[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 3606-1] freerdp2 security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-3606-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
October 07, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : freerdp2
Version        : 2.3.0+dfsg1-2+deb10u3
CVE ID         : CVE-2020-4030 CVE-2020-4031 CVE-2020-4032 CVE-2020-4033 
                 CVE-2020-11017 CVE-2020-11018 CVE-2020-11019 CVE-2020-11038 
                 CVE-2020-11039 CVE-2020-11040 CVE-2020-11041 CVE-2020-11042 
                 CVE-2020-11043 CVE-2020-11044 CVE-2020-11045 CVE-2020-11046 
                 CVE-2020-11047 CVE-2020-11048 CVE-2020-11049 CVE-2020-11058 
                 CVE-2020-11085 CVE-2020-11086 CVE-2020-11087 CVE-2020-11088 
                 CVE-2020-11089 CVE-2020-11095 CVE-2020-11096 CVE-2020-11097 
                 CVE-2020-11098 CVE-2020-11099 CVE-2020-13396 CVE-2020-13397 
                 CVE-2020-13398 CVE-2020-15103 CVE-2023-39350 CVE-2023-39351 
                 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355 
                 CVE-2023-39356 CVE-2023-40567 CVE-2023-40181 CVE-2023-40186 
                 CVE-2023-40188 CVE-2023-40569 CVE-2023-40589
Debian Bug     : 965979 1051638

Multiple vulnerabilties have been found in freelrdp2, a free
implementation of the Remote Desktop Protocol (RDP).
The vulnerabilties potentially allows buffer overreads, buffer overflows,
interger overflows, use-after-free, DoS vectors.

CVE-2020-4030

    In FreeRDP before version 2.1.2, there is an out of bounds read in
    TrioParse. Logging might bypass string length checks due to an
    integer overflow. This is fixed in version 2.1.2.	

CVE-2020-4031

    In FreeRDP before version 2.1.2, there is a use-after-free in
    gdi_SelectObject. All FreeRDP clients using compatibility mode with
    /relax-order-checks are affected. This is fixed in version 2.1.2.

CVE-2020-4032

    In FreeRDP before version 2.1.2, there is an integer casting
    vulnerability in update_recv_secondary_order. All clients with
    +glyph-cache /relax-order-checks are affected. This is fixed in
    version 2.1.2.

CVE-2020-4033

    In FreeRDP before version 2.1.2, there is an out of bounds read in
    RLEDECOMPRESS. All FreeRDP based clients with sessions with color
    depth < 32 are affected. This is fixed in version 2.1.2.

CVE-2020-11017

    In FreeRDP less than or equal to 2.0.0, by providing manipulated
    input a malicious client can create a double free condition and
    crash the server. This is fixed in version 2.1.0.

CVE-2020-11018

    In FreeRDP less than or equal to 2.0.0, a possible resource
    exhaustion vulnerability can be performed. Malicious clients could
    trigger out of bound reads causing memory allocation with random
    size. This has been fixed in 2.1.0.

CVE-2020-11019

    In FreeRDP less than or equal to 2.0.0, when running with logger set
    to "WLOG_TRACE", a possible crash of application could occur due to
    a read of an invalid array index. Data could be printed as string to
    local terminal. This has been fixed in 2.1.0.

CVE-2020-11038

    In FreeRDP less than or equal to 2.0.0, an Integer Overflow to
    Buffer Overflow exists. When using /video redirection, a manipulated
    server can instruct the client to allocate a buffer with a smaller
    size than requested due to an integer overflow in size calculation.
    With later messages, the server can manipulate the client to write
    data out of bound to the previously allocated buffer. This has been
    patched in 2.1.0.

CVE-2020-11039

    In FreeRDP less than or equal to 2.0.0, when using a manipulated
    server with USB redirection enabled (nearly) arbitrary memory can be
    read and written due to integer overflows in length checks. This has
    been patched in 2.1.0.

CVE-2020-11040

    In FreeRDP less than or equal to 2.0.0, there is an out-of-bound
    data read from memory in clear_decompress_subcode_rlex, visualized
    on screen as color. This has been patched in 2.1.0.

CVE-2020-11041

    In FreeRDP less than or equal to 2.0.0, an outside controlled array
    index is used unchecked for data used as configuration for sound
    backend (alsa, oss, pulse, ...). The most likely outcome is a crash
    of the client instance followed by no or distorted sound or a
    session disconnect. If a user cannot upgrade to the patched version,
    a workaround is to disable sound for the session. This has been
    patched in 2.1.0.

