CVE-2020-4044

Name: CVE-2020-4044
Description: The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.
Source: CVE (at NVD)
References: DLA-2319-1, DSA-4737-1
NVD severity: medium
Debian Bugs: 964573

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release              Version            Status
xrdp (PTS)       stretch              0.9.1-9+deb9u3     vulnerable
                 stretch (security)   0.9.1-9+deb9u4     fixed
                 buster               0.9.9-1            vulnerable
                 buster (security)    0.9.9-1+deb10u1    fixed
                 bullseye, sid        0.9.12-1.1         fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version      Urgency   Origin       Debian Bugs
xrdp      source   stretch      0.9.1-9+deb9u4               DLA-2319-1
xrdp      source   buster       0.9.9-1+deb10u1              DSA-4737-1
xrdp      source   (unstable)   0.9.12-1.1                                964573

Notes

https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j9fv-6fwf-p3g4
Fixed by: https://github.com/neutrinolabs/xrdp/commit/e593f58a82bf79b556601ae08e9e25e366a662fb
