Critical Denial of Service bugs in Discover

Fabian Vogt fabian at ritter-vogt.de
Sun Feb 6 00:07:21 GMT 2022


Hi,

On Saturday, 5 February 2022, 22:16:28 CET, Ben Cooksley wrote:
> Hi all,
> 
> Over the past week or so Sysadmin has been dealing with an extremely high
> volume of traffic directed towards both download.kde.org and
> distribute.kde.org.
> 
> This traffic volume is curious in so far that it is directed at two paths
> specifically:
> - distribute.kde.org/khotnewstuff/fonts-providers.xml
> - download.kde.org/ocs/providers.xml
> 
> The first path is an "internal only" host which we were redirecting a
> legacy path to prior to the resource being relocated to cdn.kde.org. The
> second path has been legacy for numerous years now (more than 5) and is
> replaced by autoconfig.kde.org.
> It is of extreme concern that these paths are still in use - especially the
> ocs/providers.xml one.
> 
>...
> 
> This indicates that the bug lies solely within Plasma's Discover component
> - more precisely its updater.
> 
> Examining the origin of these requests has indicated that some clients are
> making requests to these paths well in excess of several times a minute
> with a number of IP addresses appearing more than 60 times in a 1 minute sized
> sample window.

FWICT, this is caused by plasma-discover-update, which is triggered by the
DiscoverNotifier service if automatic updates are enabled in kcm_updates,
updates are available and the system has been idle for >=15min.

// If the system is untouched for 1 hour, trigger the unattended update
using namespace std::chrono_literals;
KIdleTime::instance()->addIdleTimeout(int(std::chrono::milliseconds(15min).count()));

(I wonder whether there's a bug about calling addIdleTimeout more than once.
It will then invoke triggerUpdate multiple times after 15min of idle.)

The Discover KNS backend creates instances for all available knsrc files,
which on construction call KNSReviews::setProviderUrl with the URL defined in
those files, triggering the requests.

The first URL is used by kfontinst.knsrc from plasma-workspace:
ProvidersUrl=https://distribute.kde.org/khotnewstuff/fonts-providers.xml

The second URL is used by multiple knsrc files in my VM:
aurorae.knsrc:ProvidersUrl=https://download.kde.org/ocs/providers.xml
comic.knsrc:ProvidersUrl=https://download.kde.org/ocs/providers.xml
kwineffect.knsrc:ProvidersUrl=https://download.kde.org/ocs/providers.xml
kwinscripts.knsrc:ProvidersUrl=https://download.kde.org/ocs/providers.xml
kwinswitcher.knsrc:ProvidersUrl=https://download.kde.org/ocs/providers.xml
wallpaperplugin.knsrc:ProvidersUrl=https://download.kde.org/ocs/providers.xml

> Given that Sysadmin has raised issues with this component and its
> behaviour in the past, it appears that issues regarding the behaviour of
> the OCS componentry within Discover remain unresolved.
> 
> Due to the level of distress this is causing our systems, I am therefore
> left with no other option other than to direct the Plasma Discover
> developers to create and release without delay patches for all versions in
> support, as well as for all those currently present in any actively
> maintained distributions, that disable all OCS functionality in the
> Discover updater. Distributions are requested to treat these patches as
> security patches and to distribute them to users without delay.

Emergency workarounds for distributions might be to either not ship the KNS
backend by not building kns-backend.so or deleting it afterwards, or disabling
the discover notifier (/etc/xdg/autostart/org.kde.discover.notifier.desktop)
completely.

Cheers,
Fabian
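As an added example that is not part of the original message or of the Discover/KNewStuff code: a small audit script a distribution could run over its installed knsrc files to list the ones still pointing at the two legacy ProvidersUrl values named above. The knsrc directory, the [KNewStuff3] group name and the sample file contents are assumptions constructed for the demo.

```python
"""Audit *.knsrc files for the legacy KNewStuff provider URLs named in the thread."""
import configparser
import os
import tempfile

# The two legacy paths that were being hammered; both are superseded by autoconfig.kde.org.
LEGACY_PROVIDER_URLS = {
    "https://distribute.kde.org/khotnewstuff/fonts-providers.xml",
    "https://download.kde.org/ocs/providers.xml",
}


def providers_url(path):
    """Return ProvidersUrl from the file's [KNewStuff3] group (assumed group name), or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read(path, encoding="utf-8")
    return parser.get("KNewStuff3", "ProvidersUrl", fallback=None)


def audit_knsrc_dir(directory):
    """Map each *.knsrc file in `directory` that still uses a legacy URL to that URL."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".knsrc"):
            url = providers_url(os.path.join(directory, name))
            if url in LEGACY_PROVIDER_URLS:
                findings[name] = url
    return findings


# Constructed sample files (not copied from a real system); the third one uses a
# placeholder non-legacy URL so it must not be reported.
SAMPLE_FILES = {
    "kfontinst.knsrc": "[KNewStuff3]\nProvidersUrl=https://distribute.kde.org/khotnewstuff/fonts-providers.xml\nCategories=Fonts\n",
    "aurorae.knsrc": "[KNewStuff3]\nProvidersUrl=https://download.kde.org/ocs/providers.xml\n",
    "plasmoids.knsrc": "[KNewStuff3]\nProvidersUrl=https://example.org/PLACEHOLDER-providers.xml\n",
}


def demo():
    """Write the constructed samples to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_knsrc_dir(tmp)


if __name__ == "__main__":
    for name, url in demo().items():
        print(f"{name}: {url}")
```

On a real system, point audit_knsrc_dir at the directory where the distribution installs its knsrc files (for example /usr/share/knsrcfiles, an assumed location).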