CVE-2024-36041: ksmserver: Unauthorized users can access session manager

Bug #2067742 reported by Scarlett Gately Moore
Affects                      Status        Importance  Assigned to
plasma-workspace (Ubuntu)    Fix Released  High        Scarlett Gately Moore
  Focal                      Fix Released  High        Simon Quigley
  Jammy                      Fix Released  High        Simon Quigley
  Mantic                     Fix Released  High        Simon Quigley
  Noble                      Fix Released  High        Simon Quigley

Bug Description

[ Impact ]

On May 31, 2024, KDE published a security advisory for plasma-workspace: https://kde.org/info/security/advisory-20240531-1.txt

This was assigned CVE-2024-36041, and affects all stable versions of Kubuntu (and the Ubuntu Studio releases with KDE Plasma).

Overview from the advisory:
KSmserver, KDE's XSMP manager, incorrectly allows connections via ICE based purely on the host, allowing all local connections. This allows another user on the same machine to gain access to the session manager. A well crafted client could use the session restore feature to execute arbitrary code as the user on the next boot.

The fix for this is applying https://invent.kde.org/plasma/plasma-workspace/-/commit/da843d3fdb143ed44094c8e6246cfb8305f6f09f (iceauth is already installed by default).

[ Test Plan ]

Ensure your system is fully updated.

Confirm the vulnerability is present:
 1. Install build-essential and libice-dev (for use in the POC).
 2. Download the POC: `wget https://launchpadlibrarian.net/735809918/poc-CVE-2024-36041.c`
 3. Compile the POC: `gcc -o poc-CVE-2024-36041 ./poc-CVE-2024-36041.c -lICE`
 4. Run the POC with a path to the ICE socket belonging to the current user. For example: `./poc-CVE-2024-36041 local/:/tmp/.ICE-unix/1878`
 5. Observe the following output: "Authentication not needed, vulnerable!"

Install the updates from the security-proposed pocket:
 1. Add the PPA: `sudo add-apt-repository ppa:ubuntu-security-proposed/ppa`
 2. Install the updates for plasma-workspace from the PPA:
   Noble and Mantic: `sudo apt -y install plasma-workspace`
   Jammy: `sudo apt -y install plasma-workspace breeze kwin-x11 libksysguardformatter1`
   Focal: `sudo apt -y install plasma-workspace breeze kwin-x11`

Open Firefox.

Confirm session restore and logout work as intended, and that the vulnerability is fixed:
 1. Log out of the session and log back in. Confirm Firefox opens as expected.
 2. Run the POC again; the session manager now listens on a different socket, so the path changes. Example: `./poc-CVE-2024-36041 local/:/tmp/.ICE-unix/5920`
 3. Observe the following output: `None of the authentication protocols specified are supported. Connection failed! This probably means you're safe.`
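A defender-side check that complements the POC above: instead of connecting to the ICE socket, it compares the installed plasma-workspace version with the fixed versions this bug announces for each release. This is an added example, not part of the bug report or of the Ubuntu packaging. The version comparison is a re-implementation of dpkg's ordering rules (epoch, upstream version, Debian revision, with `~` sorting before everything), the FIXED_VERSIONS table is copied from the changelog entries on this page, and only the main() part assumes a Debian-based host with dpkg-query and /etc/os-release available.

```python
"""Check whether the installed plasma-workspace carries the CVE-2024-36041 fix.

Added example; not code from the bug report or the Ubuntu packages.
"""
import subprocess

# Fixed plasma-workspace versions per release, taken from this bug's changelog entries.
FIXED_VERSIONS = {
    "focal": "4:5.18.8-0ubuntu0.2",
    "jammy": "4:5.24.7-0ubuntu0.2",
    "mantic": "4:5.27.8-0ubuntu1.1",
    "noble": "4:5.27.11-0ubuntu4.1",
    "oracular": "4:5.27.11.1-0ubuntu1",
}


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    """Character weight used by dpkg: '~' sorts before everything, even end of string."""
    if c == "" or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-or-revision strings the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs are compared character by character via _order().
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs: leading zeros ignored, longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its parts; epoch and revision are optional."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no Debian revision at all
        upstream, revision = revision, ""
    return epoch, upstream, revision


def debian_version_cmp(v1, v2):
    """Return <0, 0 or >0, matching dpkg --compare-versions lt / eq / gt."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def is_fixed(codename, installed_version):
    """True if the installed version is at or past the fixed one; None for releases not in this bug."""
    fixed = FIXED_VERSIONS.get(codename)
    if fixed is None:
        return None
    return debian_version_cmp(installed_version, fixed) >= 0


def _host_codename():
    with open("/etc/os-release") as f:
        for line in f:
            if line.startswith("VERSION_CODENAME="):
                return line.split("=", 1)[1].strip().strip('"')
    return None


if __name__ == "__main__":
    # Host-specific part: assumes dpkg-query and /etc/os-release exist.
    codename = _host_codename()
    installed = subprocess.run(
        ["dpkg-query", "-W", "--showformat=${Version}", "plasma-workspace"],
        capture_output=True, text=True, check=True,
    ).stdout.strip()
    verdicts = {True: "fixed", False: "VULNERABLE, update needed", None: "release not covered here"}
    print(f"{codename}: plasma-workspace {installed} -> {verdicts[is_fixed(codename, installed)]}")
```

Run as a script it prints a verdict for the local host; is_fixed() can equally be fed codename/version pairs collected from a fleet inventory. The check reports what is installed, not what is running: the logout and login step in the test plan is what brings the patched ksmserver into service, so the test plan remains the authoritative confirmation.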

[ Where problems could occur ]

The iceauth binary being installed means we do not need https://invent.kde.org/plasma/plasma-workspace/-/commit/1d5aa1d27bff87b2d242ed759cfb2ce15a5c3de7 as well. Several bug reports have been filed regarding this:
 - https://bugzilla.redhat.com/show_bug.cgi?id=2290337
 - https://bugs.kde.org/show_bug.cgi?id=488187

The test case explicitly covers both of these bugs, to ensure they do not exist.


Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package plasma-workspace - 4:5.27.11.1-0ubuntu1

---------------
plasma-workspace (4:5.27.11.1-0ubuntu1) oracular; urgency=medium

  * New upstream release to fix CVE-2024-36041 Fix ksmserver:
  Unauthorized users can access session manager. Sru: (LP: #2067742)
  * Remove applied upstream patch.

 -- Scarlett Moore <email address hidden> Fri, 31 May 2024 08:13:09 -0700

Changed in plasma-workspace (Ubuntu):
status: New → Fix Released
summary: - SRu: CVE-2024-36041 Fix ksmserver: Unauthorized users can access session
- manager
+ [SRU] CVE-2024-36041 Fix ksmserver: Unauthorized users can access
+ session manager
Changed in plasma-workspace (Ubuntu Noble):
milestone: none → ubuntu-24.04.1
Timo Aaltonen (tjaalton) wrote : Proposed package upload rejected

An upload of plasma-workspace to noble-proposed has been rejected from the upload queue for the following reason: "include all bugs in .changes, maybe squash the changelog entries while at it".

Simon Quigley (tsimonq2) wrote : Re: [SRU] CVE-2024-36041 Fix ksmserver: Unauthorized users can access session manager
Changed in plasma-workspace (Ubuntu):
importance: Undecided → High
Changed in plasma-workspace (Ubuntu Focal):
importance: Undecided → High
Changed in plasma-workspace (Ubuntu Jammy):
importance: Undecided → High
Changed in plasma-workspace (Ubuntu Mantic):
importance: Undecided → High
Changed in plasma-workspace (Ubuntu Noble):
importance: Undecided → High
Changed in plasma-workspace (Ubuntu):
assignee: nobody → Scarlett Gately Moore (scarlettmoore)
Changed in plasma-workspace (Ubuntu Focal):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in plasma-workspace (Ubuntu Jammy):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in plasma-workspace (Ubuntu Mantic):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in plasma-workspace (Ubuntu Noble):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in plasma-workspace (Ubuntu Focal):
status: New → In Progress
Changed in plasma-workspace (Ubuntu Jammy):
status: New → In Progress
Changed in plasma-workspace (Ubuntu Mantic):
status: New → In Progress
Changed in plasma-workspace (Ubuntu Noble):
status: New → In Progress
Simon Quigley (tsimonq2) wrote :

Hi Security Sponsors!

Please see the attached debdiffs. The only one I had to modify was for Focal, simply because of code formatting.

Let me know if you have any questions (here or on IRC).

Thanks!

Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs, packages are building now!

Simon Quigley (tsimonq2) wrote (last edit ):

Proof of concept attached for testing purposes. Thanks Aaron Rainbolt!

To compile, ensure libice-dev is installed, then `gcc ./poc-CVE-2024-36041.c -lICE`

Marc Deslauriers (mdeslaur) wrote :

I have built packages in the security team proposed PPA for testing. Additional packages required no-change rebuilds in the -security pocket also. For Jammy, the additional packages are breeze, libksysguard, layer-shell-qt, kwin, kwayland-server. For Focal, the additional packages are kwin and breeze.

Please test the packages in the following PPA, and post test results here, and I'll publish them as security updates:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Thanks!

Simon Quigley (tsimonq2)
description: updated
summary: - [SRU] CVE-2024-36041 Fix ksmserver: Unauthorized users can access
- session manager
+ CVE-2024-36041: ksmserver: Unauthorized users can access session manager
Simon Quigley (tsimonq2)
description: updated
Simon Quigley (tsimonq2)
description: updated
Simon Quigley (tsimonq2) wrote :

Modified the test plan in the bug description to cover all our bases. Here are my results:
 - Successful on Noble with plasma-workspace 4:5.27.11-0ubuntu4.1.
 - Successful on Mantic with plasma-workspace 4:5.27.8-0ubuntu1.1.
 - Successful on Jammy with plasma-workspace 4:5.24.7-0ubuntu0.2 and the other rebuilt dependencies mentioned.
 - Successful on Focal with plasma-workspace 4:5.18.8-0ubuntu0.2 and the other rebuilt dependencies.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package plasma-workspace - 4:5.27.11-0ubuntu4.1

---------------
plasma-workspace (4:5.27.11-0ubuntu4.1) noble-security; urgency=medium

  * SECURITY UPDATE: ksmserver: Unauthorized users can access session manager
    (LP: #2067742)
    - debian/patches/CVE-2024-36041.patch: do not allow local connections
      without proper authentication.
    - CVE-2024-36041

 -- Simon Quigley <email address hidden> Mon, 17 Jun 2024 17:08:17 -0500

Changed in plasma-workspace (Ubuntu Noble):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package plasma-workspace - 4:5.18.8-0ubuntu0.2

---------------
plasma-workspace (4:5.18.8-0ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: ksmserver: Unauthorized users can access session manager
    (LP: #2067742)
    - debian/patches/CVE-2024-36041.patch: do not allow local connections
      without proper authentication.
    - CVE-2024-36041

 -- Simon Quigley <email address hidden> Mon, 17 Jun 2024 17:30:31 -0500

Changed in plasma-workspace (Ubuntu Focal):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package plasma-workspace - 4:5.27.8-0ubuntu1.1

---------------
plasma-workspace (4:5.27.8-0ubuntu1.1) mantic-security; urgency=medium

  * SECURITY UPDATE: ksmserver: Unauthorized users can access session manager
    (LP: #2067742)
    - debian/patches/CVE-2024-36041.patch: do not allow local connections
      without proper authentication.
    - CVE-2024-36041

 -- Simon Quigley <email address hidden> Mon, 17 Jun 2024 17:17:21 -0500

Changed in plasma-workspace (Ubuntu Mantic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package plasma-workspace - 4:5.24.7-0ubuntu0.2

---------------
plasma-workspace (4:5.24.7-0ubuntu0.2) jammy-security; urgency=medium

  * SECURITY UPDATE: ksmserver: Unauthorized users can access session manager
    (LP: #2067742)
    - debian/patches/CVE-2024-36041.patch: do not allow local connections
      without proper authentication.
    - CVE-2024-36041

 -- Simon Quigley <email address hidden> Mon, 17 Jun 2024 17:23:28 -0500

Changed in plasma-workspace (Ubuntu Jammy):
status: In Progress → Fix Released