- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4166-1
https://www.debian.org/lts/security/                          Abhijith PA
May 16, 2025                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : xrdp
Version        : 0.9.21.1-1~deb11u2
CVE ID         : CVE-2023-40184 CVE-2023-42822 CVE-2024-39917

Several vulnerabilities were discovered in xrdp, a Remote Desktop Protocol
(RDP) server.

CVE-2023-40184

    Improper handling of session establishment errors allows bypassing
    OS-level session restrictions. The `auth_start_session` function can
    return non-zero on a PAM error, which may result in session
    restrictions enforced by PAM, such as the maximum number of concurrent
    sessions per user, being bypassed.

CVE-2023-42822

    Access to the font glyphs in xrdp_painter.c is not bounds-checked.
    Since some of this data is controllable by the user, this can result in
    an out-of-bounds read within the xrdp executable, that is, within a
    potentially privileged process.

CVE-2024-39917

    A vulnerability that allows attackers to make an unlimited number of
    login attempts. The maximum number of login attempts is supposed to be
    limited by the configuration parameter `MaxLoginRetry` in
    `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively
    working, so xrdp allowed an unlimited number of login attempts.

For Debian 11 bullseye, these problems have been fixed in version
0.9.21.1-1~deb11u2.

We recommend that you upgrade your xrdp packages.
For the detailed security status of xrdp please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/source-package/xrdp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS

Severity: Critical (LinuxSecurity.com Team)