CVE-2020-11042

    In FreeRDP greater than 1.1 and before 2.0.0, there is an
    out-of-bounds read in update_read_icon_info. It allows reading a
    attacker-defined amount of client memory (32bit unsigned -> 4GB) to
    an intermediate buffer. This can be used to crash the client or
    store information for later retrieval. This has been patched in
    2.0.0.

CVE-2020-11043

    In FreeRDP less than or equal to 2.0.0, there is an out-of-bounds
    read in rfx_process_message_tileset. Invalid data fed to RFX decoder
    results in garbage on screen (as colors). This has been patched in
    2.1.0.

CVE-2020-11044

    In FreeRDP greater than 1.2 and before 2.0.0, a double free in
    update_read_cache_bitmap_v3_order crashes the client application if
    corrupted data from a manipulated server is parsed. This has been
    patched in 2.0.0.

CVE-2020-11045

    In FreeRDP after 1.0 and before 2.0.0, there is an out-of-bound read
    in in update_read_bitmap_data that allows client memory to be read
    to an image buffer. The result displayed on screen as colour.

CVE-2020-11046

    In FreeRDP after 1.0 and before 2.0.0, there is a stream
    out-of-bounds seek in update_read_synchronize that could lead to a
    later out-of-bounds read.

CVE-2020-11047

    In FreeRDP after 1.1 and before 2.0.0, there is an out-of-bounds
    read in autodetect_recv_bandwidth_measure_results. A malicious
    server can extract up to 8 bytes of client memory with a manipulated
    message by providing a short input and reading the measurement
    result data. This has been patched in 2.0.0.

CVE-2020-11048

    In FreeRDP after 1.0 and before 2.0.0, there is an out-of-bounds
    read. It only allows to abort a session. No data extraction is
    possible. This has been fixed in 2.0.0.

CVE-2020-11049

    In FreeRDP after 1.1 and before 2.0.0, there is an out-of-bound read
    of client memory that is then passed on to the protocol parser. This
    has been patched in 2.0.0.

CVE-2020-11058

    In FreeRDP after 1.1 and before 2.0.0, a stream out-of-bounds seek
    in rdp_read_font_capability_set could lead to a later out-of-bounds
    read. As a result, a manipulated client or server might force a
    disconnect due to an invalid data read. This has been fixed in
    2.0.0.

CVE-2020-11085

    In FreeRDP before 2.1.0, there is an out-of-bounds read in
    cliprdr_read_format_list. Clipboard format data read (by client or
    server) might read data out-of-bounds. This has been fixed in 2.1.0.

CVE-2020-11086

    In FreeRDP less than or equal to 2.0.0, there is an out-of-bound
    read in ntlm_read_ntlm_v2_client_challenge that reads up to 28 bytes
    out-of-bound to an internal structure. This has been fixed in 2.1.0.

CVE-2020-11087

    In FreeRDP less than or equal to 2.0.0, there is an out-of-bound
    read in ntlm_read_AuthenticateMessage. This has been fixed in 2.1.0.

CVE-2020-11088

    In FreeRDP less than or equal to 2.0.0, there is an out-of-bound
    read in ntlm_read_NegotiateMessage. This has been fixed in 2.1.0.

CVE-2020-11089

    In FreeRDP before 2.1.0, there is an out-of-bound read in irp
    functions (parallel_process_irp_create, serial_process_irp_create,
    drive_process_irp_write, printer_process_irp_write, rdpei_recv_pdu,
    serial_process_irp_write). This has been fixed in 2.1.0.

CVE-2020-11095

    In FreeRDP before version 2.1.2, an out of bound reads occurs
    resulting in accessing a memory location that is outside of the
    boundaries of the static array PRIMARY_DRAWING_ORDER_FIELD_BYTES.
    This is fixed in version 2.1.2

CVE-2020-11096

    In FreeRDP before version 2.1.2, there is a global OOB read in
    update_read_cache_bitmap_v3_order. As a workaround, one can disable
    bitmap cache with -bitmap-cache (default). This is fixed in version
    2.1.2.

CVE-2020-11097

    In FreeRDP before version 2.1.2, an out of bounds read occurs
    resulting in accessing a memory location that is outside of the
    boundaries of the static array PRIMARY_DRAWING_ORDER_FIELD_BYTES.
    This is fixed in version 2.1.2.

