xrdp is an open-source Remote Desktop Protocol (RDP) server that provides remote access to Linux and Windows systems. It was discovered that versions prior to 0.9.23 contained a vulnerability that allowed an attacker to bypass OS-level session restrictions such as the maximum number of concurrent sessions per user. This blog post discusses the details of this vulnerability, shows a code snippet of the affected function, and provides links to original references for further context.

Exploit Details

The vulnerability, identified as CVE-2023-40184, exists due to improper handling of session establishment errors: the auth_start_session function can return a non-zero value (1) on a PAM error, and that error return was not handled as a failed session establishment. As a result, attackers can bypass session restrictions enforced by the Pluggable Authentication Module (PAM), such as the maximum number of concurrent sessions per user configured in files like /etc/security/limits.conf. Administrators who do not use restrictions set by PAM are not affected by this issue.

Here's a snippet of the affected code (prior to fixing the vulnerability):

/* Vulnerable version (xrdp before 0.9.23): the PAM failure is logged, but
 * the function returns 1, a value that was not handled as a session
 * establishment failure. */
int auth_start_session(AUTH_SESSION *session) {
  int error;

  /* conv is the PAM conversation structure defined elsewhere in sesman */
  error = pam_start("xrdp", session->username, &conv, &session->ph);
  if (error) {
    log_message(LOG_LEVEL_ERROR, "PAM: could not start PAM: %s",
                pam_strerror(session->ph, error));
    return 1;   /* non-zero on PAM error: the return value that was mishandled */
  }
  ...
}
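To make the failure mode concrete, here is an added example that is not xrdp's code: a minimal model in which a hypothetical sim_auth_start_session() returns 1 when PAM refuses the session (a constructed maxlogins limit stands in for pam_limits), beside two callers that differ only in whether they honour that non-zero return. The user struct, MAX_LOGINS and both caller functions are assumptions for the model, not xrdp identifiers.

```c
/* Added example, not xrdp code: model of the error-handling bug described
 * above. sim_auth_start_session() stands in for auth_start_session() and,
 * like it, returns 1 when the PAM stack rejects the session. */
#include <stdio.h>

#define MAX_LOGINS 2          /* constructed stand-in for a pam_limits maxlogins rule */

struct sim_user {
    const char *name;
    int active_sessions;      /* sessions PAM currently counts for this user */
};

/* Model of auth_start_session(): 0 on success, 1 if PAM rejects the session.
 * Only the non-zero return that the caller must handle is reproduced here. */
int sim_auth_start_session(struct sim_user *u)
{
    if (u->active_sessions >= MAX_LOGINS) {
        fprintf(stderr, "PAM: maxlogins reached for %s\n", u->name);
        return 1;
    }
    return 0;
}

/* Vulnerable pattern (hypothetical caller): the return value is ignored, so
 * the desktop session is started even after PAM said no.
 * Returns the number of sessions now running for the user. */
int start_session_unchecked(struct sim_user *u)
{
    sim_auth_start_session(u);
    u->active_sessions++;     /* launched regardless of PAM's answer */
    return u->active_sessions;
}

/* Hardened pattern: any non-zero value aborts session establishment.
 * Returns -1 when the session was refused, otherwise the new session count. */
int start_session_checked(struct sim_user *u)
{
    if (sim_auth_start_session(u) != 0)
        return -1;            /* refused: nothing launched */
    u->active_sessions++;
    return u->active_sessions;
}

int main(void)
{
    struct sim_user a = {"alice", MAX_LOGINS};   /* constructed: already at the limit */
    struct sim_user b = {"bob", MAX_LOGINS};
    printf("unchecked: %d sessions\n", start_session_unchecked(&a)); /* 3: limit bypassed */
    printf("checked:   %d\n", start_session_checked(&b));           /* -1: refused */
    return 0;
}
```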

The vulnerability has been addressed in release version 0.9.23. Users are strongly advised to update their xrdp installations to this version or later. There are no known workarounds for this issue.

Original References

Here are some links to original references to provide additional context and sources for the vulnerability:

- CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40184
- xrdp GitHub Repository: https://github.com/neutrinolabs/xrdp
- Neutrinolabs/xrdp v0.9.23 Release Notes: https://github.com/neutrinolabs/xrdp/releases/tag/v0.9.23

Conclusion

Administrators using xrdp for remote access should be aware of the CVE-2023-40184 vulnerability affecting versions prior to 0.9.23. By improperly handling session establishment errors, the software could allow attackers to bypass OS-level session restrictions. To mitigate this issue, affected users are recommended to upgrade their installations to xrdp version 0.9.23 or later.

For any questions, concerns, or to report any issues related to this vulnerability, you can reach out to the xrdp project through their GitHub repository and submit an issue ticket.

Timeline

Published on: 08/30/2023 18:15:00 UTC
Last modified on: 09/15/2023 22:15:00 UTC