Now publicly posted on KDE announce mailing list, so changing this bug to public
https://mail.kde.org/pipermail/kde-announce/2025-November/000476.html

** Summary changed:

- Device spoofing vulnerability in kdeconnect protocol
+ Impersonation of paired devices, bypassing authentication

** Information type changed from Private Security to Public Security

** Description changed:

- KDE developers appraised KDE packagers of a critical vulnerability in
- the kdeconnect protocol.

Version: 25.08.1-0ubuntu2
Release: Questing

A CVE ID has been reserved
https://www.cve.org/CVERecord?id=CVE-2025-66270
https://kde.org/info/security/advisory-20251128-1.txt

**** Advisory text ****

KDE Project Security Advisory
=============================

Title: KDE Connect: Impersonation of paired devices, bypassing authentication
Risk rating: Critical
CVE: CVE-2025-66270
Versions:
- - KDE Connect desktop >= 25.04 and < 25.12
- - KDE Connect iOS >= v0.5.2 and < 0.5.4
- - KDE Connect Android >= v1.33.0 and < 1.34.4
- - GSConnect >= 59 and < 68
- - Valent >= v1.0.0.alpha.47 and < v1.0.0.alpha.49
+ - KDE Connect desktop >= 25.04 and < 25.12
+ - KDE Connect iOS >= v0.5.2 and < 0.5.4
+ - KDE Connect Android >= v1.33.0 and < 1.34.4
+ - GSConnect >= 59 and < 68
+ - Valent >= v1.0.0.alpha.47 and < v1.0.0.alpha.49
Date: 28/11/2025

Overview
========

Versions of KDE Connect released after March 2025 implement version 8 of the KDE Connect protocol. In this version, the discovery of other devices with KDE Connect on your network involves an additional packet exchange between the two devices. While the first packet is used to determine if a device is paired or not, this additional packet is used to identify the device that is connecting.

The vulnerable implementations of KDE Connect were not checking that the device ID in the first packet and the device ID in the second packet were the same. This could be abused by first sending a device ID of an unpaired device which doesn't require authentication, followed by sending the device ID of a paired device in order to impersonate it.
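To make the missing check concrete, here is a small C++ model of the two-packet exchange, added for this page and not taken from KDE Connect, GSConnect or Valent; the Identity/Session/Receiver names, the `authenticated` flag and the `phone-paired` ID are assumptions of the example, and the `checkIdsMatch` switch selects between the vulnerable and the fixed behaviour.

```cpp
#include <set>
#include <string>

// Simplified model of the protocol-8 discovery exchange from the advisory:
// packet 1 decides whether the peer is a paired device (and so must
// authenticate), packet 2 identifies the connecting device. Names are
// this example's own assumptions, not KDE Connect's code.
struct Identity { std::string deviceId; };

struct Session {
    std::string announcedId;     // device ID taken from packet 1
    bool authRequired = false;   // packet 1 named an already paired device
    bool trusted = false;        // paired-device privileges granted
};

class Receiver {
public:
    Receiver(std::set<std::string> paired, bool checkIdsMatch)
        : paired_(paired), checkIdsMatch_(checkIdsMatch) {}
    // Packet 1: an unpaired ID needs no authentication, since the exchange is
    // expected to continue into a pairing request rather than a trusted link.
    Session onFirstPacket(const Identity& p) const {
        Session s;
        s.announcedId = p.deviceId;
        s.authRequired = paired_.count(p.deviceId) > 0;
        return s;
    }
    // Packet 2: returns true if the session becomes usable. With checkIdsMatch_
    // false (the vulnerable behaviour) the ID in packet 2 silently replaces the
    // one the authentication decision was based on; the fix rejects a mismatch.
    bool onSecondPacket(Session& s, const Identity& p, bool authenticated) const {
        if (checkIdsMatch_ && p.deviceId != s.announcedId) return false;
        if (s.authRequired && !authenticated) return false;
        s.trusted = paired_.count(p.deviceId) > 0;
        return true;
    }

private:
    std::set<std::string> paired_;
    bool checkIdsMatch_;
};

// Reports whether a peer that announced firstId in packet 1 and secondId in
// packet 2, without ever authenticating, ends up with paired-device privileges.
bool grantsTrustWithoutAuth(bool patched, const std::string& firstId,
                            const std::string& secondId) {
    Receiver r({"phone-paired"}, patched);  // constructed list of paired IDs
    Session s = r.onFirstPacket({firstId});
    return r.onSecondPacket(s, {secondId}, /*authenticated=*/false) && s.trusted;
}
```

The unpatched receiver hands out paired privileges whenever packet 2 names a paired ID after an unpaired packet 1; the patched one refuses as soon as the two IDs differ, and a consistent paired ID still has to authenticate.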
Impact
======

An attacker, by knowing the ID of a previously paired device, could impersonate it and connect with the privileges of that device, skipping the authentication.

Workaround
==========

Until you can upgrade to a non-vulnerable version, we advise you to stop KDE Connect when on untrusted networks like those on airports or conferences and/or unpair all devices from KDE Connect.

Solution
========

Update KDE Connect on all your devices to a non-vulnerable version. If a non-vulnerable version isn't yet available in your distribution channels, you can apply one of the following patches, depending on the KDE Connect implementation you use:

- KDE Connect desktop: https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e
- KDE Connect Android: https://invent.kde.org/network/kdeconnect-android/-/commit/675d2d24a1eb95d15d9e5bde2b7e2271d5ada6a9
- KDE Connect iOS: https://invent.kde.org/network/kdeconnect-ios/-/commit/6c003c22d04270cabc4b262d399c753d55cf9080
- GSConnect: https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/a38246deec0af50ae218cdc51db32cdd7eb145e3
- Valent: https://github.com/andyholmes/valent/commit/85f773124a67ed1add79e7465bb088ec667cccce

Credits
=======

Thanks to Florian Bauckholt for reporting this issue.

This is a coordinated advisory between KDE Connect, GSConnect and Valent.

**** end of advisory text ****

Developers do not have an easy test case, but very strongly advise that security updates with the following patch are applied:
https://invent.kde.org/network/kdeconnect-kde/-/commit/1d757349d0f517ef12c119565ffb1f79503fbcdf

The kdeconnect package in resolute has the patch applied. Given the upstream assessment of vulnerable versions, it appears that only questing will need an update in a stable series for kdeconnect.
Regarding the gnome-shell-extension-gsconnect in Ubuntu universe, the fix has already been applied in the new version 71 release in resolute, but requires an update in questing and plucky. I would be grateful if it can be advised to track this by adding the gnome extension as affected in this bug, or whether a separate bug is more appropriate.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2132107

Title:
  Impersonation of paired devices, bypassing authentication

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kdeconnect/+bug/2132107/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
