FreeBSD : kdeconnect -- packet manipulation can be exploited in a Denial of Service attack (c71ed065-0600-11eb-8758-e0d55e2a8bf9)

Medium Nessus Plugin ID 141149


VPR Score: 3.6


The remote FreeBSD host is missing a security-related update.


Albert Astals Cid reports :

KDE Project Security Advisory

Title: KDE Connect: packet manipulation can be exploited in a Denial of Service attack

Risk Rating: Important

CVE: CVE-2020-26164

Versions: kdeconnect <= 20.08.1

Author: Albert Vaca Cintora <[email protected]>

Date: 2 October 2020

Overview

An attacker on your local network could send maliciously crafted packets to other hosts running kdeconnect on the network, causing them to use large amounts of CPU, memory or network connections, which could be used in a Denial of Service attack within the network.


Computers that run kdeconnect are susceptible to DoS attacks from the local network.


We advise you to stop KDE Connect when on untrusted networks like those at airports or conferences.

Since kdeconnect is dbus activated, it is relatively hard to make sure it stays stopped, so the brute force approach is to uninstall the kdeconnect package from your system and then run

kquitapp5 kdeconnectd

Just install the package again once you're back in a trusted network.


KDE Connect 20.08.2 patches several code paths that could result in a DoS.

You can apply these patches on top of 20.08.1 :



Thanks to Matthias Gerstner and the openSUSE security team for reporting the issue.

Thanks to Aleix Pol, Nicolas Fella and Albert Vaca Cintora for the patches.


Update the affected package.


Plugin Details

Severity: Medium

ID: 141149

File Name: freebsd_pkg_c71ed065060011eb8758e0d55e2a8bf9.nasl

Version: 1.3

Type: local

Published: 2020/10/05

Updated: 2020/10/23

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 3.6

CVSS v2.0

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:kdeconnect-kde, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 2020/10/04

Vulnerability Publication Date: 2020/10/02

Reference Information

CVE: CVE-2020-26164