Date: Mon, 30 Nov 2020 10:09:41 +0100 From: Matthias Gerstner <mgerstner@...e.de> To: oss-security@...ts.openwall.com Subject: Re: kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon Hi, On Tue, Oct 13, 2020 at 02:29:12PM +0200, Matthias Gerstner wrote: > following is a security review report concerning kdeconnect . this is an amendment to my original report. Upstream wanted to keep this private until they had something to address it. Originally I raised the following additional concern: ## General Observations and Recommendations ### Pairing Procedure The pairing procedure currently seems lacking. The GUI component only presents the friendly 'deviceName' to identify peer devices, which is completely under attacker control. Furthermore the 'deviceName' is transmitted in cleartext in UDP broadcast messages for all other nodes in the network segment to see. Therefore malicious devices can attempt to confuse users by requesting a pairing under the same 'deviceName' to gain access to a system. I strongly suggest to introduce a secure procedure here, like displaying the certificate fingerprint to the user. Upstream addresses this now . A sha256 fingerprint of the concatenated public keys of the two involved certificates is displayed. I'm not completely happy with the chosen solution, because in the initial popup only a prefix of 8 hex digits of the fingerprint is displayed. The full fingerprint is only reachable via an additional "view key" button. There are no additional instructions for the end user and no explanation about the severity of trusting a device. At least in theory it is now possible to do a proper peer device verification. Other discussed approaches to make the verification more user friendly and/or more secure would have been: - displaying a randomart image in the fashion of ssh-keygen. - scanning a QR code displayed on the PC end using the kdeconnect Android app. - requiring the user to enter (at least part of) the fingerprint on the PC end to force proper user interaction. Since the pairing procedure should not occur very often and given the importance of verifying device identity this would have been justified. : https://github.com/KDE/kdeconnect-kde/commit/e7518493df7398f27f7dffbfc3f79750bc1fda50 Cheers Matthias Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.