Understanding CVE-2025-68670: A Critical RCE Vulnerability in xrdp

This article explores CVE-2025-68670, a remote code execution vulnerability discovered in the xrdp remote desktop server during a security audit of Kaspersky USB Redirector. The flaw allowed attackers to exploit how xrdp handles client data during the RDP connection setup, leading to potential system compromise. We'll break down the discovery, technical details, and the fix implemented by the xrdp maintainers.

What is CVE-2025-68670 and why is it important?

CVE-2025-68670 is a remote code execution (RCE) vulnerability found in the xrdp server, widely used for remote desktop connections on Linux. It affects versions prior to 0.10.5, 0.9.27, and 0.10.4.1. The vulnerability specifically impacts the Secure Settings Exchange phase of RDP, where client credentials are transmitted. If exploited, an attacker could execute arbitrary code on the server, compromising sensitive data and system integrity. This is particularly critical for thin clients and environments relying on xrdp for remote access. The flaw was discovered during a security audit of Kaspersky USB Redirector, which extends xrdp's capabilities. Kaspersky reported it to the xrdp maintainers, who promptly released patches.

Understanding CVE-2025-68670: A Critical RCE Vulnerability in xrdp — Source: securelist.com

How was the vulnerability discovered?

Kaspersky's security team regularly audits their products, including Kaspersky USB Redirector—a module that provides remote USB device access over RDP. During a routine assessment of this tool's integration with xrdp, they identified a critical flaw in how the server processes client data. The audit focused on the Secure Settings Exchange stage, where the client sends an INFO_PACKET containing credentials like username, password, domain, and optional fields. Through meticulous code review, they found that buffer size checks during data conversion from UTF-16 to UTF-8 were insufficient, allowing a heap-based buffer overflow. This discovery led to the assignment of CVE-2025-68670.

Which part of xrdp is affected by CVE-2025-68670?

The vulnerability resides in the ts_info_utf16_in function within xrdp's client data processing code. During the Secure Settings Exchange, the client sends a TS_INFO_PACKET with Unicode strings (UTF-16) up to 512 bytes each. The server converts these to UTF-8 using ts_info_utf16_in, which receives the destination buffer size. However, the buffer size supplied (INFO_CLIENT_MAX_CB_LEN = 512) does not account for the potential expansion when converting from UTF-16 to UTF-8. Some Unicode characters can require up to 4 bytes in UTF-8, meaning a 512-byte UTF-16 string could become much larger. The function's overflow protection checks the source length against the destination length, but this check is insufficient because it doesn't consider the UTF-8 expansion factor, leading to a buffer overflow.

What is the root cause of the buffer overflow?

The root cause lies in the assumption that the converted UTF-8 data would not exceed the original UTF-16 size. The ts_info_utf16_in function checks if the source bytes plus 2 are within the stream, but the destination buffer capacity is passed separately. Inside, it loops converting characters, but it does not prevent writing beyond the destination when a multi-byte UTF-8 sequence is generated from a single UTF-16 code point. For example, a 2-byte UTF-16 character might become a 3- or 4-byte UTF-8 sequence. An attacker can craft malicious input where the UTF-16 strings contain characters that, when converted, overflow the fixed 512-byte buffer. This overwrites adjacent memory, potentially allowing remote code execution.

How did the xrdp maintainers respond to the report?

Kaspersky responsibly disclosed CVE-2025-68670 to the xrdp project maintainers, who acted swiftly. They released version 0.10.5 with a proper fix that recalculates the destination buffer size based on the maximum possible UTF-8 length of the input (multiplying the character count by 3 or 4, or by using a safer conversion function with explicit bounds checking). Additionally, they backported the patch to 0.9.27 and 0.10.4.1 to cover widely used stable releases. They also issued a security bulletin advising all users to upgrade immediately. The fix ensures that during UTF-16 to UTF-8 conversion, the destination buffer is never exceeded, thus preventing the overflow.

What steps should administrators take to protect their systems?

To mitigate CVE-2025-68670, administrators should immediately upgrade xrdp to version 0.10.5 or later, or to the patched versions 0.9.27 or 0.10.4.1. For those using Kaspersky USB Redirector, ensure the module is updated to a version that incorporates the patched xrdp. Additionally, practice defense-in-depth: use a firewall to restrict RDP access to trusted IPs, enable logging to detect suspicious connection attempts, and regularly review security advisories. If immediate patching is not possible, consider limiting the length of client credentials or applying network-level controls. The vulnerability highlights the importance of regular security assessments, especially for critical infrastructure components like remote desktop servers.

Tags: