CVE-2020-4044

Published: 30 June 2020

The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.

Priority

Cvss 3 Severity Score

7.8

Score breakdown

Status

Package	Release	Status
xrdp Launchpad, Ubuntu, Debian	bionic	Released (0.9.5-2ubuntu0.1~esm1) Available with Ubuntu Pro
	eoan	Ignored (end of life)
	focal	Released (0.9.12-1ubuntu0.1)
	groovy	Not vulnerable (0.9.12-1.1)
	hirsute	Not vulnerable (0.9.12-1.1)
	impish	Not vulnerable (0.9.12-1.1)
	jammy	Not vulnerable (0.9.12-1.1)
	kinetic	Not vulnerable (0.9.12-1.1)
	lunar	Not vulnerable (0.9.12-1.1)
	mantic	Not vulnerable (0.9.12-1.1)
	trusty	Released (0.6.0-1ubuntu0.1+esm2) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	upstream	Released (0.9.1-9+deb9u4, 0.9.9-1+deb10u1, 0.9.12-1.1)
	xenial	Released (0.6.1-2ubuntu0.3+esm2) Available with Ubuntu Pro

Severity score breakdown

Parameter	Value
Base score	7.8
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›