Full Report
During a security assessment of Kaspersky USB Redirector, we discovered CVE-2025-68670: a pre-auth RCE in the xrdp server component. Project maintainers promptly patched the vulnerability.
Analysis Summary
# Vulnerability: Pre-authentication RCE in xrdp server (USB Redirector)
## CVE Details
- **CVE ID:** CVE-2025-68670
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-120 (Buffer Copy without Checking Size of Input / Buffer Overflow)
## Affected Systems
- **Products:** xrdp (specifically as bundled or used with components such as Kaspersky USB Redirector)
- **Versions:** versions prior to v0.10.2
- **Configurations:** Systems running the xrdp server component with its RDP listening port reachable from the network.
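The affected range above ("prior to v0.10.2") is easy to get wrong in inventory scripts because xrdp went from 0.9.x to 0.10.x, and a string comparison puts "0.9.27" after "0.10.2". The following is an added example, not code from the advisory or the xrdp project; it assumes you obtain the version string yourself (from the package manager or the binary's own version output) and the strings it is exercised with are constructed.

```python
"""Affected-version check for the xrdp range given above (fixed in v0.10.2).

Added example, not part of the advisory. Version strings are constructed;
how you obtain the installed version (dpkg/rpm query, xrdp's own version
output) is an assumption left to the operator.
"""
import re

FIXED_VERSION = (0, 10, 2)  # from the advisory: fixed in v0.10.2

VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> tuple:
    """Return the leading dotted version number in `text` as an int tuple.

    Handles forms such as 'v0.10.2', '0.9.27.1', '0.10.1-1ubuntu2' or
    'xrdp 0.10.0'; distro suffixes after the numeric part are ignored.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version_text: str) -> bool:
    """True when the installed version is older than the fixed release.

    Tuples compare element-wise as integers, so (0, 9, 27) < (0, 10, 2).
    A plain string comparison gets this wrong: '0.9.27' sorts after '0.10.2'
    because '9' > '1' character-wise.
    """
    return parse_version(version_text) < FIXED_VERSION


def triage(hosts: dict) -> list:
    """Given {hostname: version_string}, return the hosts still affected."""
    return sorted(h for h, v in hosts.items() if is_affected(v))


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = {
        "rdp-gw-01": "xrdp 0.9.27",
        "rdp-gw-02": "0.10.1-1ubuntu2",
        "rdp-gw-03": "v0.10.2",
        "rdp-gw-04": "0.10.3",
    }
    for host in triage(inventory):
        print(f"{host}: {inventory[host]} is affected, update to v0.10.2 or later")
```

Using integer tuples rather than the raw string is the whole point: an inventory check that compared strings would report the 0.9.27 host as already patched.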
## Vulnerability Description
CVE-2025-68670 is a critical buffer overflow vulnerability found in the xrdp server component. The flaw resides in the processing of incoming RDP protocol messages. Specifically, the server fails to properly validate the length of input data before copying it into a fixed-size buffer during the pre-authentication phase. An unauthenticated attacker can exploit this by sending a specially crafted sequence of RDP packets, leading to memory corruption and the execution of arbitrary code with the privileges of the xrdp process (typically `root` or `xrdp` user).
## Exploitation
- **Status:** Not currently reported as exploited in the wild; the vulnerability is, however, reproducible in principle.
- **Complexity:** Medium (Requires knowledge of RDP protocol internals for exploitation).
- **Attack Vector:** Network (Remote exploitation over the RDP port, typically TCP 3389).
## Impact
- **Confidentiality:** High (Full access to the underlying system and data).
- **Integrity:** High (The ability to modify system files and configurations).
- **Availability:** High (The flaw can be used to crash the service or take full control of the host).
## Remediation
### Patches
- **xrdp:** Update to version **v0.10.2** or later.
- **Kaspersky USB Redirector:** Users should update their installation to the latest version provided by the vendor, which includes the patched xrdp component.
### Workarounds
- **Network Segmentation:** Limit access to the RDP port (3389) using firewalls to allow only trusted IP addresses.
- **VPN:** Require a VPN connection before allowing access to the RDP server.
- **Deactivation:** Disable the xrdp service if it is not strictly required for business operations.
## Detection
- **Indicators of Compromise:** Monitor for unexpected service crashes of the `xrdp` daemon or the creation of suspicious child processes by the `xrdp` user.
- **Detection Methods:**
  - Utilize Intrusion Detection Systems (IDS) to flag malformed RDP handshake packets.
  - Review system logs for segmentation faults associated with `xrdp`.
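The two host-side indicators above (repeated `xrdp` segfaults, and child processes spawned under the xrdp service account) can be checked from logs already present on most hosts. The following is an added example, not code from the advisory or the xrdp project. It assumes kernel segfault messages reach syslog or the journal in the usual `comm[pid]: segfault at ...` form, that process execution is recorded by auditd as `type=SYSCALL` records with `syscall=59` (execve on x86_64), and that xrdp runs under uid 997 on the monitored host; every log line it scans is constructed.

```python
"""Log-based detection of the xrdp indicators listed in the advisory:
repeated segfaults of the xrdp daemon, and unexpected child processes
started under the xrdp service account.

Added example, not code from the advisory or xrdp. All log lines are
constructed. Assumptions: kernel segfault lines in "comm[pid]: segfault at"
form, auditd SYSCALL records for execve (syscall=59 on x86_64), and
xrdp running as uid 997 (check /etc/passwd on the real host).
"""
import re
from collections import Counter
from dataclasses import dataclass

XRDP_UID = 997  # assumed service uid for xrdp on this host
# Assumed set of binaries the xrdp service account legitimately executes.
EXPECTED_XRDP_EXES = {"/usr/sbin/xrdp", "/usr/sbin/xrdp-sesman", "/usr/sbin/xrdp-chansrv"}

SEGFAULT_RE = re.compile(
    r"kernel: (?P<comm>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) in (?P<obj>[^\[\s]+)"
)
AUDIT_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value / key="value" pairs


@dataclass(frozen=True)
class Finding:
    kind: str    # "segfault" or "unexpected_child"
    pid: int
    detail: str


def parse_segfault(line: str):
    """Return a Finding for a kernel segfault line belonging to an xrdp process."""
    m = SEGFAULT_RE.search(line)
    if not m or not m.group("comm").startswith("xrdp"):
        return None
    # "error" is the x86 page-fault code; bit 1 set (e.g. 6) means a write access.
    return Finding("segfault", int(m.group("pid")),
                   f"{m.group('comm')} faulted in {m.group('obj')} (error {m.group('err')})")


def parse_audit_execve(line: str, xrdp_uid: int = XRDP_UID):
    """Return a Finding when the xrdp uid executed a binary outside the expected set."""
    if not line.startswith("type=SYSCALL"):
        return None
    kv = {k: v.strip('"') for k, v in AUDIT_KV_RE.findall(line)}
    if kv.get("syscall") != "59" or kv.get("uid") != str(xrdp_uid):
        return None
    exe = kv.get("exe", "")
    if exe in EXPECTED_XRDP_EXES:
        return None
    return Finding("unexpected_child", int(kv["pid"]),
                   f"uid {xrdp_uid} executed {exe} (ppid {kv.get('ppid')})")


def scan(lines, crash_threshold: int = 3):
    """Scan mixed syslog/audit lines; alert on any unexpected child or on
    crash_threshold or more xrdp segfaults (one crash can be benign)."""
    findings = []
    for line in lines:
        f = parse_segfault(line) or parse_audit_execve(line)
        if f:
            findings.append(f)
    counts = Counter(f.kind for f in findings)
    alert = counts["unexpected_child"] > 0 or counts["segfault"] >= crash_threshold
    return findings, alert


# Constructed sample lines (syslog-style first, then raw auditd records).
SAMPLE_LINES = [
    "Jan 10 12:00:01 rdp-gw kernel: xrdp[2311]: segfault at 7f3b00000010 ip 000055d0a1b2c3d4 sp 00007ffd12345678 error 4 in xrdp[55d0a1a00000+c8000]",
    "Jan 10 12:00:09 rdp-gw kernel: xrdp[2340]: segfault at 7f3b00000010 ip 000055d0a1b2c3d4 sp 00007ffd12345678 error 4 in xrdp[55d0a1a00000+c8000]",
    "Jan 10 12:00:17 rdp-gw kernel: xrdp[2361]: segfault at 0 ip 00007f1c3a2b4c5d sp 00007ffd9abcdef0 error 6 in libc.so.6[7f1c3a200000+195000]",
    "Jan 10 12:01:00 rdp-gw kernel: sshd[900]: segfault at 0 ip 00007f0000001000 sp 00007ffd00000000 error 4 in sshd[55aa00000000+a0000]",
    'type=SYSCALL msg=audit(1736510420.101:811): arch=c000003e syscall=59 success=yes exit=0 ppid=2390 pid=2391 auid=4294967295 uid=997 gid=997 euid=997 comm="xrdp-sesman" exe="/usr/sbin/xrdp-sesman" key=(null)',
    'type=SYSCALL msg=audit(1736510421.555:812): arch=c000003e syscall=59 success=yes exit=0 ppid=2390 pid=2402 auid=4294967295 uid=997 gid=997 euid=997 comm="sh" exe="/usr/bin/dash" key=(null)',
    'type=SYSCALL msg=audit(1736510422.000:813): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2410 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key=(null)',
]

if __name__ == "__main__":
    findings, alert = scan(SAMPLE_LINES)
    for f in findings:
        print(f"{f.kind:17} pid={f.pid:<6} {f.detail}")
    print("ALERT" if alert else "no alert")
```

The crash threshold exists because a single segfault after an upgrade or a client disconnect is not by itself evidence of anything; a burst of them against a still-unpatched host is. The child-process check is the stronger signal and fires on the first hit, so keep `EXPECTED_XRDP_EXES` tight and tuned to what your distribution's xrdp packaging actually spawns.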
## References
- **Vendor Advisory (Kaspersky):** hxxps[://]securelist[.]com/cve-2025-68670/119742/
- **GitHub Repository (xrdp):** hxxps[://]github[.]com/neutrinolabs/xrdp
- **NVD (CVE-2025-68670):** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2025-68670