Summary
The MaxLoginRetry parameter in /etc/xrdp/sesman.ini is effectively broken in xrdp: attackers can make an unlimited number of login attempts.
Details
xrdp versions prior to 0.10.0 allow an attacker to make an unlimited number of login attempts. The number of failed login attempts is supposed to be capped by the MaxLoginRetry parameter in /etc/xrdp/sesman.ini. However, that mechanism was not working: the value was configurable but not enforced, so a client that keeps supplying wrong credentials is never cut off. As a result, xrdp allows an unlimited number of login attempts, which removes the intended brake on password guessing against accounts reachable through xrdp.
The issue is fixed in xrdp 0.10.0 and later. The xrdp 0.9.x branch is reaching end of life and no fix for it is planned, so users are recommended to update to 0.10.0.
If you cannot update to 0.10.0, restrict access to xrdp at the network layer with a firewall so that it is not exposed to untrusted clients. Also consider additional measures such as pam_faillock(8), which enforces a lockout after repeated authentication failures in the PAM stack itself rather than relying on xrdp's own counter.
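The following POSIX shell script is an added example, not code from the xrdp project or from this advisory. It ties the details and the mitigations above together: it classifies an xrdp version string as affected (below 0.10.0) or fixed, reads the MaxLoginRetry value an administrator may have been relying on from a sesman.ini, and prints an nftables rule for the network-layer restriction. It assumes that `xrdp --version` prints a line beginning "xrdp <version>", that MaxLoginRetry lives in the [Security] section of sesman.ini, and that xrdp listens on the default RDP port 3389; the sesman.ini it parses is constructed for the demo and is not a real host's configuration.

```shell
#!/bin/sh
# Added example, not code from the xrdp project or from this advisory.
# Audit helper for the MaxLoginRetry issue. Assumptions:
#  - `xrdp --version` prints a line like "xrdp 0.9.21" (the sed regex relies on it)
#  - MaxLoginRetry lives in the [Security] section of sesman.ini
#  - xrdp listens on TCP 3389 (the default port in xrdp.ini)

# xrdp_version_affected VERSION
# Returns 0 (true) when VERSION is below 0.10.0, i.e. MaxLoginRetry is not enforced.
# Unparseable input is treated as affected (fail closed).
xrdp_version_affected() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major$minor" in ""|*[!0-9]*) return 0 ;; esac
    if [ "$major" -gt 0 ]; then return 1; fi
    if [ "$minor" -ge 10 ]; then return 1; fi
    return 0
}

# installed_xrdp_version
# Prints the version of the xrdp binary on PATH; fails if xrdp is not installed.
installed_xrdp_version() {
    command -v xrdp >/dev/null 2>&1 || return 1
    xrdp --version 2>&1 | sed -n 's/.*xrdp \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# sesman_max_login_retry FILE
# Prints the MaxLoginRetry value from FILE's [Security] section (empty if unset).
# On an affected version this value is read but never enforced, so it only shows
# what the administrator believed the limit to be.
sesman_max_login_retry() {
    awk -F= '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { in_sec = ($0 ~ /^[ \t]*\[Security\][ \t]*$/); next }
        in_sec && $1 ~ /^[ \t]*MaxLoginRetry[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; exit
        }
    ' "$1"
}

# xrdp_nft_rule ALLOWED_CIDR [PORT]
# Prints an nftables rule that drops RDP connections from outside ALLOWED_CIDR,
# for the "restrict access at the network layer" mitigation. It is printed, not
# applied, and assumes an existing "inet filter" table with an "input" chain.
xrdp_nft_rule() {
    printf 'nft add rule inet filter input tcp dport %s ip saddr != %s drop\n' \
        "${2:-3389}" "$1"
}

# write_sample_sesman_ini FILE
# Writes a constructed sesman.ini fragment (sample data, not a real host's config).
write_sample_sesman_ini() {
    cat > "$1" <<'EOF'
[Globals]
ListenAddress=127.0.0.1
ListenPort=3350

[Security]
AllowRootLogin=false
; intended limit on failed logins; silently ignored before 0.10.0
MaxLoginRetry=4
EOF
}

# Demo: check a few version strings, the local binary if present, and the sample config.
sample=$(mktemp)
write_sample_sesman_ini "$sample"
echo "MaxLoginRetry configured in sample: $(sesman_max_login_retry "$sample")"
installed=$(installed_xrdp_version) || installed=""
for v in 0.9.21 0.9.27 0.10.0 0.10.1 $installed; do
    if xrdp_version_affected "$v"; then
        echo "xrdp $v: affected, MaxLoginRetry not enforced, update to 0.10.0"
    else
        echo "xrdp $v: fixed"
    fi
done
echo "Interim firewall rule: $(xrdp_nft_rule 10.0.0.0/8)"
rm -f "$sample"
```

pam_faillock is configured in the PAM service that sesman authenticates through, not in sesman.ini, so it is deliberately left out of the script; pam_faillock(8) documents the preauth/authfail/authsucc lines to add to that stack. The version check fails closed on strings it cannot parse, which is the right default for an audit script: an unknown version should be investigated, not waved through.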
References