
Debian 11 bullseye DLA-4053-1 critical: FreeRDP2 Denial of Service

Debian LTS advisory, published February 15, 2025
Debian LTS Advisory DLA-4053-1 covers critical vulnerabilities in freerdp2; affected users should upgrade without delay.
Multiple vulnerabilities have been found in freerdp2, a free implementation of the Remote Desktop Protocol (RDP).

Summary

CVE-2021-41160

In affected versions a malicious server might trigger out-of-bounds
writes in a connected client. Connections using GDI or SurfaceCommands
to send graphics updates to the client might send `0` width/height or
out-of-bounds rectangles to trigger out-of-bounds writes. With `0` width
or height the memory allocation will be `0` bytes, but the missing bounds
checks allow writing through the pointer into this (not allocated) region.
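The bug class above is a missing rectangle check before a graphics update is written into the client's drawing surface. The following is an added example written for this page, not FreeRDP's own code: a constructed 32bpp surface, an unchecked "apply update" routine in the shape of the bug, and the hardened version that rejects empty and out-of-bounds rectangles (using 64-bit sums so `left + width` cannot wrap) and checks the payload length before copying. All type and function names (`surface_t`, `update_rect_t`, `surface_apply_update`) are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example types, not FreeRDP's: a 32bpp client-side surface
 * and the rectangle a server-sent graphics update claims to cover. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint8_t *pixels;            /* width * height * 4 bytes */
} surface_t;

typedef struct {
    uint32_t left, top, width, height;   /* untrusted: comes from the server */
} update_rect_t;

enum {
    UPDATE_OK = 0,
    UPDATE_REJECT_EMPTY,        /* zero width or height */
    UPDATE_REJECT_BOUNDS,       /* rectangle leaves the surface */
    UPDATE_REJECT_LENGTH        /* payload does not match the rectangle */
};

surface_t *surface_create(uint32_t width, uint32_t height)
{
    surface_t *s = calloc(1, sizeof(*s));
    if (!s) return NULL;
    s->width = width;
    s->height = height;
    s->pixels = calloc((size_t)width * height, 4);
    if (!s->pixels) { free(s); return NULL; }
    return s;
}

void surface_free(surface_t *s)
{
    if (!s) return;
    free(s->pixels);
    free(s);
}

/* BEFORE (shape of the bug, shown for contrast; never call it with hostile
 * input): the rectangle is trusted. A 0-sized rectangle makes any scratch
 * allocation sized from it 0 bytes, and a rectangle past the surface edge
 * makes `dst` point outside `pixels`; the memcpy then writes there. */
void surface_apply_update_unchecked(surface_t *s, const update_rect_t *r, const uint8_t *payload)
{
    size_t row_bytes = (size_t)r->width * 4;
    for (uint32_t y = 0; y < r->height; y++) {
        uint8_t *dst = s->pixels + ((size_t)(r->top + y) * s->width + r->left) * 4;
        memcpy(dst, payload + (size_t)y * row_bytes, row_bytes);   /* no bounds check */
    }
}

/* AFTER: validate before touching memory. Returns an UPDATE_* code. */
int validate_update_rect(const surface_t *s, const update_rect_t *r)
{
    if (r->width == 0 || r->height == 0)
        return UPDATE_REJECT_EMPTY;
    /* 64-bit sums: left + width cannot wrap back inside the surface */
    if ((uint64_t)r->left + r->width > s->width ||
        (uint64_t)r->top + r->height > s->height)
        return UPDATE_REJECT_BOUNDS;
    return UPDATE_OK;
}

int surface_apply_update(surface_t *s, const update_rect_t *r,
                         const uint8_t *payload, size_t payload_len)
{
    int rc = validate_update_rect(s, r);
    if (rc != UPDATE_OK)
        return rc;
    size_t row_bytes = (size_t)r->width * 4;
    if (payload_len != row_bytes * r->height)
        return UPDATE_REJECT_LENGTH;          /* caller lied about the payload */
    for (uint32_t y = 0; y < r->height; y++) {
        uint8_t *dst = s->pixels + ((size_t)(r->top + y) * s->width + r->left) * 4;
        memcpy(dst, payload + (size_t)y * row_bytes, row_bytes);
    }
    return UPDATE_OK;
}

/* Read back the 32-bit pixel at (x, y); used to confirm what was written. */
uint32_t surface_pixel(const surface_t *s, uint32_t x, uint32_t y)
{
    uint32_t v;
    memcpy(&v, s->pixels + ((size_t)y * s->width + x) * 4, 4);
    return v;
}

int main(void)
{
    surface_t *s = surface_create(4, 4);
    uint8_t payload[2 * 2 * 4];
    memset(payload, 0xAB, sizeof payload);
    update_rect_t ok = {1, 1, 2, 2};
    update_rect_t empty = {0, 0, 0, 5};
    update_rect_t past_edge = {3, 0, 2, 1};
    update_rect_t wraps = {0xFFFFFFFFu, 0, 2, 1};
    printf("valid rect: %d\n", surface_apply_update(s, &ok, payload, sizeof payload));
    printf("empty rect: %d\n", surface_apply_update(s, &empty, payload, sizeof payload));
    printf("past edge:  %d\n", surface_apply_update(s, &past_edge, payload, sizeof payload));
    printf("wrapping:   %d\n", surface_apply_update(s, &wraps, payload, sizeof payload));
    surface_free(s);
    return 0;
}
```

The order of the checks matters: the empty-rectangle test comes first so a `0` dimension is rejected outright rather than passing a bounds check trivially, and the length check prevents a short payload from turning the copy into an over-read.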

CVE-2022-24883

Prior to version 2.7.0, server side authentication against a `SAM` file
might be successful for invalid credentials if the server has configured
an invalid `SAM` file path. FreeRDP based clients are not affected. RDP
server implementations using FreeRDP to authenticate against a `SAM`
file are affected. Version 2.7.0 contains a fix for this issue. As a
workaround, use custom authentication via `HashCallback` and/or ensure
that the `SAM` database path configured is valid and that the application
still has file handles available, since a failed open of the `SAM` file is
what leads to the faulty acceptance.
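The failure mode described above is a fail-open authentication path: when the SAM file cannot be opened, the lookup yields nothing and the caller does not treat "nothing" as a denial. The following is an added example written for this page, not FreeRDP's or WinPR's own code. It assumes a simplified colon-separated `user:domain:LMhash:NThash:::` line layout (an assumption for the example), looks up the user's NT hash, and shows a fail-open `sam_authenticate_fail_open` in the shape of the bug beside a fail-closed `sam_authenticate` that distinguishes "file unreadable", "no such user" and "wrong hash", none of which is success. The hash values in the sample file are the well-known NT hash of `password` and the empty-string hashes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Outcome of a SAM lookup. The point of the fix is that "no file" and
 * "no such user" are distinct from "wrong hash", and none of them is OK. */
enum {
    SAM_AUTH_OK = 0,
    SAM_AUTH_BAD_CREDENTIALS = 1,
    SAM_AUTH_NO_SUCH_USER = 2,
    SAM_AUTH_FILE_ERROR = 3
};

#define SAM_LINE_MAX 512

/* Assumed layout (example only): "user:domain:LMhash:NThash:::", one entry
 * per line, hashes as lowercase hex. Finds `user` case-insensitively and
 * copies its NT hash into nt_hex. Returns a SAM_AUTH_* code. */
int sam_lookup_nt_hash(const char *sam_path, const char *user, char *nt_hex, size_t nt_hex_len)
{
    FILE *f = fopen(sam_path, "r");
    if (!f)
        return SAM_AUTH_FILE_ERROR;          /* fail closed: unreadable file is never a match */
    char line[SAM_LINE_MAX];
    int rc = SAM_AUTH_NO_SUCH_USER;
    while (fgets(line, sizeof line, f)) {
        char *fields[4];
        char *p = line;
        int ok = 1;
        for (int i = 0; i < 4; i++) {        /* user, domain, LM hash, NT hash */
            fields[i] = p;
            char *colon = strchr(p, ':');
            if (!colon) { ok = 0; break; }
            *colon = '\0';
            p = colon + 1;
        }
        if (!ok) continue;                    /* malformed line: skip, do not match */
        if (strcasecmp(fields[0], user) != 0) continue;
        if (strlen(fields[3]) + 1 > nt_hex_len) { rc = SAM_AUTH_FILE_ERROR; break; }
        strcpy(nt_hex, fields[3]);
        rc = SAM_AUTH_OK;
        break;
    }
    fclose(f);
    return rc;
}

/* Constant-time equality on NUL-terminated strings of equal length. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < la; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* BEFORE (shape of the failure mode, for contrast only): the lookup's return
 * code is ignored, so an unreadable SAM file leaves `stored` empty, and a
 * caller that only denies on an explicit mismatch then accepts anything. */
int sam_authenticate_fail_open(const char *sam_path, const char *user, const char *presented_nt_hex)
{
    char stored[65] = "";
    sam_lookup_nt_hash(sam_path, user, stored, sizeof stored);   /* return code dropped */
    if (stored[0] != '\0' && !ct_equal(stored, presented_nt_hex))
        return SAM_AUTH_BAD_CREDENTIALS;
    return SAM_AUTH_OK;                        /* reached with a bad SAM path */
}

/* AFTER: only a successful lookup AND a matching hash yields SAM_AUTH_OK. */
int sam_authenticate(const char *sam_path, const char *user, const char *presented_nt_hex)
{
    char stored[65];
    int rc = sam_lookup_nt_hash(sam_path, user, stored, sizeof stored);
    if (rc != SAM_AUTH_OK)
        return rc;                             /* file error or unknown user: deny */
    return ct_equal(stored, presented_nt_hex) ? SAM_AUTH_OK : SAM_AUTH_BAD_CREDENTIALS;
}

/* Write a constructed SAM file for the demonstration; returns 0 on success. */
int write_sam_file(const char *path, const char *contents)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(contents, f);
    return fclose(f);
}

int main(void)
{
    const char *path = "sam_example.txt";
    write_sam_file(path, "alice:WORKGROUP::8846f7eaee8fb117ad06bdd830b7586c:::\n");
    printf("good path, good hash: %d\n", sam_authenticate(path, "alice", "8846f7eaee8fb117ad06bdd830b7586c"));
    printf("bad path, fail-closed: %d\n", sam_authenticate("/nonexistent/sam", "alice", "garbage"));
    printf("bad path, fail-open:   %d\n", sam_authenticate_fail_open("/nonexistent/sam", "alice", "garbage"));
    remove(path);
    return 0;
}
```

The only behavioural difference between the two authenticators is whether the lookup's return code reaches the decision; that is also the property to test in a server build, by pointing the SAM path at a non-existent file and confirming that every login is refused.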



Severity: critical

Package: freerdp2
Version: 2.3.0+dfsg1-2+deb11u2
CVE ID: CVE-2021-41160 CVE-2022-24883 CVE-2022-39282 CVE-2022-39283
Debian Bug: 1001062 1021659 1051638 1061173 1069728 1072112
