CVE-2023-40184

30.08.2023, 18:15

xrdp is an open source remote desktop protocol (RDP) server. In versions prior to 0.9.23 improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return non-zero (1) value on, e.g., PAM error which may result in in session restrictions such as max concurrent sessions per user by PAM (ex ./etc/security/limits.conf) to be bypassed. Users (administrators) don't use restrictions by PAM are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	2.6 LOW	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 18%

Affected Products (NVD)

Vendor	Product	Version
neutrinolabs	xrdp	𝑥 < 0.9.23

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

xrdp

bookworm	no-dsa
bullseye	no-dsa
bullseye (security)	vulnerable
buster	no-dsa
sid	0.10.1-3 fixed
trixie	0.10.1-3 fixed

Ubuntu Releases

Ubuntu Product

Codename

xrdp

bionic	Fixed 0.9.5-2ubuntu0.1~esm2 released
focal	Fixed 0.9.12-1ubuntu0.1+esm1 released
jammy	Fixed 0.9.17-2ubuntu2+esm1 released
lunar	ignored
mantic	ignored
noble	needs-triage
oracular	not-affected
trusty	Fixed 0.6.0-1ubuntu0.1+esm3 released
xenial	Fixed 0.6.1-2ubuntu0.3+esm3 released

openSUSE / SLES Releases

openSUSE Product

Release

libpainter0

suse enterprise desktop 15 SP4	0.9.13.1-150200.4.24.1 fixed
suse enterprise desktop 15 SP5	0.9.13.1-150200.4.24.1 fixed
suse enterprise desktop 15 SP6	0.9.13.1-150600.13.3 fixed
suse enterprise desktop 15 SP7	0.9.13.1-150600.15.3.1 fixed
suse enterprise sap 15 SP4	0.9.13.1-150200.4.24.1 fixed
suse enterprise sap 15 SP5	0.9.13.1-150200.4.24.1 fixed
suse enterprise sap 15 SP6	0.9.13.1-150600.13.3 fixed
suse enterprise sap 15 SP7	0.9.13.1-150600.15.3.1 fixed
suse enterprise server 15 SP4	0.9.13.1-150200.4.24.1 fixed
suse enterprise server 15 SP5	0.9.13.1-150200.4.24.1 fixed
suse enterprise server 15 SP6	0.9.13.1-150600.13.3 fixed
suse enterprise server 15 SP7	0.9.13.1-150600.15.3.1 fixed

librfxencode0

suse enterprise desktop 15 SP4	0.9.13.1-150200.4.24.1 fixed
suse enterprise desktop 15 SP5	0.9.13.1-150200.4.24.1 fixed
suse enterprise desktop 15 SP6	0.9.13.1-150600.13.3 fixed
suse enterprise desktop 15 SP7	0.9.13.1-150600.15.3.1 fixed
suse enterprise sap 15 SP4	0.9.13.1-150200.4.24.1 fixed
suse enterprise sap 15 SP5	0.9.13.1-150200.4.24.1 fixed
suse enterprise sap 15 SP6	0.9.13.1-150600.13.3 fixed
suse enterprise sap 15 SP7	0.9.13.1-150600.15.3.1 fixed
suse enterprise server 15 SP4	0.9.13.1-150200.4.24.1 fixed
suse enterprise server 15 SP5	0.9.13.1-150200.4.24.1 fixed
suse enterprise server 15 SP6	0.9.13.1-150600.13.3 fixed
suse enterprise server 15 SP7	0.9.13.1-150600.15.3.1 fixed

xrdp

suse enterprise desktop 15 SP4	0.9.13.1-150200.4.24.1 fixed
suse enterprise desktop 15 SP5	0.9.13.1-150200.4.24.1 fixed
suse enterprise desktop 15 SP6	0.9.13.1-150600.13.3 fixed
suse enterprise desktop 15 SP7	0.9.13.1-150600.15.3.1 fixed
suse enterprise sap 15 SP4	0.9.13.1-150200.4.24.1 fixed
suse enterprise sap 15 SP5	0.9.13.1-150200.4.24.1 fixed
suse enterprise sap 15 SP6	0.9.13.1-150600.13.3 fixed
suse enterprise sap 15 SP7	0.9.13.1-150600.15.3.1 fixed
suse enterprise server 15 SP4	0.9.13.1-150200.4.24.1 fixed
suse enterprise server 15 SP5	0.9.13.1-150200.4.24.1 fixed
suse enterprise server 15 SP6	0.9.13.1-150600.13.3 fixed
suse enterprise server 15 SP7	0.9.13.1-150600.15.3.1 fixed

xrdp-devel

suse enterprise desktop 15 SP4	0.9.13.1-150200.4.24.1 fixed
suse enterprise desktop 15 SP5	0.9.13.1-150200.4.24.1 fixed
suse enterprise desktop 15 SP6	0.9.13.1-150600.13.3 fixed
suse enterprise desktop 15 SP7	0.9.13.1-150600.15.3.1 fixed
suse enterprise sap 15 SP4	0.9.13.1-150200.4.24.1 fixed
suse enterprise sap 15 SP5	0.9.13.1-150200.4.24.1 fixed
suse enterprise sap 15 SP6	0.9.13.1-150600.13.3 fixed
suse enterprise sap 15 SP7	0.9.13.1-150600.15.3.1 fixed
suse enterprise server 15 SP4	0.9.13.1-150200.4.24.1 fixed
suse enterprise server 15 SP5	0.9.13.1-150200.4.24.1 fixed
suse enterprise server 15 SP6	0.9.13.1-150600.13.3 fixed
suse enterprise server 15 SP7	0.9.13.1-150600.15.3.1 fixed

Common Weakness Enumeration

CWE-755 - Improper Handling of Exceptional Conditions
The software does not handle or incorrectly handles an exceptional condition.

References

https://github.com/neutrinolabs/xrdp/blame/9bbb2ec68f390504c32f2062847aa3d821a0089a/sesman/sesexec/session.c#L571C5-L571C19

https://github.com/neutrinolabs/xrdp/commit/a111a0fdfe2421ef600e40708b5f0168594cfb23

https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SOT237TIHTHPX5YNIWLVNINOEYC7WMG2/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5IXMQODV3OIJ7DRQBUQV7PUKNT7SH36/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/URO3FKTFBPNKFARAQBEJLI4MH6YS35P5/

https://github.com/neutrinolabs/xrdp/blame/9bbb2ec68f390504c32f2062847aa3d821a0089a/sesman/sesexec/session.c#L571C5-L571C19

https://github.com/neutrinolabs/xrdp/commit/a111a0fdfe2421ef600e40708b5f0168594cfb23

https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq

https://lists.debian.org/debian-lts-announce/2025/05/msg00018.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SOT237TIHTHPX5YNIWLVNINOEYC7WMG2/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5IXMQODV3OIJ7DRQBUQV7PUKNT7SH36/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/URO3FKTFBPNKFARAQBEJLI4MH6YS35P5/