CVE-2023-42822

Unchecked access to font glyph info in xrdp

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

xrdp is an open source remote desktop protocol server. Access to the font glyphs in xrdp_painter.c is not bounds-checked . Since some of this data is controllable by the user, this can result in an out-of-bounds read within the xrdp executable. The vulnerability allows an out-of-bounds read within a potentially privileged process. On non-Debian platforms, xrdp tends to run as root. Potentially an out-of-bounds write can follow the out-of-bounds read. There is no denial-of-service impact, providing xrdp is running in forking mode. This issue has been addressed in release 0.9.23.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

xrdp es un servidor de protocolo de escritorio remoto de código abierto. El acceso a los font glyphs en xrdp_painter.c no está controlado por los límites. Dado que algunos de estos datos son controlables por el usuario, esto puede resultar en una lectura fuera de los límites dentro del ejecutable xrdp. La vulnerabilidad permite una lectura fuera de los límites dentro de un proceso potencialmente privilegiado. En plataformas que no son Debian, xrdp tiende a ejecutarse como root. Potencialmente, una escritura fuera de los límites puede seguir a la lectura fuera de los límites. No hay ningún impacto de denegación de servicio, siempre que xrdp se ejecute en modo fork. Este problema se solucionó en la versión 0.9.23.1. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-09-14 CVE Reserved
2023-09-27 CVE Published
2024-09-23 CVE Updated
2024-10-03 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (5)

URL	Tag	Source
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5FPGA4M7IYCP7OILDF2ZJEVSXUOFEFQ6
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFGL22QQF65OIZRMCKUZCVJQCKGUBRYE	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RTXODUR4ILM7ZPA6ZGY6VSK4BBSBMKGY	Mailing List

URL	Date	SRC

URL	Date	SRC
https://github.com/neutrinolabs/xrdp/commit/73acbe1f7957c65122b00de4d6f57a8d0d257c40	2023-11-03

URL	Date	SRC
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw	2023-11-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Neutrinolabs Search vendor "Neutrinolabs"		Xrdp Search vendor "Neutrinolabs" for product "Xrdp"				< 0.9.23.1 Search vendor "Neutrinolabs" for product "Xrdp" and version " < 0.9.23.1"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				38 Search vendor "Fedoraproject" for product "Fedora" and version "38"		-		Affected