CVE-2024-39917 in xrdp
Summary
by MITRE • 07/12/2024
xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 02/10/2025
The vulnerability identified as CVE-2024-39917 affects xrdp, an open source Remote Desktop Protocol server widely used for remote desktop access in enterprise environments. This issue represents a critical authentication flaw that undermines the security controls designed to prevent brute force attacks against remote desktop services. The vulnerability specifically impacts xrdp versions prior to 0.10.0, where the intended security mechanism for limiting login attempts has been rendered ineffective, creating a significant risk for systems relying on this service for remote access.
The technical flaw resides in the implementation of the MaxLoginRetry configuration parameter within the sesman.ini configuration file located at /etc/xrdp/sesman.ini. This parameter was designed to enforce a limit on the number of failed authentication attempts before terminating the connection attempt, serving as a fundamental defense against automated brute force attacks. However, the vulnerability demonstrates that this mechanism fails to properly enforce the configured limits, allowing attackers to attempt unlimited login combinations without triggering the intended rate limiting controls. The flaw essentially bypasses the authentication throttling mechanism that should protect against credential stuffing and dictionary attack scenarios.
The operational impact of this vulnerability is substantial as it provides attackers with unlimited opportunities to guess valid credentials through automated means. This creates a high probability of successful unauthorized access to systems running vulnerable versions of xrdp, particularly when weak passwords or default credentials are in use. The vulnerability exposes organizations to various attack vectors including credential brute forcing, password spraying attacks, and automated exploitation attempts that could lead to complete system compromise. Organizations with exposed xrdp services face heightened risk of unauthorized access, data breaches, and potential lateral movement within their networks, especially when xrdp is deployed without additional network segmentation or access controls.
The vulnerability aligns with CWE-307, which addresses improper restriction of repeated activities, and represents a failure in implementing proper account lockout or rate limiting mechanisms. From an ATT&CK perspective, this weakness maps to T1110.003 - Brute Force: Password Guessing, as it removes the primary technical barrier that would normally prevent automated credential guessing attempts. Organizations should immediately upgrade to xrdp version 0.10.0 or later where the MaxLoginRetry parameter functions correctly, while also implementing additional security controls such as network-level access restrictions, firewall rules limiting access to xrdp ports, and monitoring for unusual login patterns. The configuration parameter should be properly set with reasonable limits, typically between 3-5 attempts, and administrators should consider implementing additional authentication layers such as multi-factor authentication to further mitigate the risk of unauthorized access through credential guessing attacks.