Bug 1214805 (CVE-2023-40184)

Summary: VUL-0: CVE-2023-40184: xrdp: restriction bypass via improper session handling
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/376777/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-40184:4.8:(AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2023-08-31 06:39:20 UTC 
CVE-2023-40184

xrdp is an open source remote desktop protocol (RDP) server. In versions prior
to 0.9.23 improper handling of session establishment errors allows bypassing
OS-level session restrictions. The `auth_start_session` function can return
non-zero (1) value on, e.g., PAM error which may result in in session
restrictions such as max concurrent sessions per user by PAM (ex
./etc/security/limits.conf) to be bypassed. Users (administrators) don't use
restrictions by PAM are not affected. This issue has been addressed in release
version 0.9.23. Users are advised to upgrade. There are no known workarounds for
this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40184
https://bugzilla.redhat.com/show_bug.cgi?id=2236306
https://www.cve.org/CVERecord?id=CVE-2023-40184
https://github.com/neutrinolabs/xrdp/blame/9bbb2ec68f390504c32f2062847aa3d821a0089a/sesman/sesexec/session.c#L571C5-L571C19
https://github.com/neutrinolabs/xrdp/commit/a111a0fdfe2421ef600e40708b5f0168594cfb23
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq
Comment 4 Maintenance Automation 2023-09-22 16:30:13 UTC 
SUSE-SU-2023:3735-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214805
CVE References: CVE-2023-40184
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xrdp-0.9.10-3.11.1
SUSE Linux Enterprise Server 12 SP5 (src): xrdp-0.9.10-3.11.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xrdp-0.9.10-3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Maintenance Automation 2023-09-27 20:30:54 UTC 
SUSE-SU-2023:3830-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214805
CVE References: CVE-2023-40184
Sources used:
openSUSE Leap 15.4 (src): xrdp-0.9.13.1-150200.4.24.1
openSUSE Leap 15.5 (src): xrdp-0.9.13.1-150200.4.24.1
Basesystem Module 15-SP4 (src): xrdp-0.9.13.1-150200.4.24.1
Basesystem Module 15-SP5 (src): xrdp-0.9.13.1-150200.4.24.1
SUSE Manager Proxy 4.2 (src): xrdp-0.9.13.1-150200.4.24.1
SUSE Manager Retail Branch Server 4.2 (src): xrdp-0.9.13.1-150200.4.24.1
SUSE Manager Server 4.2 (src): xrdp-0.9.13.1-150200.4.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-12-14 20:30:17 UTC 
SUSE-SU-2023:4873-1: An update that solves two vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1214805, 1215803, 1217759
CVE References: CVE-2023-40184, CVE-2023-42822
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xrdp-0.9.10-3.16.1
SUSE Linux Enterprise Server 12 SP5 (src): xrdp-0.9.10-3.16.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xrdp-0.9.10-3.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.