CVE-2024-36041: ksmserver: Unauthorized users can access session manager
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
plasma-workspace (Ubuntu) | Fix Released | High | Scarlett Gately Moore |
Focal | Fix Released | High | Simon Quigley |
Jammy | Fix Released | High | Simon Quigley |
Mantic | Fix Released | High | Simon Quigley |
Noble | Fix Released | High | Simon Quigley |
Bug Description
[ Impact ]
On May 31, 2024, KDE published a security advisory for plasma-workspace: https:/
This was assigned CVE-2024-36041, and affects all stable versions of Kubuntu (and the Ubuntu Studio releases with KDE Plasma).
Overview from the advisory:
KSmserver, KDE's XSMP manager, incorrectly allows connections via ICE based purely on the host, allowing all local connections. This allows another user on the same machine to gain access to the session manager. A well crafted client could use the session restore feature to execute arbitrary code as the user on the next boot.
The fix for this is applying https:/
[ Test Plan ]
Ensure your system is fully updated.
Confirm the vulnerability is present:
1. Install build-essential and libice-dev (for use in the POC).
2. Download the POC: `wget https:/
3. Compile the POC: `gcc -o poc-CVE-2024-36041 ./poc-CVE-
4. Run the POC with a path to the ICE socket belonging to the current user. For example: `./poc-
5. Observe the following output: "Authentication not needed, vulnerable!"
Install the updates from the security-proposed pocket:
1. Add the PPA: `sudo add-apt-repository ppa:ubuntu-
2. Install the updates for plasma-workspace from the PPA:
   - Noble and Mantic: `sudo apt -y install plasma-workspace`
   - Jammy: `sudo apt -y install plasma-workspace breeze kwin-x11 libksysguardfor
   - Focal: `sudo apt -y install plasma-workspace breeze kwin-x11`
Open Firefox.
Confirm session restore and logout work as intended, and that the vulnerability is fixed:
1. Log out of the session and log back in. Confirm Firefox opens as expected (session restore).
2. Run the POC again. The new session has a different ICE socket, so pass that socket's path. Example: `./poc-
3. Observe the following output: `None of the authentication protocols specified are supported. Connection failed! This probably means you're safe.`
[ Where problems could occur ]
The iceauth binary being installed means we do not need https:/
- https:/
- https:/
The test case explicitly covers both of these bugs, to ensure they do not exist.
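A read-only readiness check for the manual test plan above and for the iceauth concern in this section. This is an added example, not the POC and not code from the bug report, KDE or the Ubuntu packages. It locates the current user's ksmserver ICE socket from `SESSION_MANAGER` (assumed to have the `local/<host>:<path>,unix/<host>:<path>` form ksmserver sets), reports the socket's owner and mode, checks that `iceauth` is on the PATH, and compares the installed plasma-workspace version against a fixed version passed in `FIXED_VERSION`, because the page states the fixed version only for oracular. `stat -c` and `dpkg-query`/`dpkg --compare-versions` are assumed to be the GNU coreutils and dpkg tools present on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the bug report or the Ubuntu/KDE packages):
# a read-only readiness check to run before and after the update.
#
# Assumptions (labelled): SESSION_MANAGER has the usual
# "local/<host>:<path>,unix/<host>:<path>" form set by ksmserver;
# dpkg-query, dpkg --compare-versions and GNU stat are available (Ubuntu);
# the fixed package version for your release is supplied via FIXED_VERSION
# since the page only states it for oracular.

# Extract the filesystem path of the session manager's ICE socket from a
# SESSION_MANAGER value. Prints the path; returns 1 if no unix/ entry exists.
ice_socket_from_session_manager() {
    sm=$1
    old_ifs=$IFS
    IFS=','
    set -- $sm            # split the value on commas into $1..$n
    IFS=$old_ifs
    for entry in "$@"; do
        case "$entry" in
            unix/*) printf '%s\n' "${entry#*:}"; return 0 ;;
        esac
    done
    return 1
}

# Return 0 if the installed plasma-workspace is at or above version $1,
# 1 if it is older, 2 if the package is not installed or dpkg is missing.
plasma_workspace_at_least() {
    want=$1
    have=$(dpkg-query -W -f '${Version}' plasma-workspace 2>/dev/null) || return 2
    [ -n "$have" ] || return 2
    dpkg --compare-versions "$have" ge "$want"
}

# Human-readable report. It only prints findings and never exits non-zero.
report() {
    if [ -n "${SESSION_MANAGER:-}" ] && sock=$(ice_socket_from_session_manager "$SESSION_MANAGER"); then
        printf 'ICE socket: %s\n' "$sock"
        if [ -S "$sock" ]; then
            # The socket should belong to the current user; the page's POC is
            # pointed at exactly this path.
            printf '  owner/mode: %s (expected owner: %s)\n' "$(stat -c '%U %a' "$sock")" "$(id -un)"
        else
            printf '  path is not a socket (stale SESSION_MANAGER?)\n'
        fi
    else
        printf 'SESSION_MANAGER unset or without a unix/ entry; not inside a Plasma X11 session?\n'
    fi

    if command -v iceauth >/dev/null 2>&1; then
        printf 'iceauth: present (%s)\n' "$(command -v iceauth)"
    else
        printf 'iceauth: MISSING (see the linked bugs above)\n'
    fi

    if [ -n "${FIXED_VERSION:-}" ]; then
        plasma_workspace_at_least "$FIXED_VERSION"
        case $? in
            0) printf 'plasma-workspace: at or above %s\n' "$FIXED_VERSION" ;;
            1) printf 'plasma-workspace: OLDER than %s, update still pending\n' "$FIXED_VERSION" ;;
            *) printf 'plasma-workspace: not installed or dpkg unavailable\n' ;;
        esac
    else
        printf 'FIXED_VERSION not set; skipping package version check\n'
    fi
}

report
```

Run it inside the Plasma session, for example `FIXED_VERSION='4:5.27.11.1-0ubuntu1' sh ice-check.sh` (substitute the fixed version for your release). The socket path it prints is the one to hand to the POC in the test plan; the script itself does not talk to ksmserver, so the POC run is still needed to confirm the before/after behaviour described above.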
CVE References
CVE-2024-36041

Bug activity:
summary: "SRu: CVE-2024-36041 Fix ksmserver: Unauthorized users can access session manager" → "[SRU] CVE-2024-36041 Fix ksmserver: Unauthorized users can access session manager"
Changed in plasma-workspace (Ubuntu Noble):
milestone: none → ubuntu-24.04.1
description: updated
summary: "[SRU] CVE-2024-36041 Fix ksmserver: Unauthorized users can access session manager" → "CVE-2024-36041: ksmserver: Unauthorized users can access session manager"
description: updated
description: updated
This bug was fixed in the package plasma-workspace - 4:5.27.11.1-0ubuntu1

---------------
plasma-workspace (4:5.27.11.1-0ubuntu1) oracular; urgency=medium

  * New upstream release to fix CVE-2024-36041 Fix ksmserver:
    Unauthorized users can access session manager. Sru: (LP: #2067742)
  * Remove applied upstream patch.

 -- Scarlett Moore <email address hidden>  Fri, 31 May 2024 08:13:09 -0700