Bug 26931 - xrdp new security issue CVE-2020-4044
Summary: xrdp new security issue CVE-2020-4044
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-07-10 20:46 CEST by David Walser
Modified: 2021-01-10 20:47 CET (History)
CC List: 4 users

See Also:
Source RPM: xrdp-0.9.10-1.mga7.src.rpm
CVE: CVE-2020-4044
Status comment:


Attachments

Description David Walser 2020-07-10 20:46:22 CEST
Fedora has issued an advisory on July 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7FYD6USHZXDI2EAZVGOVFMAE7ILP3SPL/

The issue is fixed upstream in 0.9.13.1:
https://github.com/neutrinolabs/xrdp/releases/tag/v0.9.13.1

The upstream advisory and the commit that fixed the issue are linked from the CVE page:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4044
Comment 1 Lewis Smith 2020-07-16 21:32:30 CEST
Assigning to DavidG as the recent maintainer of this SRPM.

Assignee: bugsquad => geiger.david68210

Comment 2 David Walser 2020-08-04 23:48:56 CEST
Debian has issued an advisory for this on July 29:
https://www.debian.org/security/2020/dsa-4737
David Walser 2020-12-28 18:39:33 CET

Status comment: (none) => Patch available from upstream and Debian

Comment 3 David GEIGER 2021-01-06 08:22:52 CET
Done for mga7!
Comment 4 David Walser 2021-01-06 16:03:25 CET
Advisory:
========================

Updated xrdp packages fix security vulnerability:

Ashley Newson discovered that the XRDP sessions manager was susceptible to
denial of service. A local attacker can further take advantage of this flaw to
impersonate the XRDP sessions manager and capture any user credentials that are
submitted to XRDP, approve or reject arbitrary login credentials or to hijack
existing sessions for xorgxrdp sessions (CVE-2020-4044).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4044
https://www.debian.org/security/2020/dsa-4737
========================

Updated packages in core/updates_testing:
========================
xrdp-0.9.10-1.1.mga7
xrdp-devel-0.9.10-1.1.mga7

from xrdp-0.9.10-1.1.mga7.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
Status comment: Patch available from upstream and Debian => (none)

David Walser 2021-01-06 16:03:35 CET

Severity: normal => major

Comment 5 Brian Rockwell 2021-01-10 02:13:30 CET
$ uname -r
5.7.19-desktop-3.mga7


The following 4 packages are going to be installed:

- tigervnc-server-1.10.1-1.2.mga7.x86_64
- vnc-server-common-1.0-8.mga7.noarch
- xrdp-0.9.10-1.1.mga7.x86_64
- xrdp-devel-0.9.10-1.1.mga7.x86_64

---

set up xrdp services under services

---

Able to connect using remote desktop. Chose Xvnc as the renderer for GNOME; it works fine.

# ps -ef | grep rdp
root      2968     1  0 18:22 ?        00:00:00 /usr/sbin/xrdp-sesman --nodaemon
root      2969     1  0 18:22 ?        00:00:00 /usr/sbin/xrdp --nodaemon
root      5563  2969  2 19:04 ?        00:00:09 /usr/sbin/xrdp --nodaemon
root      5568  2968  0 19:05 ?        00:00:00 /usr/sbin/xrdp-sesman --nodaemon
brian     5583  5568  0 19:05 ?        00:00:00 /usr/sbin/xrdp-chansrv

Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1
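
The QA step above checks the package by eye. As an added check, not part of this bug report or of Mageia's QA tooling, the following Python script decides whether an installed xrdp build is at or past the fixed Mageia 7 package (xrdp-0.9.10-1.1.mga7 from the advisory). It reimplements RPM's segment-wise version comparison (rpmvercmp) so it runs without librpm, then compares epoch, version and release in that order. The `installed_xrdp_evr()` helper and the sample EVR strings are assumptions for the example; the comparison is only meaningful against Mageia 7 packaging, since other distributions ship the fix under their own version numbers.

```python
"""Added example: is the installed xrdp at or past the CVE-2020-4044 fix for Mageia 7?

Reimplements rpm's rpmvercmp() in Python and applies it to epoch:version-release.
Sample inputs in the tests are constructed; nothing here is Mageia's own tooling.
"""
import shutil
import subprocess

FIXED_EVR = "0.9.10-1.1.mga7"  # from the advisory in this bug


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the semantics of rpm's lib/rpmvercmp.c.

    Separators are ignored, numeric segments compare as integers, alphabetic
    segments compare as strings, a numeric segment beats an alphabetic one at
    the same position, '~' sorts before anything (even end of string), and
    otherwise the string with segments left over is newer. The '^' rule of
    newer rpm releases is not implemented here (assumption: not needed).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators: anything that is neither alphanumeric nor '~'
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1   # b has '~' here, so b is older
            if not b_tilde:
                return -1  # a has '~' here, so a is older
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        ai, bj = i, j
        if isnum:
            while i < len(a) and a[i].isdigit():
                i += 1
            while j < len(b) and b[j].isdigit():
                j += 1
        else:
            while i < len(a) and a[i].isalpha():
                i += 1
            while j < len(b) and b[j].isalpha():
                j += 1
        sa, sb = a[ai:i], b[bj:j]
        if not sb:
            # segments of different types: the numeric one is newer
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str) -> tuple:
    """Split 'epoch:version-release'; epoch defaults to 0, release may be empty."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e in ("", "(none)") else int(e)
    if "-" in evr:
        version, release = evr.rsplit("-", 1)
    else:
        version, release = evr, ""
    return epoch, version, release


def evr_cmp(x: str, y: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    c = rpmvercmp(vx, vy)
    return c if c != 0 else rpmvercmp(rx, ry)


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True if the installed build is the fixed build or newer."""
    return evr_cmp(installed_evr, fixed_evr) >= 0


def installed_xrdp_evr():
    """Ask rpm for the installed xrdp EVR, or return None when rpm is absent."""
    if shutil.which("rpm") is None:
        return None
    proc = subprocess.run(
        ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}", "xrdp"],
        capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


if __name__ == "__main__":
    evr = installed_xrdp_evr()
    if evr is None:
        print("xrdp not installed or rpm unavailable")
    else:
        print(f"xrdp {evr}: {'fixed' if is_fixed(evr) else 'VULNERABLE'}")
```

Run it on the updated host from the QA step and it reports the package as fixed; on a host still at 0.9.10-1.mga7 it reports VULNERABLE, because the release segment "1" followed by a numeric "1" is newer than "1" followed by the alphabetic "mga".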

Comment 6 Aurelien Oudelet 2021-01-10 18:01:07 CET
Validating,
Advisory pushed to SVN.

Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2020-4044
CC: (none) => ouaurelien, sysadmin-bugs

Comment 7 Mageia Robot 2021-01-10 20:47:41 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0016.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

