CVE-2023-40184
Published: 30 August 2023
xrdp is an open source remote desktop protocol (RDP) server. In versions prior to 0.9.23, improper handling of session establishment errors allows OS-level session restrictions to be bypassed. The `auth_start_session` function can return a non-zero value (1) on, for example, a PAM error, which may result in session restrictions enforced by PAM, such as the maximum number of concurrent sessions per user (e.g. via /etc/security/limits.conf), being bypassed. Users (administrators) who do not use PAM restrictions are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue.
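The bug class behind this advisory is a discarded error result: the session-start step reports failure with a non-zero return, but the caller opens the session anyway, so a PAM refusal never takes effect. The following is an added, constructed illustration of that pattern beside its fixed form; it is not xrdp's code. The user table, the `MAX_SESSIONS_PER_USER` limit standing in for a `limits.conf` rule, and the `launch_session_*` helpers are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class described for CVE-2023-40184 (not
 * xrdp's own code): a session launcher that discards the non-zero result of the
 * authentication/session-start step, so a PAM refusal (here a simulated
 * per-user concurrent-session limit) never stops the session from being created.
 * All names, the user table and the limit value are hypothetical. */

#define MAX_USERS 8
#define MAX_SESSIONS_PER_USER 1   /* stands in for a limits.conf "maxlogins" rule */

struct user_entry {
    char name[32];
    int active;                   /* sessions currently open for this user */
};

static struct user_entry g_table[MAX_USERS];

void reset_table(void)
{
    memset(g_table, 0, sizeof g_table);
}

/* Find a user's row, allocating one if the user is new; NULL when the table is full. */
static struct user_entry *lookup(const char *user)
{
    for (int i = 0; i < MAX_USERS; i++) {
        if (g_table[i].name[0] == '\0') {
            snprintf(g_table[i].name, sizeof g_table[i].name, "%s", user);
            return &g_table[i];
        }
        if (strcmp(g_table[i].name, user) == 0)
            return &g_table[i];
    }
    return NULL;
}

int active_sessions(const char *user)
{
    struct user_entry *u = lookup(user);
    return u ? u->active : -1;
}

/* Stand-in for the PAM session-open stage. Returns 0 on success and 1 on error,
 * mirroring the advisory's description of auth_start_session returning 1 when
 * PAM rejects the login (for example because the session limit is reached). */
int auth_start_session(const char *user)
{
    struct user_entry *u = lookup(user);
    if (u == NULL)
        return 1;
    if (u->active >= MAX_SESSIONS_PER_USER)
        return 1;                 /* PAM refuses: limit already reached */
    return 0;
}

static void open_session(const char *user)
{
    struct user_entry *u = lookup(user);
    if (u != NULL)
        u->active++;
}

/* Vulnerable pattern: the result of the PAM stage is thrown away, so the
 * session is opened regardless of the refusal. Returns 1 if a session was opened. */
int launch_session_unchecked(const char *user)
{
    auth_start_session(user);     /* return value ignored */
    open_session(user);
    return 1;
}

/* Fixed pattern: a non-zero result aborts the launch before any session exists. */
int launch_session_checked(const char *user)
{
    if (auth_start_session(user) != 0)
        return 0;
    open_session(user);
    return 1;
}

struct outcome {
    int accepted;                 /* launches that reported success */
    int active;                   /* sessions open for the user afterwards */
};

/* Fresh table, two back-to-back launches for the same user, then the tally. */
struct outcome run_twice(int (*launch)(const char *), const char *user)
{
    struct outcome o = {0, 0};
    reset_table();
    o.accepted += launch(user);
    o.accepted += launch(user);
    o.active = active_sessions(user);
    return o;
}

int main(void)
{
    struct outcome bad = run_twice(launch_session_unchecked, "alice");
    struct outcome good = run_twice(launch_session_checked, "alice");
    printf("unchecked: %d accepted, %d active (limit %d)\n",
           bad.accepted, bad.active, MAX_SESSIONS_PER_USER);
    printf("checked:   %d accepted, %d active (limit %d)\n",
           good.accepted, good.active, MAX_SESSIONS_PER_USER);
    return 0;
}
```

With the limit set to one session, the unchecked launcher ends up with two open sessions for the same user, which is exactly the limit bypass the advisory describes; the checked launcher stops at one. When reviewing session brokers, the thing to look for is any call to the authentication or PAM stage whose return value is not tested before resources are allocated.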
Priority
Status
| Package | Release | Status |
|---|---|---|
| xrdp (Launchpad, Ubuntu, Debian) | bionic | Released (0.9.5-2ubuntu0.1~esm2), available with Ubuntu Pro |
| | focal | Released (0.9.12-1ubuntu0.1+esm1), available with Ubuntu Pro |
| | jammy | Released (0.9.17-2ubuntu2+esm1), available with Ubuntu Pro |
| | lunar | Ignored (end of life, was needs-triage) |
| | mantic | Needs triage |
| | noble | Needs triage |
| | trusty | Released (0.6.0-1ubuntu0.1+esm3), available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
| | upstream | Released (0.9.23) |
| | xenial | Released (0.6.1-2ubuntu0.3+esm3), available with Ubuntu Pro |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
References
- https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq
- https://github.com/neutrinolabs/xrdp/commit/25a1fab5b6c5ef2a8bb109232b765cb8b332ce5e
- https://github.com/neutrinolabs/xrdp/commit/a111a0fdfe2421ef600e40708b5f0168594cfb23
- https://github.com/neutrinolabs/xrdp/blame/9bbb2ec68f390504c32f2062847aa3d821a0089a/sesman/sesexec/session.c#L571C5-L571C19
- https://ubuntu.com/security/notices/USN-6474-1
- https://www.cve.org/CVERecord?id=CVE-2023-40184
- NVD
- Launchpad
- Debian