Bug 32276 - xrdp new security issue CVE-2023-40184
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2023-09-11 16:14 CEST by Nicolas Salguero
Modified: 2023-09-26 02:42 CEST

See Also:
Source RPM: xrdp-0.9.21-1.mga9.src.rpm
CVE:
Status comment:



Description Nicolas Salguero 2023-09-11 16:14:06 CEST
Fedora has issued an advisory today (September 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SOT237TIHTHPX5YNIWLVNINOEYC7WMG2/

Mageia 8 and 9 are also affected.
Nicolas Salguero 2023-09-11 16:14:20 CEST

Whiteboard: (none) => MGA9TOO, MGA8TOO
Source RPM: (none) => xrdp-0.9.21-1.mga9.src.rpm
CC: (none) => nicolas.salguero

Comment 1 Lewis Smith 2023-09-12 20:57:37 CEST
The Fedora announcement indicates that the CVE is fixed by v0.9.23.

This pkg has no one maintainer, so assigning this update globally.

Assignee: bugsquad => pkg-bugs
Status comment: (none) => Looks to be fixed by xrdp v0.9.23

Comment 2 Nicolas Salguero 2023-09-14 14:03:56 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In versions prior to 0.9.23 improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return non-zero (1) value on, e.g., PAM error which may result in session restrictions such as max concurrent sessions per user by PAM (ex. /etc/security/limits.conf) to be bypassed. (CVE-2023-40184)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40184
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SOT237TIHTHPX5YNIWLVNINOEYC7WMG2/
========================

Updated packages in {8|9}/core/updates_testing:
========================
xrdp-0.9.23-1.mga{8|9}
xrdp-devel-0.9.23-1.mga{8|9}

from SRPM:
xrdp-0.9.23-1.mga{8|9}.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 9
Status comment: Looks to be fixed by xrdp v0.9.23 => (none)
Assignee: pkg-bugs => nicolas.salguero
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
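
The error-handling flaw described in the suggested advisory above, as an added C model that is not xrdp source and not part of the bug report. Only the name `auth_start_session` and its non-zero return on a PAM error come from the advisory; the session counter, the limit of one session, and the `session_start_*` and `sessions_granted` helpers are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed model, not xrdp source. Only the name auth_start_session and
 * its "returns 1 on PAM error" behaviour are taken from the advisory. */
#define MAX_SESSIONS_PER_USER 1   /* assumed limit standing in for a PAM restriction */
static int active_sessions = 0;   /* assumed per-user session counter */

/* Stand-in for PAM session setup: 0 on success, 1 when PAM refuses. */
static int auth_start_session(void)
{
    return (active_sessions >= MAX_SESSIONS_PER_USER) ? 1 : 0;
}

/* Flawed pattern: the non-zero result is never acted on, so the
 * session is created even though PAM refused it. */
int session_start_unchecked(void)
{
    auth_start_session();          /* return value dropped */
    active_sessions++;
    return 0;
}

/* Hardened pattern: fail closed on any non-zero return. */
int session_start_checked(void)
{
    if (auth_start_session() != 0)
        return 1;                  /* refuse the session */
    active_sessions++;
    return 0;
}

/* Hypothetical helper: try `attempts` logins, return how many were granted. */
int sessions_granted(int (*start)(void), int attempts)
{
    int granted = 0;
    active_sessions = 0;
    for (int i = 0; i < attempts; i++)
        if (start() == 0)
            granted++;
    return granted;
}

int main(void)
{
    printf("unchecked: %d of 3 granted\n", sessions_granted(session_start_unchecked, 3));
    printf("checked:   %d of 3 granted\n", sessions_granted(session_start_checked, 3));
    return 0;
}
```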

Nicolas Salguero 2023-09-18 09:22:40 CEST

Assignee: nicolas.salguero => qa-bugs

Comment 3 Herman Viaene 2023-09-19 16:20:35 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
Ref bug 31309 Comment 8 for testing:
On this laptop:
# systemctl start xrdp
# systemctl start xrdp-sesman.service
# systemctl status xrdp
● xrdp.service - xrdp daemon
     Loaded: loaded (/usr/lib/systemd/system/xrdp.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2023-09-19 16:06:11 CEST; 33s ago
       Docs: man:xrdp(8)
             man:xrdp.ini(5)
   Main PID: 19141 (xrdp)
      Tasks: 1 (limit: 4364)
     Memory: 1.0M
        CPU: 26ms
     CGroup: /system.slice/xrdp.service
             └─19141 /usr/sbin/xrdp --nodaemon

Sep 19 16:06:11 mach7.hviaene.thuis systemd[1]: Started xrdp daemon.
Sep 19 16:06:13 mach7.hviaene.thuis xrdp[19141]: [INFO ] starting xrdp with pid 19141
Sep 19 16:06:13 mach7.hviaene.thuis xrdp[19141]: [INFO ] address [0.0.0.0] port [3389] mode 1
Sep 19 16:06:13 mach7.hviaene.thuis xrdp[19141]: [INFO ] listening to port 3389 on 0.0.0.0
Sep 19 16:06:13 mach7.hviaene.thuis xrdp[19141]: [INFO ] xrdp_listen_pp done

Then opened port tcp/3389 in MCC
On desktop PC (which already had freerdp installed) entered the command:
xfreerdp /v:mach7 /u:<userid> /p:<passwd>

Then after allowing the certificate, the desktop opened and was able to open caja and browse the files of the user on the laptop.
Looks OK to me.

CC: (none) => herman.viaene
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

PC LX 2023-09-20 17:53:29 CEST

CC: (none) => mageia

Comment 4 Len Lawrence 2023-09-24 20:41:49 CEST
Mageia9, x86_64

Followed Herman's lead on this.  Checked that xrdp worked OK before updating - needed to install several things.

Updated via qarepo and ran the test again.
Two desktops side-by-side, sirius and antares.  Port 3389 open at both ends.  xrdp service restarted on one side.  On antares ran
$ xfreerdp /v:sirius /u:<user> /p:<password> /f
which brought up a fullscreen Plasma session with a user terminal.  Ran a local sirius calendar application from there.  It was very responsive.  Only thing to note was that the calendar background image looked washed out.
Could not figure out how to close down and not being familiar with Plasma hit the closedown button which actually closed down the remote host - oops.
Restarted everything and closed down the remote desktop window on antares by stopping the server on sirius.  That is a warning not to use fullscreen.
Anyway, it seems to be working on mga9.

Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
CC: (none) => tarazed25

Comment 5 Thomas Andrews 2023-09-26 02:42:10 CEST
Validating. Advisory in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

