Mageia 2022-0383: freerdp security update | LinuxSecurity.com
MGASA-2022-0383 - Updated freerdp packages fix security vulnerability

Publication date: 23 Oct 2022
URL: https://advisories.mageia.org/MGASA-2022-0383.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-24882,
     CVE-2022-24883

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). In
versions prior to 2.7.0, NT LAN Manager (NTLM) authentication does not
properly abort when someone provides and empty password value. This issue
affects FreeRDP based RDP Server implementations. RDP clients are not
affected. The vulnerability is patched in FreeRDP 2.7.0. There are
currently no known workarounds. (CVE-2022-24882)

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP).
Prior to version 2.7.0, server side authentication against a 'SAM' file
might be successful for invalid credentials if the server has configured
an invalid 'SAM' file path. FreeRDP based clients are not affected. RDP
server implementations using FreeRDP to authenticate against a 'SAM' file
are affected. Version 2.7.0 contains a fix for this issue. As a
workaround, use custom authentication via 'HashCallback' and/or ensure the
'SAM' database path configured is valid and the application has file
handles left. (CVE-2022-24883)

References:
- https://bugs.mageia.org/show_bug.cgi?id=30392
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/AELSWWBAM2YONRPGLWVDY6UNTLJERJYL/
- https://ubuntu.com/security/notices/USN-5461-1
- https://lists.opensuse.org/archives/list/[email protected]/thread/3XAZEK5W555DLYFBAHQKYWZRJ4CADMBX/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24882
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24883

SRPMS:
- 8/core/freerdp-2.2.0-1.2.mga8

Mageia 2022-0383: freerdp security update

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP)

Summary

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). In versions prior to 2.7.0, NT LAN Manager (NTLM) authentication does not properly abort when someone provides and empty password value. This issue affects FreeRDP based RDP Server implementations. RDP clients are not affected. The vulnerability is patched in FreeRDP 2.7.0. There are currently no known workarounds. (CVE-2022-24882)
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server side authentication against a 'SAM' file might be successful for invalid credentials if the server has configured an invalid 'SAM' file path. FreeRDP based clients are not affected. RDP server implementations using FreeRDP to authenticate against a 'SAM' file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via 'HashCallback' and/or ensure the 'SAM' database path configured is valid and the application has file handles left. (CVE-2022-24883)

References

- https://bugs.mageia.org/show_bug.cgi?id=30392

- https://lists.fedoraproject.org/archives/list/[email protected]lists.fedoraproject.org/thread/AELSWWBAM2YONRPGLWVDY6UNTLJERJYL/

- https://ubuntu.com/security/notices/USN-5461-1

- https://lists.opensuse.org/archives/list/[email protected]/thread/3XAZEK5W555DLYFBAHQKYWZRJ4CADMBX/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24882

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24883

Resolution

MGASA-2022-0383 - Updated freerdp packages fix security vulnerability

SRPMS

- 8/core/freerdp-2.2.0-1.2.mga8

Severity
Publication date: 23 Oct 2022
URL: https://advisories.mageia.org/MGASA-2022-0383.html
Type: security
CVE: CVE-2022-24882, CVE-2022-24883

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.