__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

                      SMB Password Disclosure
     [KDE Security Advisory: plain text password exposure]

December 10, 2004 18:00 GMT                               Number P-051
______________________________________________________________________________

PROBLEM:       KDE, a UNIX desktop environment, contains a vulnerability in
               various applications. When creating a link to a remote file
               from various applications including Konqueror, the resulting
               URL may contain the authentication credentials used to access
               that remote resource.

PLATFORM:      All KDE 3.2.x releases, KDE 3.3.0, KDE 3.3.1 and KDE 3.3.2.

DAMAGE:        A user may unknowingly disclose passwords for SMB shares as
               part of a URL.

SOLUTION:      Install the security patch.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. A remote attacker may gain unauthorized
ASSESSMENT:    access to the system.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-051.shtml
 ORIGINAL BULLETIN:  http://www.kde.org/info/security/advisory-20041209-1.txt
 ADDITIONAL LINK:    http://securitytracker.com/alerts/2004/Dec/1012471.html
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1171
______________________________________________________________________________

[***** Start KDE Security Advisory: plain text password exposure *****]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

KDE Security Advisory: plain text password exposure
Original Release Date: 2004-12-09
URL: http://www.kde.org/info/security/advisory-20041209-1.txt

0. References

   http://www.sec-consult.com/index.php?id=118

1. Systems affected:

   All KDE 3.2.x releases, KDE 3.3.0, KDE 3.3.1 and KDE 3.3.2.

2. Overview:

   Daniel Fabian notified the KDE security team about a possible privacy
   issue in KDE. When creating a link to a remote file from various
   applications including Konqueror, the resulting URL may contain the
   authentication credentials used to access that remote resource. This
   includes, but is not limited to, browsing SMB ("Samba") shares.

   Further investigation revealed unnecessary exposure of authentication
   credentials by the SMB ("Samba") protocol handler.

   The link reference file, which is a file with the extension ".desktop",
   is a plain text configuration file that is created with default access
   permissions; depending on the user's umask, this may include world read
   permission. Usually the URL saved in this .desktop file only contains
   the password if the user manually entered it this way. The SMB protocol
   handler, however, unnecessarily exposes authentication credentials by
   always including this information in the URL that it generates.

   The KDE team provides patches which unconditionally remove the password
   from the authentication credentials before creating the link reference
   file, and which fix the SMB protocol handler so that it no longer
   includes passwords in the URLs it generates. Authentication credentials
   can then be stored in KWallet instead.

3. Impact:

   A user may inadvertently expose passwords provided for SMB shares, or
   other passwords that were entered as part of a URL.

4. Solution:

   Users should verify that links to remote files do not contain password
   information by right-clicking the link, selecting the "Properties"
   option and then selecting the "URL" tab.

   The KDE 3.3.2 release already contains most of the fixes; the patch set
   to apply to KDE 3.3.2 is therefore smaller than for other KDE versions.

   Source code patches have been made available which fix these
   vulnerabilities. Contact your OS vendor / binary package provider for
   information about how to obtain updated binary packages.

5. Patch:

   Patches for KDE 3.3.1 are available from
   ftp://ftp.kde.org/pub/kde/security_patches :

   501852d12f82aebe7eb73ec5d96c9e6d  post-3.3.1-kdebase-smb.diff
   5b9c1738f2de3f00533e376eb64c7137  post-3.3.1-kdelibs-khtml.diff
   f287c900c637af2452c7a554f2df166f  post-3.3.1-kdelibs-kio.diff

   Patch for KDE 3.3.2 is available from
   ftp://ftp.kde.org/pub/kde/security_patches :

   d3658e90acec6ff140463ed2fd0e7736  post-3.3.2-kdelibs-kio.diff

   Patches for KDE 3.2.3 are available from
   ftp://ftp.kde.org/pub/kde/security_patches :

   d080d9acf4d2abc5f91ccec8fc463568  post-3.2.3-kdebase-smb.diff
   d79d1717b4bc0b3891bacaaf37deade0  post-3.2.3-kdelibs-khtml.diff
   94e76ec98cd58ce27cad8f886d241986  post-3.2.3-kdelibs-kio.diff

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBt618vsXr+iuy1UoRArYpAJ9WwYla1w0zwLZ5h5aC+loKcsYl2wCcCx0y
VXT0cntKNdpheNgZcKGYnug=
=bTjQ
-----END PGP SIGNATURE-----

[***** End KDE Security Advisory: plain text password exposure *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of KDE for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
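The verification step in section 4 of the KDE advisory above is manual, one link at a time. The following Python script is added here and is not part of the CIAC bulletin or of KDE's own code: it automates the same check over a directory of .desktop link files, flagging every URL= entry whose userinfo carries a password, noting when the file is readable by other users (the umask case from section 2), and showing how to rebuild the URL without the password, which is what the KDE patches do before the link file is written. The sample .desktop content, host name and credentials are constructed.

```python
import os
import stat
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a KDE link file as the unpatched SMB handler would write
# it: the password sits in the URL's userinfo. Host and credentials are made up.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Link
Name=reports
URL=smb://alice:s3cret@fileserver/reports/q4.xls
"""

def strip_password(url):
    """Return the URL with any password removed from its userinfo, keeping user
    name and host, which is what the KDE patches do before writing the link."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    netloc = f"{user}@{hostport}" if user else hostport
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def audit_desktop_text(text, mode):
    """Return findings for one .desktop file body; `mode` is its st_mode bits.
    Each URL= line carrying a password is reported, with a note when the file
    is readable by other users (the umask case described in the advisory)."""
    findings = []
    for line in text.splitlines():
        if line.startswith("URL="):
            parts = urlsplit(line[4:].strip())
            if parts.password is not None:
                note = f"password embedded in URL for host {parts.hostname}"
                if mode & stat.S_IROTH:
                    note += " (file is world-readable)"
                findings.append(note)
    return findings

if __name__ == "__main__":
    # Usage: python audit_links.py DIR...  (e.g. the user's Desktop directory)
    for root_dir in sys.argv[1:]:
        for root, _dirs, files in os.walk(root_dir):
            for path in (os.path.join(root, n) for n in files if n.endswith(".desktop")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    body = fh.read()
                for note in audit_desktop_text(body, os.stat(path).st_mode):
                    print(f"{path}: {note}")
```

Only the key form `URL=` is matched; localised variants such as `URL[xx]=` would need the same treatment.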
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-041: F-Secure Zip Archive Bypasses Scanning
P-042: Sudo Missing Input Sanitising
P-043: "cyrus-imapd" Buffer Overflow
P-044: Samba - Arbitrary File Access Vulnerability
P-045: Sun Security Vulnerability in Ping(1M)
P-046: Microsoft Cumulative Security Update for Internet Explorer (889293)
P-047: Red Hat Updated Kernel Packages
P-048: HP Ignite-UX Vulnerability
P-049: Apple Security Update 2004-12-02
P-050: "in.rwhod" Daemon Vulnerability