KDE Frameworks KConfig Code Execution Vulnerability [CVE-2019-14744]

CVE number – CVE-2019-14744

A vulnerability in KDE Frameworks KConfig could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists because the libKF5ConfigCore.so code of the affected software does not properly handle .desktop and .directory files. An attacker could exploit this vulnerability by persuading a user to download a .desktop or .directory file that submits malicious input to the targeted system.

If the user opens the KDE file viewer to access the directory where these file is stored after they are downloaded, the attacker could execute arbitrary code on the system. 

Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available. 

KDE has confirmed the vulnerability and released software updates.

Analysis

• To exploit this vulnerability, an attacker may use misleading language or instructions to persuade a user to download a .desktop and .directory file that submits malicious input to the targeted system.

Safeguards

• Administrators are advised to apply the appropriate updates.
  
  Administrators are advised to allow only trusted users to have network access.
  
  Administrators are advised to use an unprivileged account when browsing the Internet.
  
  Administrators are advised to monitor critical systems.
  
  Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
  
  Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.

Vendor Announcements

• KDE has released a security advisory at the following link: CVE-2019-14744

Fixed Software

• KDE has released software updates at the following link: KConfig 5.61.0