KDE Project Security Advisory: KDE Connect: packet manipulation can be exploited in a Denial of Service attack
Albert Astals Cid
aacid at kde.org
Fri Oct 2 12:02:26 BST 2020
KDE Project Security Advisory
Title: KDE Connect: packet manipulation can be exploited in a Denial of Service attack
Risk Rating: Important
Versions: kdeconnect <= 20.08.1
Author: Albert Vaca Cintora <albertvaka at gmail.com>
Date: 2 October 2020
An attacker on your local network could send maliciously crafted packets to other hosts running
kdeconnect on the network, causing them to use large amounts of CPU, memory or network
connections, which could be used in a Denial of Service attack within the network.
Computers that run kdeconnect are susceptible to DoS attacks from the local network.
We advise you to stop KDE Connect when on untrusted networks like those at airports or conferences.
Since kdeconnect is D-Bus activated, it is relatively hard to make sure it stays stopped, so the brute-force
approach is to uninstall the kdeconnect package from your system and then run
Just install the package again once you're back on a trusted network.
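As an added example (not part of the advisory), a POSIX shell check that tells you whether an installed kdeconnect falls in the affected range stated above (kdeconnect <= 20.08.1), so the stop-or-uninstall mitigation can be gated on it. The only assumption beyond the advisory is that kdeconnect-cli --version prints the version as its last word, as KDE command-line tools normally do.

```shell
#!/bin/sh
# Added example, not from the KDE advisory: is this kdeconnect version affected?

# Highest affected release and the fixed release, as named in the advisory.
KDECONNECT_LAST_AFFECTED="20.08.1"
KDECONNECT_FIXED="20.08.2"

# version_le A B: exit 0 when dotted version A <= B, comparing each field
# numerically (so 20.08.1 < 20.08.2 < 20.12.0). Leading zeros are dropped and
# distro suffixes such as "-1" are ignored; missing fields count as 0.
version_le() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
        ah=$(printf '%s' "$ah" | sed 's/^0*//; s/[^0-9].*$//'); ah=${ah:-0}
        bh=$(printf '%s' "$bh" | sed 's/^0*//; s/[^0-9].*$//'); bh=${bh:-0}
        [ "$ah" -lt "$bh" ] && return 0
        [ "$ah" -gt "$bh" ] && return 1
    done
    return 0
}

# kdeconnect_affected VERSION: exit 0 when VERSION <= 20.08.1, 1 otherwise.
kdeconnect_affected() {
    version_le "$1" "$KDECONNECT_LAST_AFFECTED"
}

# installed_kdeconnect_version: print the locally installed version, or fail
# if kdeconnect-cli is not present. Assumption: "--version" prints the
# version as the last word of its first line (e.g. "kdeconnect-cli 20.08.1").
installed_kdeconnect_version() {
    command -v kdeconnect-cli >/dev/null 2>&1 || return 1
    kdeconnect-cli --version 2>/dev/null | awk '{ print $NF; exit }'
}

# Run with "--check" to report on the local installation.
if [ "${1-}" = "--check" ]; then
    v=$(installed_kdeconnect_version) || { echo "kdeconnect-cli not found"; exit 2; }
    if kdeconnect_affected "$v"; then
        echo "kdeconnect $v is affected; stop it or upgrade to $KDECONNECT_FIXED"
    else
        echo "kdeconnect $v is not in the affected range"
    fi
fi
```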
KDE Connect 20.08.2 patches several code paths that could result in a DoS.
You can apply these patches on top of 20.08.1:
Thanks to Matthias Gerstner and the openSUSE security team for reporting the issue.
Thanks to Aleix Pol, Nicolas Fella and Albert Vaca Cintora for the patches.