CVE-2020-4044

Name
CVE-2020-4044
Description
The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.
NVD Severity
medium

References

Type | URI
Release Notes | https://github.com/neutrinolabs/xrdp/releases/tag/v0.9.13.1
Third Party Advisory | https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j9fv-6fwf-p3g4
Patch | https://github.com/neutrinolabs/xrdp/commit/0c791d073d0eb344ee7aaafd221513dc9226762c
SUSE | http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00036.html
DEBIAN | https://www.debian.org/security/2020/dsa-4737
MLIST | https://lists.debian.org/debian-lts-announce/2020/08/msg00015.html
SUSE | http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00037.html

Match rules

CPE URI | Source package | Min version | Max version
cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:* | xrdp | >= None | < 0.9.13.1

Vulnerable and fixed packages

Source package | Branch | Version | Maintainer | Status
xrdp | 3.10-main | 0.9.9-r0 | Alan Lacerda <alacerda@alpinelinux.org> | possibly vulnerable
xrdp | 3.11-main | 0.9.11-r1 | Alan Lacerda <alacerda@alpinelinux.org> | possibly vulnerable