-------------------------------------------------------------------------
Debian LTS Advisory DLA-3654-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
November 17, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : freerdp2
Version        : 2.3.0+dfsg1-2+deb10u4
CVE ID         : CVE-2021-41160 CVE-2022-24883 CVE-2022-39282 CVE-2022-39283
                 CVE-2022-39316 CVE-2022-39318 CVE-2022-39319 CVE-2022-39347
                 CVE-2022-41877 

Debian Bug     : 1001062 1021659

Multiple vulnerabilties have been found in freelrdp2, a free implementation of
the Remote Desktop Protocol (RDP). The vulnerabilties potentially allows 
authentication bypasses on configuration errors, buffer overreads, DoS vectors,
buffer overflows or accessing files outside of a shared directory.

CVE-2021-41160

    In affected versions a malicious server might trigger out of bound writes in a
    connected client. Connections using GDI or SurfaceCommands to send graphics
    updates to the client might send `0` width/height or out of bound rectangles to
    trigger out of bound writes. With `0` width or heigth the memory allocation
    will be `0` but the missing bounds checks allow writing to the pointer at this
    (not allocated) region.

CVE-2022-24883

    Prior to version 2.7.0, server side authentication against a `SAM` file might
    be successful for invalid credentials if the server has configured an invalid
    `SAM` file path. FreeRDP based clients are not affected. RDP server
    implementations using FreeRDP to authenticate against a `SAM` file are
    affected. Version 2.7.0 contains a fix for this issue. As a workaround, use
    custom authentication via `HashCallback` and/or ensure the `SAM` database path
    configured is valid and the application has file handles left.

CVE-2022-39282

    FreeRDP based clients on unix systems using `/parallel` command line switch
    might read uninitialized data and send it to the server the client is currently
    connected to. FreeRDP based server implementations are not affected.

CVE-2023-39283

    All FreeRDP based clients when using the `/video` command line switch might
    read uninitialized data, decode it as audio/video and display the result.
    FreeRDP based server implementations are not affected.

CVE-2022-39316

    In affected versions there is an out of bound read in ZGFX decoder component of
    FreeRDP. A malicious server can trick a FreeRDP based client to read out of
    bound data and try to decode it likely resulting in a crash.

CVE-2022-39318

    Affected versions of FreeRDP are missing input validation in `urbdrc` channel.
    A malicious server can trick a FreeRDP based client to crash with division by
    zero.

CVE-2022-39319

    Affected versions of FreeRDP are missing input length validation in the
    `urbdrc` channel. A malicious server can trick a FreeRDP based client to read
    out of bound data and send it back to the server.

CVE-2022-39347

    Affected versions of FreeRDP are missing path canonicalization and base path
    check for `drive` channel. A malicious server can trick a FreeRDP based client
    to read files outside the shared directory.

CVE-2022-41877

    Affected versions of FreeRDP are missing input length validation in `drive`
    channel. A malicious server can trick a FreeRDP based client to read out of
    bound data and send it back to the server.


For Debian 10 buster, these problems have been fixed in version
2.3.0+dfsg1-2+deb10u4.

We recommend that you upgrade your freerdp2 packages.

For the detailed security status of freerdp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/freerdp2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-3654-1: freerdp2 security update

November 17, 2023
Debian Bug : 1001062 1021659 Multiple vulnerabilties have been found in freelrdp2, a free implementation of the Remote Desktop Protocol (RDP)

Summary


Multiple vulnerabilties have been found in freelrdp2, a free implementation of
the Remote Desktop Protocol (RDP). The vulnerabilties potentially allows
authentication bypasses on configuration errors, buffer overreads, DoS vectors,
buffer overflows or accessing files outside of a shared directory.

CVE-2021-41160

In affected versions a malicious server might trigger out of bound writes in a
connected client. Connections using GDI or SurfaceCommands to send graphics
updates to the client might send `0` width/height or out of bound rectangles to
trigger out of bound writes. With `0` width or heigth the memory allocation
will be `0` but the missing bounds checks allow writing to the pointer at this
(not allocated) region.

CVE-2022-24883

Prior to version 2.7.0, server side authentication against a `SAM` file might
be successful for invalid credentials if the server has configured an invalid
`SAM` file path. FreeRDP based clients are not affected. RDP server
implementations using FreeRDP to authenticate against a `SAM` file are
affected. Version 2.7.0 contains a fix for this issue. As a workaround, use
custom authentication via `HashCallback` and/or ensure the `SAM` database path
configured is valid and the application has file handles left.

CVE-2022-39282

FreeRDP based clients on unix systems using `/parallel` command line switch
might read uninitialized data and send it to the server the client is currently
connected to. FreeRDP based server implementations are not affected.

CVE-2023-39283

All FreeRDP based clients when using the `/video` command line switch might
read uninitialized data, decode it as audio/video and display the result.
FreeRDP based server implementations are not affected.

CVE-2022-39316

In affected versions there is an out of bound read in ZGFX decoder component of
FreeRDP. A malicious server can trick a FreeRDP based client to read out of
bound data and try to decode it likely resulting in a crash.

CVE-2022-39318

Affected versions of FreeRDP are missing input validation in `urbdrc` channel.
A malicious server can trick a FreeRDP based client to crash with division by
zero.

CVE-2022-39319

Affected versions of FreeRDP are missing input length validation in the
`urbdrc` channel. A malicious server can trick a FreeRDP based client to read
out of bound data and send it back to the server.

CVE-2022-39347

Affected versions of FreeRDP are missing path canonicalization and base path
check for `drive` channel. A malicious server can trick a FreeRDP based client
to read files outside the shared directory.

CVE-2022-41877

Affected versions of FreeRDP are missing input length validation in `drive`
channel. A malicious server can trick a FreeRDP based client to read out of
bound data and send it back to the server.


For Debian 10 buster, these problems have been fixed in version
2.3.0+dfsg1-2+deb10u4.

We recommend that you upgrade your freerdp2 packages.

For the detailed security status of freerdp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/freerdp2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity
Package : freerdp2
Version : 2.3.0+dfsg1-2+deb10u4
CVE ID : CVE-2021-41160 CVE-2022-24883 CVE-2022-39282 CVE-2022-39283
Debian Bug : 1001062 1021659

Related News

News

Powered By

Footer Logo

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

Powered By

Footer Logo