CVE-2024-36041: KDE Plasma Flaw Opens Door to Unauthorized System Access

The KDE development team has issued a critical security advisory warning users of a high-severity vulnerability (CVE-2024-36041) affecting the KSmserver component in the Plasma desktop environment. This flaw could allow unauthorized users on the same machine to gain access to the session manager, potentially enabling them to execute arbitrary code upon the next boot.

Image: KDE

Technical Breakdown of the Vulnerability

The vulnerability lies in the way KSmserver, KDE’s XSMP manager, handles connections via ICE. It incorrectly permits connections based solely on the host, granting access to all local connections. This loophole could be exploited by a malicious user on the same system to hijack the session manager and run unauthorized code when the victim user logs back in.

The KDE development team extends their gratitude to Fabian Vogt for identifying the vulnerability and contributing to the development of the patches.

Affected Versions and Mitigation

Users of Plasma 6 and Plasma 5 are both vulnerable to this flaw. To address the CVE-2024-36041 flaw, KDE has released updates and patches for both versions:

• Plasma 6: Update to plasma-workspace version 6.0.5.1 or apply the provided patches [1, 2].
• Plasma 5: Update to plasma-workspace version 5.27.11.1 or apply the provided patches [1, 2].

Additionally, ensure that the “iceauth” binary is installed to enforce proper authorization.

Prioritize Your Security – Update Now

KDE urges all users to update their Plasma installations immediately to protect themselves from potential attacks. This vulnerability is considered high severity, as it could lead to a complete compromise of a user’s system.