CVE-2020-4044

NameCVE-2020-4044
DescriptionThe xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2319-1, DSA-4737-1
Debian Bugs964573

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xrdp (PTS)buster0.9.9-1+deb10u1fixed
buster (security)0.9.9-1+deb10u3fixed
bullseye (security), bullseye0.9.21.1-1~deb11u1fixed
bookworm0.9.21.1-1fixed
trixie0.9.24-3fixed
sid0.9.24-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xrdpsourcestretch0.9.1-9+deb9u4DLA-2319-1
xrdpsourcebuster0.9.9-1+deb10u1DSA-4737-1
xrdpsource(unstable)0.9.12-1.1964573

Notes

https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j9fv-6fwf-p3g4
Fixed by: https://github.com/neutrinolabs/xrdp/commit/e593f58a82bf79b556601ae08e9e25e366a662fb
Search for package or bug name: Reporting problems