We have discovered recently that a new version of xRDP software has been released on August 31, 2023. The new xrdp package version is set to 0.9.23. This release is mainly to fix a discovered vulnerability. It’s recommended that all users upgrade to this latest version.
Let’s quickly check about this new release…..
xRDP is a software package that provide remote desktop capabilities against a Linux machine and mimics the Remote Desktop capabilities that can be found in Windows Operating system. Using xRDP, you can basically use your standard remote desktop client on Windows or Linux and you can remotely access your Linux Desktop interface. The team behind the software is releasing on regular basis updates. These updates can introduces new features and/or can address security issues.
The bleeding edge version of xRDP packages are as of today the following
- xrdp version 0.9.23 has been released in August 31, 2023
- xorgxrdp version 0.9.19 has been released in September 9, 2022 which is the latest version of the software
xRDP 0.9.23 Release
You can find the release notes for the xrdp package by visiting this page
This release (0.9.23) is mainly to fix a vulnerability that has been discovered and can be summarized as follow
In versions prior to 0.9.23 improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return non-zero (1) value on, e.g., PAM error which may result in in session restrictions such as max concurrent sessions per user by PAM (ex ./etc/security/limits.conf) to be bypassed. Users (administrators) don’t use restrictions by PAM are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue.
Version 0.9.23 is really addressing this issue and no new features has been introduced.
What’s the impact for me ?
Good Question. So, if you are using a well established distribution like Ubuntu or Debian, and if you have performed the installation from the distribution repository, you might not be running the latest version of the xRDP package. Since this security issue affect all versions prior 0.9.23, we would expect that the maintainer of your distribution will update either their package and package version or update the latest package version provided by the xRDP Team.
However, this is not automatic. For example, Ubuntu CVE database already list this vulnerability (see https://ubuntu.com/security/CVE-2023-40184) . But, you can also see that there is not yet a fix and at this stage, the status is set to triage. So, you will need to rely on the distribution maintainer that will decide to update or not the package.
If you have performed the installation from sources, you will have to update yourself the package. You should remove the version installed on your system and recompile from source. So, if you want to use the latest version of xRDP, you will need to compile the software from sources. You can also use our famous xrdp-installer script that simplifies and automate the installation (on Debian based systems). (see https://www.c-nergy.be/products.html). Please note that the latest version of the script has not been tested against xrdp pacakge 0.9.23 yet. So, use the script in a test environment first and validate your xrdp installation.
This is it for this post !
As promised, this is really a short post but rather important. Indeed, the xrdp team has made this latest xrdp release available (0.9.23) in order to fix some security issues that you should be aware of. If you are running a previous version of the package, it would be wise and recommended to install the latest version of the package.
Please note that the xRDP package shipping with your Ubuntu Operating system might not be the latest release version. You will need to check if some updates would be made available by the OS provider. If no updates are provided, you might want to build from sources and deploy the latest version of the xRDP Package… At time of writing, Ubuntu is not providing any updates of the xrdp package as shown in their cve web page (see : https://ubuntu.com/security/CVE-2023-40184).
The xrdp-installer script version 1.4.7 could be used to remove and install the latest version of xrdp package. The script 1.4.7 has not been tested yet against xrdp 0.9.23 package but it should be working as expected. A new version of the script is being prepared which will tackle this issue and others…
Till Next time