CVE-2020-4044 : The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting ove

The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.

Published 2020-06-30 16:15:16

Updated 2020-08-14 21:15:14

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Overflow

Products affected by CVE-2020-4044

Neutrinolabs » Xrdp
Versions before (<) 0.9.13.1
cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-4044

EPSS FAQ

0.62%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 68 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-4044

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.6	MEDIUM	AV:L/AC:L/Au:N/C:P/I:P/A:P	3.9	6.4	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2020-4044

CWE-121 Stack-based Buffer Overflow

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Assigned by: security-advisories@github.com (Primary)

References for CVE-2020-4044

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00036.html

[security-announce] openSUSE-SU-2020:0999-1: important: Security update
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j9fv-6fwf-p3g4

Local users can perform a buffer overflow attack against the xrdp-sesman service and then impersonate it · Advisory · neutrinolabs/xrdp · GitHub
Third Party Advisory
https://github.com/neutrinolabs/xrdp/commit/0c791d073d0eb344ee7aaafd221513dc9226762c

Merge pull request from GHSA-j9fv-6fwf-p3g4 · neutrinolabs/xrdp@0c791d0 · GitHub
Patch;Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00037.html

[security-announce] openSUSE-SU-2020:1200-1: important: Security update
https://www.debian.org/security/2020/dsa-4737

Debian -- Security Information -- DSA-4737-1 xrdp
https://lists.debian.org/debian-lts-announce/2020/08/msg00015.html

[SECURITY] [DLA 2319-1] xrdp security update
https://github.com/neutrinolabs/xrdp/releases/tag/v0.9.13.1

Release xrdp v0.9.13.1 · neutrinolabs/xrdp · GitHub
Release Notes;Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-4044

Products affected by CVE-2020-4044

Exploit prediction scoring system (EPSS) score for CVE-2020-4044

CVSS scores for CVE-2020-4044

CWE ids for CVE-2020-4044

References for CVE-2020-4044