CVE-2024-39917

2024-07-1216:15:04

Debian Security Bug Tracker

security-tracker.debian.org

xrdp

open source

rdp server

vulnerability

configuration parameter

maxloginretry

sesman.ini

unix

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.8

Confidence

Low

EPSS

0.001

Percentile

39.7%

JSON

xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter MaxLoginRetry in /etc/xrdp/sesman.ini. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts.

OSVersionArchitecturePackageVersionFilename
Debian12allxrdp<= 0.9.21.1-1xrdp_0.9.21.1-1_all.deb
Debian11allxrdp<= 0.9.21.1-1~deb11u1xrdp_0.9.21.1-1~deb11u1_all.deb
Debian999allxrdp< 0.10.1-1xrdp_0.10.1-1_all.deb
Debian13allxrdp<= 0.9.24-5xrdp_0.9.24-5_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	xrdp	<= 0.9.21.1-1	xrdp_0.9.21.1-1_all.deb
Debian	11	all	xrdp	<= 0.9.21.1-1~deb11u1	xrdp_0.9.21.1-1~deb11u1_all.deb
Debian	999	all	xrdp	< 0.10.1-1	xrdp_0.10.1-1_all.deb
Debian	13	all	xrdp	<= 0.9.24-5	xrdp_0.9.24-5_all.deb