Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 30 Nov 2020 10:09:41 +0100
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: kdeconnect: CVE-2020-26164: multiple security
 issues in kdeconnectd network daemon

Hi,

On Tue, Oct 13, 2020 at 02:29:12PM +0200, Matthias Gerstner wrote:
> following is a security review report concerning kdeconnect [1].

this is an amendment to my original report. Upstream wanted to keep this
private until they had something to address it. Originally I raised the
following additional concern:

    ## General Observations and Recommendations
      
    ### Pairing Procedure
    
    The pairing procedure currently seems lacking. The GUI component only presents
    the friendly 'deviceName' to identify peer devices, which is completely under
    attacker control. Furthermore the 'deviceName' is transmitted in cleartext in
    UDP broadcast messages for all other nodes in the network segment to see.
    Therefore malicious devices can attempt to confuse users by requesting a
    pairing under the same 'deviceName' to gain access to a system.
    
    I strongly suggest to introduce a secure procedure here, like displaying the
    certificate fingerprint to the user.

Upstream addresses this now [1]. A sha256 fingerprint of the
concatenated public keys of the two involved certificates is displayed.
I'm not completely happy with the chosen solution, because in the
initial popup only a prefix of 8 hex digits of the fingerprint is
displayed. The full fingerprint is only reachable via an additional
"view key" button. There are no additional instructions for the end user
and no explanation about the severity of trusting a device. At least in
theory it is now possible to do a proper peer device verification.

Other discussed approaches to make the verification more user friendly
and/or more secure would have been:

- displaying a randomart image in the fashion of ssh-keygen.
- scanning a QR code displayed on the PC end using the kdeconnect
  Android app.
- requiring the user to enter (at least part of) the fingerprint on the
  PC end to force proper user interaction. Since the pairing procedure
  should not occur very often and given the importance of verifying
  device identity this would have been justified.

[1]: https://github.com/KDE/kdeconnect-kde/commit/e7518493df7398f27f7dffbfc3f79750bc1fda50

Cheers

Matthias

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.