CVE-2024-39917: 
xrdp vulnerability analysis and mitigation

CVE-2024-39917 affects xrdp, an open source RDP server, in versions prior to 0.10.0. The vulnerability was discovered and disclosed on July 12, 2024, impacting the login attempt limitation functionality. The vulnerability affects all xrdp installations using versions 0.9.26 and earlier (NVD, GitHub Advisory).

The vulnerability stems from an ineffective implementation of the MaxLoginRetry parameter in /etc/xrdp/sesman.ini. This configuration parameter is designed to limit the number of login attempts but fails to function as intended. The issue has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NIST and 7.2 (HIGH) by GitHub, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L. The vulnerability is classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts) (NVD).

The vulnerability allows attackers to make an infinite number of login attempts against the xrdp server, effectively bypassing the intended authentication rate limiting. This could potentially lead to successful brute force attacks against user credentials (GitHub Advisory).

The vulnerability has been fixed in xrdp version 0.10.0. For users unable to upgrade to version 0.10.0, recommended workarounds include restricting access to xrdp at the network layer using a firewall and not exposing xrdp to untrusted clients. Additionally, implementing other security measures such as pam_faillock(8) is advised. Note that xrdp 0.9.x is reaching End of Life (EoL) and no fixes are currently planned for that branch (GitHub Advisory).