Fedora 36 : xrdp (2022-08d2138578)

critical Nessus Plugin ID 169266

Language:

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 36 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-08d2138578 advisory.

Release notes for xrdp v0.9.21 (2022/12/10)

General announcements

- Running xrdp and xrdp-sesman on separate hosts is still supported by this release, but is now deprecated. This is not secure. A future v1.0 release will replace the TCP socket used between these processes with a Unix Domain Socket, and then cross-host running will not be possible.

Security fixes

This update is recommended for all xrdp users and provides following important security fixes:

- CVE-2022-23468
- CVE-2022-23477
- CVE-2022-23478
- CVE-2022-23479
- CVE-2022-23480
- CVE-2022-23481
- CVE-2022-23483
- CVE-2022-23482
- CVE-2022-23484
- CVE-2022-23493

These security issues are reported by Team BT5 (BoB 11th). We appreciate their great help with making and reviewing patches.
New features

- openSuSE Tumbleweed move to /usr/lib/pam.d is now supported in the installation scripts (#2413)
- VNC backend session now supports extra mouse buttons 6, 7 and 8 (#2426)

Bug fixes

- Passwords are no longer left on the heap in sesman (#1599 #2439)
- Set permissions on pcsc socket dir to owner only (#2454 #2460)

Internal changes

- CI updates to cope with github upgrades (#2395)

Changes for packagers or developers

Nothing this time.

Known issues

- On-the-fly resolution change requires the Microsoft Store version of Remote Desktop client but sometimes crashes on connect (#1869)
- xrdp's login dialog is not relocated at the center of the new resolution after on-the-fly resolution change happens (#1867)


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected 1:xrdp package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2022-08d2138578

Plugin Details

Severity: Critical

ID: 169266

File Name: fedora_2022-08d2138578.nasl

Version: 1.1

Type: local

Agent: unix

Published: 12/23/2022

Updated: 11/14/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-23484

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:xrdp, cpe:/o:fedoraproject:fedora:36

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/10/2022

Vulnerability Publication Date: 12/9/2022

Reference Information

CVE: CVE-2022-23468, CVE-2022-23477, CVE-2022-23478, CVE-2022-23479, CVE-2022-23480, CVE-2022-23481, CVE-2022-23482, CVE-2022-23483, CVE-2022-23484, CVE-2022-23493