plasma Workspace (plasma-workspace) before 5.27.11.1 (Plasma 5) and before 6.0.5.1 (Plasma 6)
📦 What is this software?
plasma-workspace is the package that provides the KDE Plasma desktop shell. It includes ksmserver, Plasma's X Session Management Protocol (XSMP) session manager, which records the user's running applications and restores them at the next login; XSMP clients talk to it over ICE (the Inter-Client Exchange protocol from the X.Org libraries), normally through a UNIX socket under /tmp/.ICE-unix/.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with a local account can get arbitrary code executed as the victim user at the victim's next boot or login. That is a lateral move into another user's account rather than a direct root exploit, but if the victim holds sudo or administrative rights it can lead on to full system compromise, and in any case it gives a persistent foothold in that user's session.
Likely Case
Local attackers can talk to the victim's session manager: they can inspect and interfere with the saved session and plant a command that runs in the victim's context when the session is restored.
If Mitigated
With the fix applied, ksmserver no longer trusts every local ICE connection, so other local users cannot reach the session manager at all. Short of the fix, only reducing who can log in locally limits exposure; the workarounds below narrow the attack surface but do not close the hole.
🎯 Exploit Status
Requires an account on the same machine and a victim who is logged in to Plasma (or whose session manager is otherwise running). The attacker connects to the victim's ksmserver ICE socket, which by default lives under /tmp/.ICE-unix/ and which the vulnerable versions accept from any local user, and uses session-manager (XSMP) operations to shape what the victim's session restores next time. No specific exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.27.11.1 or 6.0.5.1 and later
Vendor Advisory: https://kde.org/info/security/advisory-20240531-1.txt
Restart Required: Yes
Instructions:
1. Update the plasma-workspace package with your distribution's package manager.
2. Plasma 5: make sure the installed version is 5.27.11.1 or later.
3. Plasma 6: make sure the installed version is 6.0.5.1 or later.
4. Log out and back in, or reboot, so that a patched ksmserver is running; the old process keeps accepting unauthenticated ICE connections until it is restarted.
🔧 Temporary Workarounds
Restrict local user access
Limit local accounts to trusted individuals, lock or remove accounts that are no longer needed, and avoid shared multi-user desktops until the fix is in place. The vulnerability is only reachable by a user who already has a local login.
Monitor the ICE socket directory
ksmserver's ICE listening socket is created under /tmp/.ICE-unix/ (one socket per session manager, named after its pid). inotify reports file-system events such as a socket being created or removed, not a client calling connect() on an existing socket, so this only shows session managers starting and stopping; spotting clients from other users needs a look at the socket table (ss -xp) instead.
inotifywait -m -e create,delete /tmp/.ICE-unix
🧯 If You Can't Patch
- Implement strict user access controls and limit local user accounts to essential personnel only.
- Use separate physical or virtual machines for different users instead of multi-user configurations.
🔍 How to Verify
Check if Vulnerable:
Check the installed plasma-workspace version: dpkg-query -W -f '${Version}\n' plasma-workspace (Debian/Ubuntu) or rpm -q plasma-workspace (RHEL/Fedora/openSUSE). If the upstream part of the version is below 5.27.11.1 (Plasma 5) or below 6.0.5.1 (Plasma 6), the system is vulnerable, with one caveat: distributions that backport fixes keep the old upstream number. Debian LTS shipped such a backport (see the debian-lts-announce link in References), so on Debian compare against the package version named in that advisory rather than the upstream number.
Check Version:
plasmashell --version 2>/dev/null || echo "plasmashell not found; check the plasma-workspace package version instead"
Verify Fix Applied:
Verify that the plasma-workspace package version is 5.27.11.1 or higher for Plasma 5, or 6.0.5.1 or higher for Plasma 6, and that the running session was started after the upgrade: a ksmserver process started before the package was installed (compare ps -o lstart= -C ksmserver with the install time) is still the vulnerable binary.
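The version checks above are easy to get wrong by hand (5.27.11 sorts after 5.27.11.1 in a plain string comparison, and distribution version strings carry epochs and release suffixes), so here is the check as a script. This is an added example written for this page, not KDE project code; the package name plasma-workspace, the dpkg/rpm/plasmashell fallbacks and the function names are assumptions, and on distributions that backport fixes under an older version string (Debian LTS) its verdict must be cross-checked against the distribution advisory.

```shell
#!/bin/sh
# Added example (not KDE project code): decide whether an installed
# plasma-workspace is older than the fixed releases named in the advisory,
# 5.27.11.1 (Plasma 5) and 6.0.5.1 (Plasma 6). The package name
# "plasma-workspace" and the dpkg/rpm/plasmashell fallbacks are assumptions
# about the distribution; backported fixes keep an older upstream number,
# so cross-check against the distribution advisory there.

# True (exit 0) when $1 sorts strictly before $2 as a dotted version string.
# sort -V orders 5.27.11 before 5.27.11.1, which is the comparison we need.
version_lt() {
    [ "$1" = "$2" ] && return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Strip packaging decorations so a distro version string compares upstream-style:
# epoch "4:", release "-0ubuntu1" / "-1.fc40", and "+dfsg" / "~rc1" suffixes.
normalize_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[-+~].*$//'
}

# True when plasma-workspace version $1 is affected by CVE-2024-36041.
# The 6.x line is judged against 6.0.5.1; everything else (5.27.x and any
# older, unmaintained 5.x) against 5.27.11.1.
plasma_vulnerable() {
    case "$1" in
        6.*) version_lt "$1" 6.0.5.1 ;;
        *)   version_lt "$1" 5.27.11.1 ;;
    esac
}

# Installed version from the package manager when one is available, otherwise
# from plasmashell itself (which prints e.g. "plasmashell 5.27.11").
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' plasma-workspace 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' plasma-workspace 2>/dev/null
    else
        plasmashell --version 2>/dev/null | awk '{print $2}'
    fi
}

# Exit 0 when patched, 1 when vulnerable, 2 when no version could be found.
main() {
    raw=$(installed_version) || true
    if [ -z "$raw" ]; then
        echo "plasma-workspace not installed or not detectable" >&2
        return 2
    fi
    v=$(normalize_version "$raw")
    if plasma_vulnerable "$v"; then
        echo "VULNERABLE: plasma-workspace $v (fixed in 5.27.11.1 / 6.0.5.1)"
        return 1
    fi
    echo "OK: plasma-workspace $v is at or past the fixed release"
}

main "$@"
```

The exit status is meant for fleet use: run it over your Linux desktops from configuration management and alert on status 1, then follow up on status 2 hosts by hand.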
📡 Detection & Monitoring
Log Indicators:
- ICE connections to a user's ksmserver coming from processes owned by a different local user (ksmserver does not log its connections by default, so this has to come from a socket-table check or an audit rule you add)
- Unexpected changes to KDE session state, such as new entries in the saved session or unfamiliar applications restored at login
- Files created or modified under /tmp/.ICE-unix/ or in ~/.ICEauthority by a user other than their owner
Network Indicators:
- Local ICE connections between user sessions, that is, a UNIX-socket connection to /tmp/.ICE-unix/<pid> whose client process runs under a uid other than the socket's owner (there is no network traffic to watch; ICE here is a local socket)
SIEM Query:
The query below is illustrative only: ksmserver emits no connection events, so the src_user/dst_user fields have to be produced by a source you add (for example a periodic socket-table check that records socket owner and client uid). Adjust the field names to that source.
process_name:"ksmserver" AND event_type:"connection" AND src_user != dst_user
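The "local ICE connections between user sessions" indicator can be checked directly from the socket table, and the result is the kind of record the query above presupposes. The script below is an added example written for this page, not KDE project code. It assumes the output layout of iproute2's ss -xp (path, inode, "*", peer inode, then a users:((...,pid=N,...)) column), Linux /proc for process uids, and the default ICE socket directory; ICE_DIR, PID_UIDS and SOCK_OWNERS are this example's own knobs, and the sample ss output and uid maps embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not KDE project code: report established connections to ICE
# sockets under /tmp/.ICE-unix whose client process runs as a different uid
# than the socket's owner, i.e. the cross-user access CVE-2024-36041 permits.
# Assumes iproute2's `ss -xp` output layout and Linux /proc; run as root so
# that ss can attribute every socket to its process. ICE_DIR, PID_UIDS and
# SOCK_OWNERS are this example's own knobs.

ICE_DIR=${ICE_DIR:-/tmp/.ICE-unix}

# Look up key $2 in a "key=value key=value ..." string ($1); prints nothing if absent.
lookup_map() {
    for kv in $1; do
        if [ "${kv%%=*}" = "$2" ]; then echo "${kv#*=}"; fi
    done
    return 0
}

# Real uid of process $1 from /proc, unless PID_UIDS supplies a fixture map.
pid_uid() {
    if [ -n "${PID_UIDS:-}" ]; then lookup_map "$PID_UIDS" "$1"
    else awk '/^Uid:/ {print $2}' "/proc/$1/status" 2>/dev/null || :
    fi
}

# Owner uid of socket file $1, unless SOCK_OWNERS supplies a fixture map.
socket_owner() {
    if [ -n "${SOCK_OWNERS:-}" ]; then lookup_map "$SOCK_OWNERS" "$1"
    else stat -c %u "$1" 2>/dev/null || :
    fi
}

# Read `ss -xp` output on stdin. Every accepted ICE socket shows the listener's
# path plus its own inode and the peer inode; the client's line shows the same
# pair reversed and the client's pid. Pair them and emit "socket_path client_pid".
ice_clients() {
    awk -v prefix="$ICE_DIR/" '
        $1 == "u_str" && $2 == "ESTAB" {
            path[$6] = $5; peer[$6] = $8
            if (match($0, /pid=[0-9]+/)) pid[$6] = substr($0, RSTART + 4, RLENGTH - 4)
        }
        END {
            for (ino in path)
                if (index(path[ino], prefix) == 1 && (peer[ino] in pid))
                    print path[ino], pid[peer[ino]]
        }' | sort
}

# Print "socket_path owner_uid client_pid client_uid" for every client whose
# uid differs from the socket owner. Same-user clients (the normal case) are silent.
cross_user_ice() {
    ice_clients | while read -r sock cpid; do
        owner=$(socket_owner "$sock")
        client=$(pid_uid "$cpid")
        if [ -n "$owner" ] && [ -n "$client" ] && [ "$owner" != "$client" ]; then
            echo "$sock $owner $cpid $client"
        fi
    done
}

# Constructed sample (not captured from a real host): ksmserver pid 1234, owned
# by uid 1000, has two clients, konsole (uid 1000) and pid 4321 running as uid
# 1001; a D-Bus connection and the ICE listener itself are included as noise.
SAMPLE_SS='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str LISTEN 0 128 /tmp/.ICE-unix/1234 500000 * 0 users:(("ksmserver",pid=1234,fd=9))
u_str ESTAB 0 0 /tmp/.ICE-unix/1234 500001 * 500002 users:(("ksmserver",pid=1234,fd=10))
u_str ESTAB 0 0 * 500002 * 500001 users:(("python3",pid=4321,fd=3))
u_str ESTAB 0 0 /tmp/.ICE-unix/1234 500003 * 500004 users:(("ksmserver",pid=1234,fd=11))
u_str ESTAB 0 0 * 500004 * 500003 users:(("konsole",pid=2222,fd=7))
u_str ESTAB 0 0 /run/user/1000/bus 600001 * 600002 users:(("dbus-daemon",pid=1801,fd=23))
u_str ESTAB 0 0 * 600002 * 600001 users:(("plasmashell",pid=2000,fd=5))'
SAMPLE_PID_UIDS='1234=1000 4321=1001 2222=1000 1801=1000 2000=1000'
SAMPLE_SOCK_OWNERS='/tmp/.ICE-unix/1234=1000 /run/user/1000/bus=1000'

# Run the detection over the constructed sample (works offline).
demo() (
    PID_UIDS=$SAMPLE_PID_UIDS
    SOCK_OWNERS=$SAMPLE_SOCK_OWNERS
    printf '%s\n' "$SAMPLE_SS" | cross_user_ice
)

# Live check on a real host:  sudo sh ice_cross_user.sh --live
if [ "${1:-}" = "--live" ]; then ss -xp | cross_user_ice; else demo; fi
```

Run from cron or a monitoring agent as root and ship any output line to the SIEM; a patched ksmserver should never produce one, so every hit is worth a look. Without root, ss only names processes the caller can inspect, and the check silently misses other users' clients.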
🔗 References
- https://github.com/KDE/plasma-workspace/tags
- https://invent.kde.org/plasma/plasma-workspace/
- https://kde.org/info/security/advisory-20240531-1.txt
- https://www.x.org/releases/X11R7.7/doc/libSM/xsmp.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00002.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43YGQJGB5I33UBRY2OHXTPXIEESZLZ6N/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNOZWSWXAR6EM3VIUJRSAI3L4QPURQPC/