CVE-2020-11098

    In FreeRDP before version 2.1.2, there is an out-of-bound read in
    glyph_cache_put. This affects all FreeRDP clients with
    `+glyph-cache` option enabled This is fixed in version 2.1.2.

CVE-2020-11099

    In FreeRDP before version 2.1.2, there is an out of bounds read in
    license_read_new_or_upgrade_license_packet. A manipulated license
    packet can lead to out of bound reads to an internal buffer. This is
    fixed in version 2.1.2.

CVE-2020-13396

    In FreeRDP before version 2.1.2, there is an out of bounds read in
    license_read_new_or_upgrade_license_packet. A manipulated license
    packet can lead to out of bound reads to an internal buffer. This is
    fixed in version 2.1.2.

CVE-2020-13397

    An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds
    (OOB) read vulnerability has been detected in security_fips_decrypt
    in libfreerdp/core/security.c due to an uninitialized value.

CVE-2020-13398

    An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds
    (OOB) write vulnerability has been detected in crypto_rsa_common in
    libfreerdp/crypto/crypto.c.

CVE-2020-15103

    In FreeRDP less than or equal to 2.1.2, an integer overflow exists
    due to missing input sanitation in rdpegfx channel. All FreeRDP
    clients are affected. The input rectangles from the server are not
    checked against local surface coordinates and blindly accepted. A
    malicious server can send data that will crash the client later on
    (invalid length arguments to a `memcpy`) This has been fixed in
    2.2.0. As a workaround, stop using command line arguments /gfx,
    /gfx-h264 and /network:auto

CVE-2023-39350

    FreeRDP is a free implementation of the Remote Desktop Protocol
    (RDP), released under the Apache license. This issue affects Clients
    only. Integer underflow leading to DOS (e.g. abort due to
    `WINPR_ASSERT` with default compilation flags). When an insufficient
    blockLen is provided, and proper length validation is not performed,
    an Integer Underflow occurs, leading to a Denial of Service (DOS)
    vulnerability. This issue has been addressed in versions 2.11.0 and
    3.0.0-beta3. Users are advised to upgrade. There are no known
    workarounds for this vulnerability. 

CVE-2023-39351

    FreeRDP is a free implementation of the Remote Desktop Protocol
    (RDP), released under the Apache license. Affected versions of
    FreeRDP are subject to a Null Pointer Dereference leading a crash in
    the RemoteFX (rfx) handling. Inside the
    `rfx_process_message_tileset` function, the program allocates tiles
    using `rfx_allocate_tiles` for the number of numTiles. If the
    initialization process of tiles is not completed for various
    reasons, tiles will have a NULL pointer. Which may be accessed in
    further processing and would cause a program crash. This issue has
    been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised
    to upgrade. There are no known workarounds for this vulnerability.

CVE-2023-39352

    FreeRDP is a free implementation of the Remote Desktop Protocol
    (RDP), released under the Apache license. Affected versions are
    subject to an invalid offset validation leading to Out Of Bound
    Write. This can be triggered when the values `rect->left` and
    `rect->top` are exactly equal to `surface->width` and
    `surface->height`. eg. `rect->left` == `surface->width` &&
    `rect->top` == `surface->height`. In practice this should cause a
    crash. This issue has been addressed in versions 2.11.0 and
    3.0.0-beta3. Users are advised to upgrade. There are no known
    workarounds for this vulnerability. 

CVE-2023-39353

    FreeRDP is a free implementation of the Remote Desktop Protocol
    (RDP), released under the Apache license. Affected versions are
    subject to a missing offset validation leading to Out Of Bound Read.
    In the `libfreerdp/codec/rfx.c` file there is no offset validation
    in `tile->quantIdxY`, `tile->quantIdxCb`, and `tile->quantIdxCr`. As
    a result crafted input can lead to an out of bounds read access
    which in turn will cause a crash. This issue has been addressed in
    versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There
    are no known workarounds for this vulnerability.

CVE-2023-39354

    FreeRDP is a free implementation of the Remote Desktop Protocol
    (RDP), released under the Apache license. Affected versions are
    subject to an Out-Of-Bounds Read in the `nsc_rle_decompress_data`
    function. The Out-Of-Bounds Read occurs because it processes
    `context->Planes` without checking if it contains data of sufficient
    length. Should an attacker be able to leverage this vulnerability
    they may be able to cause a crash. This issue has been addressed in
    versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There
    are no known workarounds for this vulnerability.

