Bug 1855191 (CVE-2020-4044) - CVE-2020-4044 xrdp: buffer overflow via malicious payloads
Summary: CVE-2020-4044 xrdp: buffer overflow via malicious payloads
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-4044
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1855192
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-07-09 08:01 UTC by Dhananjay Arunesh
Modified: 2020-07-10 12:12 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-10 12:12:14 UTC


Attachments (Terms of Use)

Description Dhananjay Arunesh 2020-07-09 08:01:41 UTC
The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.

References:
https://github.com/neutrinolabs/xrdp/commit/0c791d073d0eb344ee7aaafd221513dc9226762c
https://github.com/neutrinolabs/xrdp/releases/tag/v0.9.13.1
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j9fv-6fwf-p3g4

Comment 1 Dhananjay Arunesh 2020-07-09 08:02:11 UTC
Created xrdp tracking bugs for this issue:

Affects: epel-6 [bug 1855192]

Comment 2 Bojan Smojver 2020-07-10 12:12:14 UTC
This package is no longer maintained in EPEL 6. Please use EPEL 7 or better.


Note You need to log in before you can comment on or make changes to this bug.