| Package | xrdp |
|---|---|
| Version | 0.9.9-1+deb10u4 (buster) |
| Related CVEs | CVE-2024-39917 CVE-2023-42822 CVE-2023-40184 |
Three issues found in xrdp are addressed in this update. xrdp is an open source remote desktop protocol (RDP) server.
xrdp had a vulnerability that allows attackers to make an infinite number of login attempts. The maximum number of login attempts is supposed to be limited by the configuration parameter MaxLoginRetry in /etc/xrdp/sesman.ini. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts.
Access to the font glyphs in xrdp_painter.c is not bounds-checked. Since some of this data is controllable by the user, this can result in an out-of-bounds read within the xrdp executable. The vulnerability allows an out-of-bounds read within a potentially privileged process. On non-Debian platforms, xrdp tends to run as root. Potentially an out-of-bounds write can follow the out-of-bounds read. There is no denial-of-service impact, provided xrdp is running in forking mode.
Improper handling of session establishment errors allows bypassing OS-level session restrictions. The auth_start_session function can return a non-zero (1) value on, e.g., a PAM error, which may result in session restrictions such as the maximum number of concurrent sessions per user enforced by PAM (e.g. /etc/security/limits.conf) being bypassed. Users (administrators) who don't use PAM restrictions are not affected.
For Debian 10 buster, these problems have been fixed in version 0.9.9-1+deb10u4.
We recommend that you upgrade your xrdp packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.