CVE-2018-8795

9.8 CRITICAL

📋 TL;DR

CVE-2018-8795 is a critical integer overflow (CWE-190) in the rdesktop RDP client, in the code that parses server-sent bitmap updates (process_bitmap_updates()), that leads to a heap-based buffer overflow, memory corruption and potentially remote code execution. It is a client-side bug: a malicious or compromised RDP server, or an attacker able to intercept the connection, sends crafted bitmap update PDUs to a connecting client; nothing beyond initiating the session is required from the user. All rdesktop versions up to and including v1.8.3 are affected.
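To make the bug class concrete, the following is a constructed illustration added for this page. It is not rdesktop's source: the struct, function names, sample headers and the 64 MiB cap are assumptions for the example. It shows how a buffer size derived from three attacker-chosen 16-bit header fields wraps when computed in 32-bit arithmetic, and the checks (64-bit arithmetic, a size cap, and a comparison against the bytes actually received before any copy) that close the hole.

```c
/* Constructed illustration of the CVE-2018-8795 bug class (integer overflow in a
 * size computation feeding a heap allocation). Not rdesktop's code; struct,
 * names and the 64 MiB cap are assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bitmap-update header fields as a server sends them: 16-bit, attacker-controlled. */
struct bmp_hdr {
    uint16_t width;
    uint16_t height;
    uint16_t bpp;     /* bits per pixel */
};

/* Policy cap on a single decoded bitmap (assumption, not an rdesktop constant). */
#define MAX_BITMAP_BYTES (64u * 1024u * 1024u)

/* VULNERABLE pattern: 32-bit product of three attacker-chosen factors. With
 * width = height = 0x8000 and bpp = 32 the product is exactly 2^32 and wraps to 0,
 * so a later malloc(size) returns a tiny buffer while the row copies still write
 * width * height * Bpp bytes into it. Unsigned arithmetic is used so the wrap is
 * well-defined for demonstration; the out-of-bounds copy is deliberately not done. */
uint32_t vuln_bitmap_size(const struct bmp_hdr *h)
{
    uint32_t Bpp = (uint32_t)(h->bpp + 7) / 8;
    return (uint32_t)h->width * h->height * Bpp;   /* wraps on large inputs */
}

/* HARDENED: reject impossible fields, multiply in 64-bit so nothing can wrap,
 * and bound the result by a sane cap. Returns 0 on success, -1 on rejection. */
int safe_bitmap_size(const struct bmp_hdr *h, size_t *out)
{
    if (h->width == 0 || h->height == 0 || h->bpp == 0 || h->bpp > 32)
        return -1;
    uint64_t Bpp = ((uint64_t)h->bpp + 7) / 8;
    uint64_t n = (uint64_t)h->width * (uint64_t)h->height * Bpp;
    if (n > MAX_BITMAP_BYTES)
        return -1;
    *out = (size_t)n;
    return 0;
}

/* HARDENED decode of an uncompressed bitmap. `data`/`len` is the remaining
 * payload of the PDU; rows are stored bottom-up as the wire format delivers them.
 * The copy only proceeds once the validated size fits the bytes actually present.
 * Returns a malloc'd buffer (caller frees) or NULL. */
uint8_t *decode_uncompressed(const struct bmp_hdr *h, const uint8_t *data,
                             size_t len, size_t *outlen)
{
    size_t need;
    if (safe_bitmap_size(h, &need) != 0)
        return NULL;
    if (need > len)                       /* would read past the packet */
        return NULL;
    uint8_t *bmp = malloc(need);
    if (bmp == NULL)
        return NULL;
    size_t row = (size_t)h->width * (((size_t)h->bpp + 7) / 8);
    for (size_t y = 0; y < h->height; y++)
        memcpy(bmp + (h->height - 1 - y) * row, data + y * row, row);
    *outlen = need;
    return bmp;
}

int main(void)
{
    struct bmp_hdr evil = { 0x8000, 0x8000, 32 };   /* constructed malicious header */
    size_t n = 0;
    printf("vulnerable size computation: %u bytes\n", (unsigned)vuln_bitmap_size(&evil));
    printf("hardened check: %s\n",
           safe_bitmap_size(&evil, &n) == 0 ? "accepted" : "rejected");

    struct bmp_hdr ok = { 2, 2, 8 };               /* constructed benign 2x2, 8 bpp */
    const uint8_t px[4] = { 1, 2, 3, 4 };
    size_t outlen = 0;
    uint8_t *bmp = decode_uncompressed(&ok, px, sizeof px, &outlen);
    if (bmp != NULL) {
        printf("decoded %zu bytes: %u %u %u %u\n", outlen, bmp[0], bmp[1], bmp[2], bmp[3]);
        free(bmp);
    }
    return 0;
}
```

The rule the example encodes is the one the 1.8.4 fix applies to the real code path: any length derived from peer-controlled fields must be computed in a width that cannot wrap (or with an overflow-checking primitive such as __builtin_mul_overflow), capped, and compared with the bytes actually received before it is used for an allocation or a copy.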

💻 Affected Systems

Products:
  • rdesktop
Versions: All versions up to and including v1.8.3
Operating Systems: Linux, Unix-like systems, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Any system that uses rdesktop to connect to an RDP server is vulnerable regardless of client configuration; the bug is in parsing server-sent bitmap updates, which every session processes.

📦 What is this software?

rdesktop is an open-source RDP client for Unix-like systems, used to open Remote Desktop sessions to Windows hosts from Linux and similar platforms.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the client host via remote code execution, allowing the attacker to run arbitrary code with the privileges of the user running rdesktop, install malware, or pivot to other systems.

🟠

Likely Case

Remote code execution leading to credential theft, lateral movement, or ransomware deployment on affected systems.

🟢

If Mitigated

Limited impact if rdesktop can only reach trusted, well-managed RDP servers over a path that cannot be intercepted, and clients are patched.

🌐 Internet-Facing: HIGH - rdesktop clients that connect to RDP servers over the Internet (or any untrusted path) can be served crafted bitmap updates by a malicious, compromised or impersonated server.
🏢 Internal Only: MEDIUM - Internal connections are exploitable by a compromised internal RDP server, an insider who can stand one up, or an attacker able to redirect or intercept the session.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Check Point Research documented this bug, with its other rdesktop findings, in its February 2019 "Reverse RDP Attack" publication, including proof-of-concept details. Exploitation requires the client to connect to an attacker-controlled (or attacker-intercepted) RDP server; the attacker needs no credentials on the client.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: rdesktop v1.8.4 and later

Vendor Advisory: https://github.com/rdesktop/rdesktop/commit/4dca546d04321a610c1835010b5dad85163b65e1

Restart Required: No system reboot, but rdesktop sessions that were running before the update keep executing the old code until they are closed and reopened.

Instructions:

1. Update rdesktop to version 1.8.4 or later with your package manager.
2. Debian/Ubuntu: sudo apt update && sudo apt install --only-upgrade rdesktop
3. Source installations: build the 1.8.4 (or later) release from the rdesktop GitHub repository and replace the old binary.
4. Close and reopen any rdesktop sessions that were running before the update.

🔧 Temporary Workarounds

Network Segmentation

all

Allow outbound RDP (TCP 3389 by default) from rdesktop hosts only to an explicit list of trusted servers, and keep the client-to-server path free of untrusted networks where the session could be intercepted

Use Alternative RDP Client

linux

Replace rdesktop with a patched RDP client such as FreeRDP. The same research reported similar bugs in FreeRDP that were fixed in 2.0.0-rc4, so confirm the installed FreeRDP package is at or past that release

sudo apt install freerdp2-x11

🧯 If You Can't Patch

  • Block outbound RDP (TCP port 3389) from rdesktop hosts to any destination not on an allowlist of trusted servers, using firewall rules
  • Monitor rdesktop hosts for crashes of the rdesktop process and for unexpected child processes spawned by it, and log every outbound RDP connection with its destination

🔍 How to Verify

Check if Vulnerable:

rdesktop prints its version in the usage banner; if it reports 1.8.3 or earlier, the upstream code is vulnerable.

Check Version:

rdesktop -h 2>&1 | head -n 2

Verify Fix Applied:

Confirm the banner reports 1.8.4 or later. For distribution packages, also check the installed package version and changelog (dpkg or rpm), since a distribution may ship the fix as a backport while the banner still reports 1.8.3.

📡 Detection & Monitoring

Log Indicators:

  • rdesktop process crashes (segfaults) on client hosts, especially shortly after a session starts
  • Unexpected child processes spawned by rdesktop, or new outbound connections from the rdesktop user after a session
  • rdesktop connections to destinations outside the trusted-server allowlist

Network Indicators:

  • RDP sessions from rdesktop hosts to unknown or newly seen servers
  • Bitmap update PDUs with oversized width/height fields; this is only observable where the session is unencrypted or at an inspection point that terminates TLS, since RDP sessions are normally TLS-protected

SIEM Query:

Pseudo-query; adapt the field names to your SIEM. Because this is a client-side bug, the events of interest are outbound RDP connections to servers that are not trusted:

dst_port=3389 AND NOT dst_ip IN trusted_rdp_servers
