Fedora 24 : 1:xrdp (2017-05e32fe278)

critical Nessus Plugin ID 97500


Synopsis

The remote Fedora host is missing a security update.

Description

WARNING: This update comes with a slightly different syntax for the sesman.ini file, so if you edited that file by hand you may need to compare it against the .rpmnew file and merge any required changes by hand.

This release also creates three files in the /etc/xrdp directory if they do not already exist or are empty:

- rsakeys.ini

- cert.pem

- key.pem

Also note that in Fedora, the only backend that will really work is still Xvnc for now.

New features

- New xorgxrdp backend using existing Xorg with additional modules

- Improvements to X11rdp backend

- Support for IPv6 (disabled by default)

- Initial support for RemoteFX Codec (disabled by default)

- Support for TLS security layer (preferred over RDP layer if supported by the client)

- Support for disabling deprecated SSLv3 protocol and for selecting custom cipher suites in xrdp.ini

- Support for bidirectional fastpath (enabled in both directions by default)

- Support for clients that do not support drawing orders, such as the MS RDP client for Android and ChromeRDP (disabled by default)

- More configurable login screen

- Support for new virtual channels:

  - rdpdr: device redirection

  - rdpsnd: audio output

  - cliprdr: clipboard

  - xrdpvr: xrdp video redirection channel (can be used along with the NeutrinoRDP client)

- Support for disabling virtual channels globally or by session type

- Allow specifying the path for backends (Xorg, X11rdp, Xvnc)

- Added files for systemd support

- Multi-monitor support

- xrdp-chansrv now stores its logs in ${XDG_DATA_HOME}/xrdp

Security fixes

- The user's password could be recovered from the Xvnc password file

- X11 authentication was not used

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected 1:xrdp package.
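After applying the update, a practitioner will want to confirm that the TLS security layer described in the release notes is actually configured (SSLv3 excluded, a cipher list set) and that the key material the update drops into /etc/xrdp (rsakeys.ini, cert.pem, key.pem) exists, is non-empty and is not readable by other users. The shell script below is an added example, not part of the Fedora update notes or the Nessus plugin: it reads the [Globals] section of an xrdp.ini and reports weak settings, and checks the key files' permissions. The key names security_layer, ssl_protocols, tls_ciphers, certificate and key are assumed from the upstream 0.9-series xrdp.ini, GNU coreutils stat(1) is assumed, and the two sample configurations it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Fedora update or the Nessus plugin.
# Audits the TLS settings the xrdp 0.9 series introduced in xrdp.ini and the
# permissions of the key files the update creates under /etc/xrdp.
# Assumed: upstream 0.9-series key names (security_layer, ssl_protocols,
# tls_ciphers, certificate, key) and GNU coreutils stat(1).

# Print the value of KEY ($2) from the [Globals] section of FILE ($1); empty if unset.
xrdp_global() {
    awk -v k="$2" '
        /^\[/ { insec = ($0 == "[Globals]"); next }
        insec && ($0 ~ ("^" k "[ \t]*=")) { sub("^[^=]*=[ \t]*", ""); print; exit }
    ' "$1"
}

# Print "ok", or a space-separated list of findings, for one xrdp.ini.
audit_xrdp_ini() {
    findings=""
    layer=$(xrdp_global "$1" security_layer)
    case "$layer" in
        tls|negotiate) ;;                      # TLS offered; negotiate prefers it over RDP
        *) findings="$findings security_layer=${layer:-unset}" ;;
    esac
    protos=$(xrdp_global "$1" ssl_protocols)   # allow-list of protocol versions
    case "$protos" in
        *SSLv3*) findings="$findings sslv3-enabled" ;;
        "")      findings="$findings ssl_protocols-unset" ;;
    esac
    [ -n "$(xrdp_global "$1" tls_ciphers)" ] || findings="$findings tls_ciphers-unset"
    if [ -z "$findings" ]; then echo ok; else echo "${findings# }"; fi
}

# Print "ok" unless a file is missing, empty, or has any group/other permission bits.
check_key_perms() {
    findings=""
    for f in "$@"; do
        n=${f##*/}
        if [ ! -e "$f" ]; then findings="$findings $n:missing"; continue; fi
        [ -s "$f" ] || findings="$findings $n:empty"
        mode=$(stat -c %a "$f")                # e.g. 600; only the owner bits may be set
        case "$mode" in *00) ;; *) findings="$findings $n:mode-$mode" ;; esac
    done
    if [ -z "$findings" ]; then echo ok; else echo "${findings# }"; fi
}

# Write a constructed sample xrdp.ini ("weak" or "hardened") to PATH ($2).
write_sample_ini() {
    case "$1" in
    weak) cat > "$2" <<'EOF'
[Globals]
bitmap_cache=true
security_layer=rdp
ssl_protocols=SSLv3, TLSv1, TLSv1.1, TLSv1.2
certificate=
key=

[Xvnc]
name=Xvnc
EOF
    ;;
    hardened) cat > "$2" <<'EOF'
[Globals]
security_layer=negotiate
crypt_level=high
certificate=/etc/xrdp/cert.pem
key=/etc/xrdp/key.pem
ssl_protocols=TLSv1.2
tls_ciphers=HIGH:!aNULL:!MD5

[Xvnc]
name=Xvnc
EOF
    ;;
    esac
}

# Demo: audit both constructed samples, then the real key files if present.
demo() {
    d=$(mktemp -d)
    write_sample_ini weak "$d/weak.ini"
    write_sample_ini hardened "$d/hardened.ini"
    echo "weak:     $(audit_xrdp_ini "$d/weak.ini")"
    echo "hardened: $(audit_xrdp_ini "$d/hardened.ini")"
    rm -rf "$d"
    if [ -d /etc/xrdp ]; then
        echo "/etc/xrdp: $(check_key_perms /etc/xrdp/rsakeys.ini /etc/xrdp/cert.pem /etc/xrdp/key.pem)"
    fi
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh xrdp_audit.sh demo` to see the weak sample flagged (security_layer=rdp, sslv3-enabled, tls_ciphers-unset) and the hardened one reported ok, or call audit_xrdp_ini /etc/xrdp/xrdp.ini directly after the update. The permission check is deliberately strict: xrdp reads key.pem as root, so nothing but the owner needs access, and an empty cert.pem or key.pem is exactly the condition under which this update regenerates them.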

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2017-05e32fe278

Plugin Details

Severity: Critical

ID: 97500

File Name: fedora_2017-05e32fe278.nasl

Version: 3.4

Type: local

Agent: unix

Published: 3/3/2017

Updated: 1/11/2021

Supported Sensors: Nessus Agent, Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:1:xrdp, cpe:/o:fedoraproject:fedora:24

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 3/2/2017

Vulnerability Publication Date: 12/16/2016

Reference Information

CVE: CVE-2013-1430