The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-6469-1 advisory.

    Ashley Newson discovered that xrdp incorrectly handled memory when processing certain incoming     connections. An attacker could possibly use this issue to cause a denial of service or arbitrary code     execution.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for xrdp fixes the following issues :

  - Update to version 0.9.13.1

  + This is a security fix release that includes fixes for     the following local buffer overflow vulnerability     (bsc#1173580): CVE-2020-4044

This update was imported from the SUSE:SLE-15-SP2:Update update project.

xrdp-sesman service in xrdp can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.

For Debian 9 stretch, this problem has been fixed in version 0.9.1-9+deb9u4.

We recommend that you upgrade your xrdp packages.

For the detailed security status of xrdp please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xrdp

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xrdp fixes the following issues :

Update to version 0.9.13.1

  + This is a security fix release that includes fixes for     the following local buffer overflow vulnerability     (bsc#1173580): CVE-2020-4044

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ashley Newson discovered that the XRDP sessions manager was susceptible to denial of service. A local attacker can further take advantage of this flaw to impersonate the XRDP sessions manager and capture any user credentials that are submitted to XRDP, approve or reject arbitrary login credentials or to hijack existing sessions for xorgxrdp sessions.

This update for xrdp fixes the following issues :

Security fixes (bsc#1173580, CVE-2020-4044) :

  + Add patches :

  - xrdp-cve-2020-4044-fix-0.patch

  - xrdp-cve-2020-4044-fix-1.patch

  + Rebase SLE patch :

  - xrdp-fate318398-change-expired-password.patch

Update patch :

  + xrdp-Allow-sessions-with-32-bpp.patch.patch

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xrdp provides the following fix :

CVE-2020-4044: xrdp-sesman can be crashed remotely over port 3350 (bsc#1173580).

Fixed an issue where xrdp-sesman could not restart (bsc#1155952).

Fixed an issue where xrdp could not start due to an error in the service file use absolute path in ExecStart (bsc#1155789).

Fixed a PAM error after 2nd xrdp session after logout (bsc#1153471).

Fixed a crash in xrdp-sesman, caused by terminating and reconnecting an xrdp session (bsc#1152711).

Fixed a failure in RDP session recovery (bsc#1150584).

Fixed a process leak (bsc#1144379).

Let systemd handle the daemons, fixing daemon start failures.
(bsc#1138954, bsc#1144327)

Don't try to create .vnc directory if it already exists. (bsc#1157860)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xrdp fixes the following issues :

  - Security fixes (bsc#1173580, CVE-2020-4044) :

  + Add patches :

  - xrdp-cve-2020-4044-fix-0.patch

  - xrdp-cve-2020-4044-fix-1.patch

  + Rebase SLE patch :

  - xrdp-fate318398-change-expired-password.patch

This update was imported from the SUSE:SLE-15:Update update project.

This update for xrdp fixes the following issues :

Security fixes (bsc#1173580, CVE-2020-4044) :

  + Add patches :

  - xrdp-cve-2020-4044-fix-0.patch

  - xrdp-cve-2020-4044-fix-1.patch

  + Rebase SLE patch :

  - xrdp-fate318398-change-expired-password.patch

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This is a security fix release that includes fixes for the following local buffer overflow vulnerability.

  - CVE-2020-4044: Local users can perform a buffer overflow     attack against the xrdp-sesman service and then     impersonate it

This update is recommended for all xrdp users.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ashley Newson reports :

The xrdp-sesman service can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350.

ID	Name	Product	Family	Severity
184210	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS : xrdp vulnerability (USN-6469-1)	Nessus	Ubuntu Local Security Checks	high
139646	openSUSE Security Update : xrdp (openSUSE-2020-1200)	Nessus	SuSE Local Security Checks	high
139430	Debian DLA-2319-1 : xrdp security update	Nessus	Debian Local Security Checks	high
139403	SUSE SLED15 / SLES15 Security Update : xrdp (SUSE-SU-2020:2142-1)	Nessus	SuSE Local Security Checks	high
139211	Debian DSA-4737-1 : xrdp - security update	Nessus	Debian Local Security Checks	high
138832	SUSE SLES12 Security Update : xrdp (SUSE-SU-2020:1991-1)	Nessus	SuSE Local Security Checks	high
138758	SUSE SLES12 Security Update : xrdp (SUSE-SU-2020:1943-1)	Nessus	SuSE Local Security Checks	high
138757	openSUSE Security Update : xrdp (openSUSE-2020-999)	Nessus	SuSE Local Security Checks	high
138550	SUSE SLED15 / SLES15 Security Update : xrdp (SUSE-SU-2020:1933-1)	Nessus	SuSE Local Security Checks	high
138547	SUSE SLES12 Security Update : xrdp (SUSE-SU-2020:1918-1)	Nessus	SuSE Local Security Checks	high
138237	Fedora 31 : 1:xrdp (2020-9c26a458ae)	Nessus	Fedora Local Security Checks	high
138236	Fedora 32 : 1:xrdp (2020-9666e4c9cd)	Nessus	Fedora Local Security Checks	high
137930	FreeBSD : xrdp -- Local users can perform a buffer overflow attack against the xrdp-sesman service and then inpersonate it (2675f0db-baa5-11ea-aa12-80ee73419af3)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2020-4044

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high