xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter MaxLoginRetry in /etc/xrdp/sesman.ini. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts.
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Xrdp | Neutrinolabs | * | 0.10.0 (excluding) |
| Xrdp | Ubuntu | focal | * |
| Xrdp | Ubuntu | oracular | * |
| Xrdp | Ubuntu | trusty/esm | * |
Common protection mechanisms include:
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]