CVE-2018-20179
📋 TL;DR
CVE-2018-20179 is a critical integer underflow vulnerability in the rdesktop RDP client that leads to a heap-based buffer overflow and remote code execution. An attacker controlling the RDP server can exploit it by sending malicious RDP responses to the connecting client and compromise the client system. All users running vulnerable rdesktop versions are affected.
💻 Affected Systems
- rdesktop
📦 What is this software?
Rdesktop by Rdesktop
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with full system compromise, allowing attackers to install malware, steal credentials, and pivot to other systems.
Likely Case
Remote code execution leading to complete client system compromise when connecting to malicious RDP servers.
If Mitigated
Limited impact if systems are patched, network segmentation prevents RDP connections to untrusted hosts, and proper endpoint protection is in place.
🎯 Exploit Status
Check Point Research published detailed exploitation techniques. Exploitation requires the client to connect to a malicious server; it does not require a server to be compromised.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.8.4 and later
Vendor Advisory: https://github.com/rdesktop/rdesktop/commit/4dca546d04321a610c1835010b5dad85163b65e1
Restart Required: Yes
Instructions:
1. Update rdesktop to version 1.8.4 or later using your package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade rdesktop
3. For source installation: download the latest release from GitHub, compile and install.
4. Restart any active rdesktop sessions.
🔧 Temporary Workarounds
Network Restriction
Restrict rdesktop connections to trusted RDP servers only using firewall rules (replace trusted_server_ip with the address of each approved server; the ACCEPT rule must be inserted before the DROP rule):
iptables -A OUTPUT -p tcp --dport 3389 -d trusted_server_ip -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3389 -j DROP
Alternative Client
Use an alternative RDP client such as FreeRDP or Remmina until patching is possible:
sudo apt install freerdp2-x11
sudo apt install remmina
🧯 If You Can't Patch
- Disable rdesktop usage entirely and use alternative RDP clients.
- Implement strict network controls to only allow RDP connections to verified internal servers.
🔍 How to Verify
Check if Vulnerable:
Check the rdesktop version: rdesktop --version | grep -E '1\.8\.[0-3]' (a match indicates a vulnerable 1.8.x release; releases older than 1.8.0 also predate the fix)
Check Version:
rdesktop --version
Verify Fix Applied:
Verify version is 1.8.4 or higher: rdesktop --version | grep -E '1\.8\.[4-9]|1\.9|2\.'
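The digit-class patterns above cover 1.8.0 through 1.8.3 and 1.8.4 through 1.8.9 only. The following shell check is an added example (not from this advisory or the rdesktop project) that compares the reported version numerically against 1.8.4, so older 1.7.x releases are flagged and a hypothetical 1.8.10 is not; it assumes rdesktop prints "Version X.Y.Z" in its usage banner when run without arguments.

```shell
# Added example for CVE-2018-20179 (not from the advisory or the rdesktop
# project): numeric check of whether an rdesktop version is below the fixed
# 1.8.4, so that 1.7.1 is flagged and 1.8.10 is not, unlike a digit-class grep.
FIXED_VERSION="1.8.4"   # first release carrying the fix, per the advisory

# Pull the first "N.N" or "N.N.N" group out of arbitrary text and pad it to
# three fields. Prints the normalized version; returns 1 if none is present.
normalize_version() {
    v=$(printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){1,2}' | head -n 1)
    [ -n "$v" ] || return 1
    case "$v" in
        *.*.*) ;;
        *) v="$v.0" ;;
    esac
    printf '%s\n' "$v"
}

# Print the three numeric fields of "MAJ.MIN.PAT" separated by spaces.
split_version() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# Exit status 0: affected (< 1.8.4); 1: fixed (>= 1.8.4); 2: no version found.
rdesktop_vuln_version() {
    v=$(normalize_version "$1") || return 2
    # $1..$3 become the installed MAJ MIN PAT, $4..$6 the fixed MAJ MIN PAT
    set -- $(split_version "$v") $(split_version "$FIXED_VERSION")
    if [ "$1" -lt "$4" ]; then return 0; fi
    if [ "$1" -gt "$4" ]; then return 1; fi
    if [ "$2" -lt "$5" ]; then return 0; fi
    if [ "$2" -gt "$5" ]; then return 1; fi
    if [ "$3" -lt "$6" ]; then return 0; fi
    return 1
}

# Check the client installed on this host. Assumption: rdesktop prints a usage
# banner containing "Version X.Y.Z" when run without arguments.
check_installed_rdesktop() {
    banner=$(rdesktop 2>&1 | head -n 3)
    rc=0; rdesktop_vuln_version "$banner" || rc=$?
    case $rc in
        0) echo "rdesktop $(normalize_version "$banner") is affected; upgrade to $FIXED_VERSION or later" ;;
        1) echo "rdesktop $(normalize_version "$banner") is at or above $FIXED_VERSION" ;;
        *) echo "could not find an rdesktop version (client not installed?)" ;;
    esac
    return $rc
}
```

Run check_installed_rdesktop on the host; the exit status alone (0 affected, 1 fixed, 2 unknown) is enough for use in a fleet-wide inventory script.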
📡 Detection & Monitoring
Log Indicators:
- Abnormal rdesktop crashes or termination
- Unexpected memory access errors in system logs
- Connections to unknown RDP servers
Network Indicators:
- RDP connections to suspicious or unknown IP addresses
- Abnormal RDP traffic patterns
SIEM Query:
(process:rdesktop AND (event_id:1000 OR event_id:1001)) OR (destination_port:3389 AND NOT destination_ip:(trusted_ip_list))
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00040.html
- http://www.securityfocus.com/bid/106938
- https://github.com/rdesktop/rdesktop/commit/4dca546d04321a610c1835010b5dad85163b65e1
- https://lists.debian.org/debian-lts-announce/2019/02/msg00030.html
- https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients/
- https://security.gentoo.org/glsa/201903-06
- https://www.debian.org/security/2019/dsa-4394