FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

xrdp -- Improper handling of session establishment errors allows bypassing OS-level session restrictions

Affected packages
xrdp < 0.9.23

Details

VuXML ID c9ff1150-5d63-11ee-bbae-1c61b4739ac9
Discovery 2023-08-30
Entry 2023-09-27

xrdp team reports:

In versions prior to 0.9.23, improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return a non-zero (1) value on, e.g., a PAM error, which may result in session restrictions such as max concurrent sessions per user by PAM (e.g. /etc/security/limits.conf) being bypassed. Users (administrators) who don't use restrictions by PAM are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue.
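
The defect class the advisory describes is a caller that discards the non-zero status of a session-start routine, so a PAM refusal (for example a maxlogins limit from limits.conf) never stops the session. The following C model is an added illustration, not xrdp's code: `auth_start_session_model`, `pam_open_session_sim`, the per-user cap and the user name are all constructed here, and the two callers show the ignored-status pattern beside the one that honours the return value.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model (not xrdp's code) of the failure pattern in the advisory:
 * a PAM-backed session start reports an error with a non-zero return, and the
 * caller either ignores or honours that status. */

#define MAX_SESSIONS_PER_USER 2  /* stands in for a limits.conf maxlogins rule */

struct user_state {
    char name[32];
    int open_sessions;
};

/* Simulated PAM session open enforcing a per-user concurrent-session cap.
 * Returns 0 on success, 1 on error (mirrors the advisory's "non-zero (1)"). */
static int pam_open_session_sim(struct user_state *u)
{
    if (u->open_sessions >= MAX_SESSIONS_PER_USER)
        return 1;               /* PAM refuses: limit reached */
    u->open_sessions++;
    return 0;
}

/* Model of auth_start_session: passes the PAM status back to the caller. */
static int auth_start_session_model(struct user_state *u)
{
    return pam_open_session_sim(u);
}

/* Vulnerable pattern: the status is discarded, so the session is established
 * even though PAM refused it. Returns 1 when a session was granted. */
int start_session_ignoring_status(struct user_state *u)
{
    auth_start_session_model(u);    /* return value dropped */
    return 1;                       /* session proceeds regardless */
}

/* Fixed pattern: any non-zero status aborts session establishment. */
int start_session_checking_status(struct user_state *u)
{
    if (auth_start_session_model(u) != 0)
        return 0;                   /* refused: restriction enforced */
    return 1;
}

/* Drive `attempts` login attempts for one constructed user through the given
 * caller and return how many sessions were granted. With the cap at 2, any
 * count above 2 is the bypass. */
int count_granted(int (*starter)(struct user_state *), int attempts)
{
    struct user_state u;
    int granted = 0;

    memset(&u, 0, sizeof(u));
    strncpy(u.name, "alice", sizeof(u.name) - 1);   /* constructed sample user */
    for (int i = 0; i < attempts; i++)
        granted += starter(&u);
    return granted;
}

int main(void)
{
    printf("ignoring status: %d of 5 sessions granted (cap %d)\n",
           count_granted(start_session_ignoring_status, 5), MAX_SESSIONS_PER_USER);
    printf("checking status: %d of 5 sessions granted (cap %d)\n",
           count_granted(start_session_checking_status, 5), MAX_SESSIONS_PER_USER);
    return 0;
}
```

The practical point for reviewers is that every status returned by an authentication or session-setup routine must gate the step that follows it; a compiler warning such as `-Wunused-result` on such functions (or marking them with `__attribute__((warn_unused_result))`) makes the ignored-status pattern visible at build time.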

References

CVE Name CVE-2023-40184
URL https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq
URL https://www.cve.org/CVERecord?id=CVE-2023-40184