CVE-2020-4044
Published: 2020-06-30
Priority: P345 · Severity: high, 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.40% (82.0th percentile)
The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.
Two points the description leaves implicit. The vector is AV:L/PR:L: sesman listens on TCP 3350 for the xrdp daemon's own connections on the same host (127.0.0.1 by default), so the precondition is an unprivileged local account, or code execution as one, not network reachability of the RDP port. And the impact is more than credential capture: xrdp trusts sesman's reply to decide whether a login succeeded, so an imposter sesman both reads every username and password submitted through RDP and chooses which logins are accepted, which is how the xorgxrdp session hijack arises. The buffer overflow itself is only reported as a crash; the code-execution risk is stated as a possibility, not a demonstrated result.
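Two host-side checks that follow from the description, as an added example that is not code from the xrdp project or from any of the advisories quoted on this page. It assumes the upstream fix version 0.9.13.1 given above, that sesman listens on TCP 3350 and in a stock deployment runs as root (so a LISTEN socket on 3350 owned by a non-root uid is the footprint of the imposter service), and the standard column layout of /proc/net/tcp; the sample /proc/net/tcp lines are constructed for the example. The version check deliberately ignores the distro revision and is only a statement about the upstream number: Debian fixed this CVE in 0.9.12-1.1 by backport, so a package version alone cannot prove a host is vulnerable.

```python
"""Checks for CVE-2020-4044: unpatched upstream xrdp version, and a
non-root process squatting on sesman's port 3350 (imposter sesman).
Added example; assumptions are noted in the comments."""
import re

FIXED_UPSTREAM = (0, 9, 13, 1)   # from the advisory: fixed in 0.9.13.1
SESMAN_PORT = 3350               # sesman's listening port (advisory)
LISTEN_STATE = "0A"              # TCP_LISTEN in /proc/net/tcp


def parse_version(s):
    """'0.9.12-1.1' -> (0, 9, 12): upstream part only, distro revision
    dropped. Distro packages may carry a backported fix under an older
    upstream number, so the result only means 'upstream version'."""
    upstream = s.split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", upstream))


def upstream_version_vulnerable(s):
    """True when the upstream version is below 0.9.13.1 (0.9.13 counts
    as vulnerable: the fix shipped in the .1 point release)."""
    v = parse_version(s)
    width = max(len(v), len(FIXED_UPSTREAM))
    v = v + (0,) * (width - len(v))
    fixed = FIXED_UPSTREAM + (0,) * (width - len(FIXED_UPSTREAM))
    return v < fixed


def hex_to_ipv4(h):
    """/proc/net/tcp stores IPv4 little-endian: '0100007F' -> '127.0.0.1'."""
    return ".".join(str(b) for b in bytes.fromhex(h)[::-1])


def suspicious_3350_listeners(proc_net_tcp_text, expected_uid=0):
    """Return (local_ip, uid, inode) for every LISTEN socket on port 3350
    whose owner is not expected_uid. Assumption: legitimate sesman runs
    as root (uid 0); a deployment that drops privileges should pass its
    real uid. Columns: sl local rem st tx:rx tr:tm retrnsmt uid timeout inode."""
    findings = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip header row
        cols = line.split()
        if len(cols) < 10:
            continue
        local, state, uid, inode = cols[1], cols[3], int(cols[7]), cols[9]
        ip_hex, port_hex = local.split(":")
        if state != LISTEN_STATE or int(port_hex, 16) != SESMAN_PORT:
            continue
        if uid != expected_uid:
            findings.append((hex_to_ipv4(ip_hex), uid, inode))
    return findings


# Constructed sample: uid 1000 owns the 3350 listener (imposter), while
# sshd (22) and xrdp (3389) are root-owned as expected.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0D16 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41337 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20011 1 0000000000000000 100 0 0 10 0
   2: 00000000:0D3D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20455 1 0000000000000000 100 0 0 10 0
"""


def main():
    for v in ("0.9.12", "0.9.12-1.1", "0.9.13", "0.9.13.1", "0.9.14"):
        print(f"{v:12s} upstream vulnerable: {upstream_version_vulnerable(v)}")
    for ip, uid, inode in suspicious_3350_listeners(SAMPLE_PROC_NET_TCP):
        print(f"non-root LISTEN on {ip}:{SESMAN_PORT} uid={uid} inode={inode}")


if __name__ == "__main__":
    main()
```

On a live host, read `/proc/net/tcp` (and `/proc/net/tcp6`) instead of the sample text and resolve the inode to a pid via `/proc/*/fd` if you want the process name. Note what this does not catch: the window after step one of the attack, when sesman has crashed and nothing listens on 3350 yet. A unit-restart or crash alert for xrdp-sesman covers that part.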
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | xrdp | < xrdp 0.9.12-1.1 (bookworm) | xrdp 0.9.12-1.1 (bookworm) |
| neutrinolabs | xrdp | < 0.9.13.1 | 0.9.13.1 |
| neutrinolabs (as listed; actually a Debian package range) | xrdp | >= 0 < 0.9.12-1.1 | 0.9.12-1.1 |
The last range appears four times in the source data with identical values. 0.9.12-1.1 is a Debian package revision carrying a backported fix, not an upstream release (the Debian tracker entry below lists it for bullseye, bookworm, forky and sid); the only upstream fixed version is 0.9.13.1.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 7.8 | HIGH | |
| vendor_redhat | | 9.6 | CRITICAL | |
| vendor_debian | | 7.5 | HIGH | |
Palo Alto
PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-09-04·CVSS 6.0
CVE-2022-22965 [MEDIUM] PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2010-1622, CVE-2015-7552, CVE-2018-16840, CVE-2019-7639, CVE-2020-17049, CVE-2020-7774, CVE-2021-0131, CVE-2021-0132, CVE-2021-0133, CVE-2021-0134, CVE-2021-4044, CVE-2021-4160, CVE-2021-41773, CVE-2022-1343, CVE-2022-21449, CVE-2022-2274, CVE-2022-22963, CVE-2022-22965, CVE-2022-24697, CVE-2022-32207, CVE-2022-3358, CVE-2022-3996, CVE-2022-40664, CVE-2022-44792, CVE-2022-44793, CVE-2023-1255, CVE-2023-22809, CVE-2023-23919, CVE-2023-3341, CVE-2023-4236, CVE-2023-4863, CVE-2023-51767
Affected products: PAN-OS
Ubuntu
xrdp vulnerability
vendor_ubuntu·2023-11-02
CVE-2020-4044 xrdp vulnerability
Title: xrdp vulnerability
Summary: xrdp could be made to crash or run programs if it received specially crafted network traffic.
Ashley Newson discovered that xrdp incorrectly handled memory when processing certain incoming connections. An attacker could possibly use this issue to cause a denial of service or arbitrary code execution.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
chromium-browser: Type Confusion in Blink
vendor_redhat·2020-05-05·CVSS 8.8
CVE-2020-6464 [HIGH] CWE-843 chromium-browser: Type Confusion in Blink
chromium-browser: Type Confusion in Blink
Type confusion in Blink in Google Chrome prior to 81.0.4044.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
A type confusion flaw was reported in the Blink component of the Chromium browser.
Red Hat
chromium-browser: Use after free in task scheduling
vendor_redhat·2020-04-27·CVSS 9.6
CVE-2020-6462 [CRITICAL] CWE-416 chromium-browser: Use after free in task scheduling
chromium-browser: Use after free in task scheduling
Use after free in task scheduling in Google Chrome prior to 81.0.4044.129 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
A flaw was found in the Chromium browser. The task scheduling component was found to have a use-after-free memory flaw. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Red Hat
chromium-browser: Use after free in storage
vendor_redhat·2020-04-27·CVSS 9.6
CVE-2020-6461 [CRITICAL] CWE-416 chromium-browser: Use after free in storage
chromium-browser: Use after free in storage
Use after free in storage in Google Chrome prior to 81.0.4044.129 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
Red Hat
chromium-browser: Use after free in payments
vendor_redhat·2020-04-21·CVSS 8.8
CVE-2020-6459 [HIGH] chromium-browser: Use after free in payments
chromium-browser: Use after free in payments
Use after free in payments in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Red Hat
chromium-browser: Insufficient data validation in URL formatting
vendor_redhat·2020-04-21·CVSS 6.5
CVE-2020-6460 [MEDIUM] chromium-browser: Insufficient data validation in URL formatting
chromium-browser: Insufficient data validation in URL formatting
Insufficient data validation in URL formatting in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to perform domain spoofing via a crafted domain name.
Red Hat
chromium-browser: Use after free in ANGLE
vendor_redhat·2020-04-21·CVSS 8.8
CVE-2020-6463 [HIGH] CWE-416 chromium-browser: Use after free in ANGLE
chromium-browser: Use after free in ANGLE
Use after free in ANGLE in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Package: firefox (Red Hat Enterprise Linux 5) - Out of support scope
Package: thunderbird (Red Hat Enterprise Linux 5) - Out of support scope
Red Hat
chromium-browser: Out of bounds read and write in PDFium
vendor_redhat·2020-04-21·CVSS 8.8
CVE-2020-6458 [HIGH] chromium-browser: Out of bounds read and write in PDFium
chromium-browser: Out of bounds read and write in PDFium
Out of bounds read and write in PDFium in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
Red Hat
chromium-browser: Use after free in speech recognizer
vendor_redhat·2020-04-15·CVSS 9.6
CVE-2020-6457 [CRITICAL] chromium-browser: Use after free in speech recognizer
chromium-browser: Use after free in speech recognizer
Use after free in speech recognizer in Google Chrome prior to 81.0.4044.113 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
Red Hat
chromium-browser: Use after free in devtools
vendor_redhat·2020-04-07·CVSS 8.8
CVE-2020-6434 [HIGH] chromium-browser: Use after free in devtools
chromium-browser: Use after free in devtools
Use after free in devtools in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Red Hat
chromium-browser: Insufficient validation of untrusted input in clipboard
vendor_redhat·2020-04-07·CVSS 6.5
CVE-2020-6456 [MEDIUM] chromium-browser: Insufficient validation of untrusted input in clipboard
chromium-browser: Insufficient validation of untrusted input in clipboard
Insufficient validation of untrusted input in clipboard in Google Chrome prior to 81.0.4044.92 allowed a local attacker to bypass site isolation via crafted clipboard contents.
Red Hat
chromium-browser: Insufficient policy enforcement in extensions
vendor_redhat·2020-04-07·CVSS 4.3
CVE-2020-6435 [MEDIUM] chromium-browser: Insufficient policy enforcement in extensions
chromium-browser: Insufficient policy enforcement in extensions
Insufficient policy enforcement in extensions in Google Chrome prior to 81.0.4044.92 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page.
Red Hat
chromium-browser: Out of bounds read in WebSQL
vendor_redhat·2020-04-07·CVSS 8.8
CVE-2020-6455 [HIGH] chromium-browser: Out of bounds read in WebSQL
chromium-browser: Out of bounds read in WebSQL
Out of bounds read in WebSQL in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Red Hat
chromium-browser: Insufficient policy enforcement in navigations
vendor_redhat·2020-04-07·CVSS 8.8
CVE-2020-6439 [HIGH] chromium-browser: Insufficient policy enforcement in navigations
chromium-browser: Insufficient policy enforcement in navigations
Insufficient policy enforcement in navigations in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass security UI via a crafted HTML page.
Red Hat
chromium-browser: Use after free in audio
vendor_redhat·2020-04-07·CVSS 8.8
CVE-2020-6423 [HIGH] chromium-browser: Use after free in audio
chromium-browser: Use after free in audio
Use after free in audio in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Red Hat
chromium-browser: Use after free in V8
vendor_redhat·2020-04-07·CVSS 8.8
CVE-2020-6448 [HIGH] chromium-browser: Use after free in V8
chromium-browser: Use after free in V8
Use after free in V8 in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Red Hat
chromium-browser: Inappropriate implementation in WebView
vendor_redhat·2020-04-07·CVSS 4.3
CVE-2020-6437 [MEDIUM] chromium-browser: Inappropriate implementation in WebView
chromium-browser: Inappropriate implementation in WebView
Inappropriate implementation in WebView in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to spoof security UI via a crafted application.
Red Hat
chromium-browser: Insufficient data validation in developer tools
vendor_redhat·2020-04-07·CVSS 8.8
CVE-2020-6443 [HIGH] chromium-browser: Insufficient data validation in developer tools
chromium-browser: Insufficient data validation in developer tools
Insufficient data validation in developer tools in Google Chrome prior to 81.0.4044.92 allowed a remote attacker who had convinced the user to use devtools to execute arbitrary code via a crafted HTML page.
Red Hat
chromium-browser: Use after free in extensions
vendor_redhat·2020-04-07·CVSS 8.8
CVE-2020-6454 [HIGH] chromium-browser: Use after free in extensions
chromium-browser: Use after free in extensions
Use after free in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
Red Hat
chromium-browser: Type Confusion in V8
vendor_redhat·2020-04-07·CVSS 8.8
CVE-2020-6430 [HIGH] chromium-browser: Type Confusion in V8
chromium-browser: Type Confusion in V8
Type Confusion in V8 in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Red Hat
chromium-browser: Use after free in window management
vendor_redhat·2020-04-07·CVSS 8.8
CVE-2020-6436 [HIGH] chromium-browser: Use after free in window management
chromium-browser: Use after free in window management
Use after free in window management in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Red Hat
chromium-browser: Inappropriate implementation in extensions
vendor_redhat·2020-04-07·CVSS 4.3
CVE-2020-6440 [MEDIUM] chromium-browser: Inappropriate implementation in extensions
chromium-browser: Inappropriate implementation in extensions
Inappropriate implementation in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information via a crafted Chrome Extension.
Red Hat
chromium-browser: Insufficient policy enforcement in full screen
vendor_redhat·2020-04-07·CVSS 4.3
CVE-2020-6431 [MEDIUM] chromium-browser: Insufficient policy enforcement in full screen
chromium-browser: Insufficient policy enforcement in full screen
Insufficient policy enforcement in full screen in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to spoof security UI via a crafted HTML page.
Red Hat
chromium-browser: Insufficient policy enforcement in trusted types
vendor_redhat·2020-04-07·CVSS 6.5
CVE-2020-6446 [MEDIUM] chromium-browser: Insufficient policy enforcement in trusted types
chromium-browser: Insufficient policy enforcement in trusted types
Insufficient policy enforcement in trusted types in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass content security policy via a crafted HTML page.
Red Hat
chromium-browser: Uninitialized use in WebRTC
vendor_redhat·2020-04-07·CVSS 6.3
CVE-2020-6444 [MEDIUM] chromium-browser: Uninitialized use in WebRTC
chromium-browser: Uninitialized use in WebRTC
Uninitialized use in WebRTC in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Red Hat
chromium-browser: Insufficient policy enforcement in extensions
vendor_redhat·2020-04-07·CVSS 4.3
CVE-2020-6438 [MEDIUM] chromium-browser: Insufficient policy enforcement in extensions
chromium-browser: Insufficient policy enforcement in extensions
Insufficient policy enforcement in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension.
Red Hat
chromium-browser: Insufficient policy enforcement in trusted types
vendor_redhat·2020-04-07·CVSS 6.5
CVE-2020-6445 [MEDIUM] chromium-browser: Insufficient policy enforcement in trusted types
chromium-browser: Insufficient policy enforcement in trusted types
Insufficient policy enforcement in trusted types in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass content security policy via a crafted HTML page.
Red Hat
chromium-browser: Insufficient policy enforcement in navigations
vendor_redhat·2020-04-07·CVSS 4.3
CVE-2020-6432 [MEDIUM] chromium-browser: Insufficient policy enforcement in navigations
chromium-browser: Insufficient policy enforcement in navigations
Insufficient policy enforcement in navigations in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
Red Hat
chromium-browser: Inappropriate implementation in cache
vendor_redhat·2020-04-07·CVSS 4.3
CVE-2020-6442 [MEDIUM] chromium-browser: Inappropriate implementation in cache
chromium-browser: Inappropriate implementation in cache
Inappropriate implementation in cache in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
Red Hat
chromium-browser: Inappropriate implementation in developer tools
vendor_redhat·2020-04-07·CVSS 8.8
CVE-2020-6447 [HIGH] chromium-browser: Inappropriate implementation in developer tools
chromium-browser: Inappropriate implementation in developer tools
Inappropriate implementation in developer tools in Google Chrome prior to 81.0.4044.92 allowed a remote attacker who had convinced the user to use devtools to potentially exploit heap corruption via a crafted HTML page.
Red Hat
chromium-browser: Insufficient policy enforcement in extensions
vendor_redhat·2020-04-07·CVSS 4.3
CVE-2020-6433 [MEDIUM] chromium-browser: Insufficient policy enforcement in extensions
chromium-browser: Insufficient policy enforcement in extensions
Insufficient policy enforcement in extensions in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
Red Hat
chromium-browser: Insufficient policy enforcement in omnibox
vendor_redhat·2020-04-07·CVSS 4.3
CVE-2020-6441 [MEDIUM] chromium-browser: Insufficient policy enforcement in omnibox
chromium-browser: Insufficient policy enforcement in omnibox
Insufficient policy enforcement in omnibox in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass security UI via a crafted HTML page.
Red Hat
chromium-browser: Out of bounds read and write in V8
vendor_redhat·2020-04-07·CVSS 8.8
CVE-2020-6419 [HIGH] CWE-125 chromium-browser: Out of bounds read and write in V8
chromium-browser: Out of bounds read and write in V8
Out of bounds write in V8 in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Debian
CVE-2020-4044: xrdp - The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting ove...
vendor_debian·2020·CVSS 7.5
CVE-2020-4044 [HIGH] CVE-2020-4044: xrdp - The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting ove...
The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.
Scope: local
bookworm: resolved (fixed in 0.9.12-1.1)
bullseye: resolved (fixed in 0.9.12-1.1)
forky: resolved (fixed in 0.9.12-1.1)
sid: resolved (fixed in 0.9.12-1.1)
trixie: resolve
OSV
CVE-2020-4044: The xrdp-sesman service before version 0
osv·2020-06-30·CVSS 7.8
CVE-2020-4044 [HIGH] CVE-2020-4044: The xrdp-sesman service before version 0
The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.
No detection rules found.
Bugzilla
CVE-2020-4044 xrdp: buffer overflow via malicious payloads [epel-6]
bugzilla·2020-07-09·CVSS 7.5
CVE-2020-4044 [HIGH] CVE-2020-4044 xrdp: buffer overflow via malicious payloads [epel-6]
CVE-2020-4044 xrdp: buffer overflow via malicious payloads [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template for the 'fedpkg update'
Bugzilla
CVE-2020-4044 xrdp: buffer overflow via malicious payloads
bugzilla·2020-07-09·CVSS 7.5
CVE-2020-4044 [HIGH] CVE-2020-4044 xrdp: buffer overflow via malicious payloads
CVE-2020-4044 xrdp: buffer overflow via malicious payloads
The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.
References:
https://github.com/neutrinolabs/xrdp/commit/0c791d073d0eb344ee7aaafd221513dc9226762c
https://github.com/neutrinolabs/xrdp/releases/tag/v0.9.13.1
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j9fv-6fwf-p3g4
https://www.debian.org/security/2020/dsa-4737
https://lists.debian.org/debian-lts-announce/2020/08/msg00015.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00036.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00037.html
Published: 2020-06-30