CVE-2023-39355

    FreeRDP is a free implementation of the Remote Desktop Protocol
    (RDP), released under the Apache license. Versions of FreeRDP on the
    3.x release branch before beta3 are subject to a Use-After-Free in
    processing `RDPGFX_CMDID_RESETGRAPHICS` packets. If
    `context->maxPlaneSize` is 0, `context->planesBuffer` will be freed.
    However, without updating `context->planesBuffer`, this leads to a
    Use-After-Free exploit vector. In most environments this should only
    result in a crash. This issue has been addressed in version
    3.0.0-beta3 and users of the beta 3.x releases are advised to
    upgrade. There are no known workarounds for this vulnerability.

CVE-2023-39356

    FreeRDP is a free implementation of the Remote Desktop Protocol
    (RDP), released under the Apache license. In affected versions a
    missing offset validation may lead to an Out Of Bound Read in the
    function `gdi_multi_opaque_rect`. In particular there is no code to
    validate if the value `multi_opaque_rect->numRectangles` is less
    than 45. Looping through `multi_opaque_rect->`numRectangles without
    proper boundary checks can lead to Out-of-Bounds Read errors which
    will likely lead to a crash. This issue has been addressed in
    versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There
    are no known workarounds for this vulnerability. 

CVE-2023-40567

    FreeRDP is a free implementation of the Remote Desktop Protocol
    (RDP), released under the Apache license. Affected versions are
    subject to an Out-Of-Bounds Write in the
    `clear_decompress_bands_data` function in which there is no offset
    validation. Abuse of this vulnerability may lead to an out of bounds
    write. This issue has been addressed in versions 2.11.0 and
    3.0.0-beta3. Users are advised to upgrade. there are no known
    workarounds for this vulnerability.

CVE-2023-40181

    FreeRDP is a free implementation of the Remote Desktop Protocol
    (RDP), released under the Apache license. Affected versions are
    subject to an Integer-Underflow leading to Out-Of-Bound Read in the
    `zgfx_decompress_segment` function. In the context of `CopyMemory`,
    it's possible to read data beyond the transmitted packet range and
    likely cause a crash. This issue has been addressed in versions
    2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no
    known workarounds for this issue.

CVE-2023-40186

    FreeRDP is a free implementation of the Remote Desktop Protocol
    (RDP), released under the Apache license. Affected versions are
    subject to an IntegerOverflow leading to Out-Of-Bound Write
    Vulnerability in the `gdi_CreateSurface` function. This issue
    affects FreeRDP based clients only. FreeRDP proxies are not affected
    as image decoding is not done by a proxy. This issue has been
    addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to
    upgrade. There are no known workarounds for this issue.

CVE-2023-40188

    FreeRDP is a free implementation of the Remote Desktop Protocol
    (RDP), released under the Apache license. Affected versions are
    subject to an Out-Of-Bounds Read in the `general_LumaToYUV444`
    function. This Out-Of-Bounds Read occurs because processing is done
    on the `in` variable without checking if it contains data of
    sufficient length. Insufficient data for the `in` variable may cause
    errors or crashes. This issue has been addressed in versions 2.11.0
    and 3.0.0-beta3. Users are advised to upgrade. There are no known
    workarounds for this issue.

CVE-2023-40569

    FreeRDP is a free implementation of the Remote Desktop Protocol
    (RDP), released under the Apache license. Affected versions are
    subject to an Out-Of-Bounds Write in the `progressive_decompress`
    function. This issue is likely down to incorrect calculations of the
    `nXSrc` and `nYSrc` variables. This issue has been addressed in
    versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. there
    are no known workarounds for this vulnerability.

CVE-2023-40589

    FreeRDP is a free implementation of the Remote Desktop Protocol
    (RDP), released under the Apache license. In affected versions there
    is a Global-Buffer-Overflow in the ncrush_decompress function.
    Feeding crafted input into this function can trigger the overflow
    which has only been shown to cause a crash. This issue has been
    addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to
    upgrade. There are no known workarounds for this issue.

For Debian 10 buster, these problems have been fixed in version
2.3.0+dfsg1-2+deb10u3.

We recommend that you upgrade your freerdp2 packages.

For the detailed security status of freerdp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/freerdp2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature


Reply to: