CVE-2023-40184: 
xrdp vulnerability analysis and mitigation

xrdp is an open source remote desktop protocol (RDP) server. In versions prior to 0.9.23, improper handling of session establishment errors allows bypassing OS-level session restrictions. The vulnerability was discovered and reported by @gafusss and was assigned CVE-2023-40184. The issue was fixed with the release of version 0.9.23 on August 31, 2023 (GitHub Advisory).

The vulnerability stems from the auth_start_session function returning a non-zero (1) value on PAM errors, which could result in session restrictions such as maximum concurrent sessions per user enforced by PAM (e.g., through /etc/security/limits.conf) being bypassed. The issue has been assigned a CVSS v3.1 base score of 2.6 (LOW) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L (GitHub Advisory).

The vulnerability allows attackers to bypass operating system-level session restrictions that are enforced through PAM. This specifically affects restrictions like maximum concurrent sessions per user that are configured through PAM modules (e.g., in /etc/security/limits.conf). Users or administrators who don't use PAM restrictions are not affected by this vulnerability (GitHub Advisory).

The vulnerability has been fixed in xrdp version 0.9.23. Users are advised to upgrade to this version or later. There are no known workarounds for this issue. The fix involves properly handling the return value from the auth_start_session function (GitHub Advisory, Fedora Update).