FreeBSD: VID-c9ff1150-5d63-11ee-bbae-1c61b4739ac9 (CVE-2023-40184): xrdp -- Improper handling of session establishment errors allows bypassing OS-level session restrictions
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 2 | (AV:N/AC:H/Au:S/C:N/I:N/A:P) | Sep 27, 2023 | Sep 28, 2023 | Dec 10, 2025 |
Description
xrdp team reports: In versions prior to 0.9.23, improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return a non-zero (1) value on, e.g., a PAM error, which may result in session restrictions such as the maximum number of concurrent sessions per user enforced by PAM (e.g. /etc/security/limits.conf) being bypassed. Users (administrators) who don't use restrictions by PAM are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue.
Solution
freebsd-upgrade-package-xrdp