Bug 26931

Summary: xrdp new security issue CVE-2020-4044
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: brtians1, geiger.david68210, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: xrdp-0.9.10-1.mga7.src.rpm CVE: CVE-2020-4044
Status comment:

Description David Walser 2020-07-10 20:46:22 CEST 
Fedora has issued an advisory on July 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7FYD6USHZXDI2EAZVGOVFMAE7ILP3SPL/

The issue is fixed upstream in 0.9.13.1:
https://github.com/neutrinolabs/xrdp/releases/tag/v0.9.13.1

The upstream advisory and commit that fixed the issue is linked from the CVE page:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4044
Comment 1 Lewis Smith 2020-07-16 21:32:30 CEST 
Assigning to DavidG as the recent maintainer of this SRPM.

Assignee: bugsquad => geiger.david68210

Comment 2 David Walser 2020-08-04 23:48:56 CEST 
Debian has issued an advisory for this on July 29:
https://www.debian.org/security/2020/dsa-4737
David Walser 2020-12-28 18:39:33 CET

Status comment: (none) => Patch available from upstream and Debian

Comment 3 David GEIGER 2021-01-06 08:22:52 CET 
Done for mga7!
Comment 4 David Walser 2021-01-06 16:03:25 CET 
Advisory:
========================

Updated xrdp packages fix security vulnerability:

Ashley Newson discovered that the XRDP sessions manager was susceptible to
denial of service. A local attacker can further take advantage of this flaw to
impersonate the XRDP sessions manager and capture any user credentials that are
submitted to XRDP, approve or reject arbitrary login credentials or to hijack
existing sessions for xorgxrdp sessions (CVE-2020-4044).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4044
https://www.debian.org/security/2020/dsa-4737
========================

Updated packages in core/updates_testing:
========================
xrdp-0.9.10-1.1.mga7
xrdp-devel-0.9.10-1.1.mga7

from xrdp-0.9.10-1.1.mga7.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
Status comment: Patch available from upstream and Debian => (none)

David Walser 2021-01-06 16:03:35 CET

Severity: normal => major

Comment 5 Brian Rockwell 2021-01-10 02:13:30 CET 
$ uname -r
5.7.19-desktop-3.mga7


The following 4 packages are going to be installed:

- tigervnc-server-1.10.1-1.2.mga7.x86_64
- vnc-server-common-1.0-8.mga7.noarch
- xrdp-0.9.10-1.1.mga7.x86_64
- xrdp-devel-0.9.10-1.1.mga7.x86_64

---

set up xrdp services under services

---

able to connect using remote desktop.  chose xvnc for renderer of gnome, it works fine.  

# ps -ef | grep rdp
root      2968     1  0 18:22 ?        00:00:00 /usr/sbin/xrdp-sesman --nodaemon
root      2969     1  0 18:22 ?        00:00:00 /usr/sbin/xrdp --nodaemon
root      5563  2969  2 19:04 ?        00:00:09 /usr/sbin/xrdp --nodaemon
root      5568  2968  0 19:05 ?        00:00:00 /usr/sbin/xrdp-sesman --nodaemon
brian     5583  5568  0 19:05 ?        00:00:00 /usr/sbin/xrdp-chansrv

Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1

Comment 6 Aurelien Oudelet 2021-01-10 18:01:07 CET 
Validating,
Advisory pushed to SVN.

Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2020-4044
CC: (none) => ouaurelien, sysadmin-bugs

Comment 7 Mageia Robot 2021-01-10 20:47:41 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0016.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED