Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.6855 freerdp2 security update 20 November 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: freerdp2 Publisher: Debian Operating System: Debian GNU/Linux Resolution: Patch/Upgrade CVE Names: CVE-2023-39283 CVE-2022-41877 CVE-2022-39347 CVE-2022-39319 CVE-2022-39318 CVE-2022-39316 CVE-2022-39283 CVE-2022-39282 CVE-2022-24883 CVE-2021-41160 Original Bulletin: https://lists.debian.org/debian-lts-announce/2023/11/msg00010.html Comment: CVSS (Max): 9.8 CVE-2022-24883 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: NIST Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3654-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost November 17, 2023 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : freerdp2 Version : 2.3.0+dfsg1-2+deb10u4 CVE ID : CVE-2021-41160 CVE-2022-24883 CVE-2022-39282 CVE-2022-39283 CVE-2022-39316 CVE-2022-39318 CVE-2022-39319 CVE-2022-39347 CVE-2022-41877 Debian Bug : 1001062 1021659 Multiple vulnerabilties have been found in freelrdp2, a free implementation of the Remote Desktop Protocol (RDP). The vulnerabilties potentially allows authentication bypasses on configuration errors, buffer overreads, DoS vectors, buffer overflows or accessing files outside of a shared directory. CVE-2021-41160 In affected versions a malicious server might trigger out of bound writes in a connected client. Connections using GDI or SurfaceCommands to send graphics updates to the client might send `0` width/height or out of bound rectangles to trigger out of bound writes. With `0` width or heigth the memory allocation will be `0` but the missing bounds checks allow writing to the pointer at this (not allocated) region. CVE-2022-24883 Prior to version 2.7.0, server side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure the `SAM` database path configured is valid and the application has file handles left. CVE-2022-39282 FreeRDP based clients on unix systems using `/parallel` command line switch might read uninitialized data and send it to the server the client is currently connected to. FreeRDP based server implementations are not affected. CVE-2023-39283 All FreeRDP based clients when using the `/video` command line switch might read uninitialized data, decode it as audio/video and display the result. FreeRDP based server implementations are not affected. CVE-2022-39316 In affected versions there is an out of bound read in ZGFX decoder component of FreeRDP. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it likely resulting in a crash. CVE-2022-39318 Affected versions of FreeRDP are missing input validation in `urbdrc` channel. A malicious server can trick a FreeRDP based client to crash with division by zero. CVE-2022-39319 Affected versions of FreeRDP are missing input length validation in the `urbdrc` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. CVE-2022-39347 Affected versions of FreeRDP are missing path canonicalization and base path check for `drive` channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory. CVE-2022-41877 Affected versions of FreeRDP are missing input length validation in `drive` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. For Debian 10 buster, these problems have been fixed in version 2.3.0+dfsg1-2+deb10u4. We recommend that you upgrade your freerdp2 packages. For the detailed security status of freerdp2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/freerdp2 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBZVq4pMkNZI30y1K9AQhEPg//ZOdKMG/hCpOFAh43P8JUL3PTx5Io1ukA E2kHSgv3q534Y+oBlCSJfo3iOVGnTaUeYp/5zkcSitOUOiRRRK1FQjR5EfKlwVGn WD90p/kF99MKOoACh4tAArSYxox9ZMHP03Mw/XQwWLaKUi8lnR9ag1FH3DapD5wT 5tFifCnFLHivUMuB9Rq/IKzRgMFnpF+J6vHVWz+LQRFNui0YH0giM8cMhRl+9Opx 4h+FnBrL8ay4CsealZUxA9+1e1bhDRjvADup23RfqO8CpRxaYlftFLSXrEeZl1Uv gE7EYQYn9xQ2gPHc65iwKOF+6mjcLHF58cg2GcezgwdOBC6Yw7apt0rWWCd+Y3zf 1AssLJD4PvXvSs36WiW3xPmhHJq3sq6OSiNDY9hgJ6rUbBKujGM8RxG0YoG+ky1l KJ7v9OVBX0We8Y/xrqnoABieFRrkij6g30WjerPKPJGWjqGuUz8oJL2Y68WN9hGp xVufcrfvYwet3YZ+cyeDB2xJVD+9wm1GtkMFvbcce1T38gwO2rPt5l/2FkLIcHA/ tL3CwaaNeR3YhGS0DUNbSFoXNZXRPNjyB5gCcT+QHJDAHMJdXFbvsRfPJsplgd94 tH9mTv7rQsTcsCCE9AYxE5UpF7/1Cf5JcCV3RVc72qPDmJi5rt6X0kwDxWfzLA4g YxP98mDwJWo= =imt/ -----END PGP SIGNATURE-----