[Bug 2067742] Re: [SRU] CVE-2024-36041 Fix ksmserver: Unauthorized users can access session manager
Simon Quigley
2067742 at bugs.launchpad.net
Wed Jun 19 16:21:55 UTC 2024
** Description changed:
[ Impact ]
- * ksmserver: Unauthorized users can access session manager
+ On May 31, 2024, KDE published a security advisory for plasma-workspace:
+ https://kde.org/info/security/advisory-20240531-1.txt
- * CVE-2024-36041 security
+ This was assigned CVE-2024-36041, and affects all stable versions of
+ Kubuntu (and the Ubuntu Studio releases with KDE Plasma).
+
+ Overview from the advisory:
+ KSmserver, KDE's XSMP manager, incorrectly allows connections via ICE based purely on the host, allowing all local connections. This allows another user on the same machine to gain access to the session manager. A well crafted client could use the session restore feature to execute arbitrary code as the user on the next boot.
+
+ The fix for this is applying https://invent.kde.org/plasma/plasma-
+ workspace/-/commit/da843d3fdb143ed44094c8e6246cfb8305f6f09f (iceauth is
+ already installed by default).
[ Test Plan ]
- * KSmserver, KDE's XSMP manager, incorrectly allows connections via ICE
- based purely on the host, allowing all local connections. This allows
- another user on the same machine to gain access to the session
- manager.
+ Ensure your system is fully updated.
- A well crafted client could use the session restore feature to execute
- arbitrary code as the user on the next boot.
+ Confirm the vulnerability is present:
+ 1. Install build-essential and libice-dev (for use in the POC).
+ 2. Download the POC: `wget https://launchpadlibrarian.net/735809918/poc-CVE-2024-36041.c`
+ 3. Compile the POC: `gcc -o poc-CVE-2024-36041 ./poc-CVE-2024-36041.c -lICE`
+ 4. Run the POC with a path to the ICE socket belonging to the current user. For example: `./poc-CVE-2024-36041 local/:/tmp/.ICE-unix/1878`
+ 5. Observe the following output: "Authentication not needed, vulnerable!"
+ Install the updates from the security-proposed pocket:
+ 1. Add the PPA: `sudo add-apt-repository ppa:ubuntu-security-proposed/ppa`
+ 2. Install the updates for plasma-workspace from the PPA: `sudo apt -y install plasma-workspace`
+
+ Open Firefox.
+
+ Confirm session restore and logout work as intended, and that the vulnerability is fixed:
+ 1. Log out of the session and log back in. Confirm Firefox opens as expected.
+ 2. Run the POC again, this time it will be a different socket. Example: `./poc-CVE-2024-36041 local/:/tmp/.ICE-unix/5920`
+ 3. Observe the following output: `None of the authentication protocols specified are supported. Connection failed! This probably means you're safe.`
[ Where problems could occur ]
+ The iceauth binary being installed means we do not need https://invent.kde.org/plasma/plasma-workspace/-/commit/1d5aa1d27bff87b2d242ed759cfb2ce15a5c3de7 as well. Several bug reports have been filed regarding this:
+ - https://bugzilla.redhat.com/show_bug.cgi?id=2290337
+ - https://bugs.kde.org/show_bug.cgi?id=488187
- [ Other Info ]
-
- * New release to fix CVE
+ The test case explicitly covers both of these bugs, to ensure they do
+ not exist.
** Summary changed:
- [SRU] CVE-2024-36041 Fix ksmserver: Unauthorized users can access session manager
+ CVE-2024-36041: ksmserver: Unauthorized users can access session manager
--
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to plasma-workspace in Ubuntu.
https://bugs.launchpad.net/bugs/2067742