Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.6855
freerdp2 security update
20 November 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: freerdp2
Publisher: Debian
Operating System: Debian GNU/Linux
Resolution: Patch/Upgrade
CVE Names: CVE-2023-39283 CVE-2022-41877 CVE-2022-39347
CVE-2022-39319 CVE-2022-39318 CVE-2022-39316
CVE-2022-39283 CVE-2022-39282 CVE-2022-24883
CVE-2021-41160
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2023/11/msg00010.html
Comment: CVSS (Max): 9.8 CVE-2022-24883 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: NIST
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3654-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
November 17, 2023 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : freerdp2
Version : 2.3.0+dfsg1-2+deb10u4
CVE ID : CVE-2021-41160 CVE-2022-24883 CVE-2022-39282 CVE-2022-39283
CVE-2022-39316 CVE-2022-39318 CVE-2022-39319 CVE-2022-39347
CVE-2022-41877
Debian Bug : 1001062 1021659
Multiple vulnerabilties have been found in freelrdp2, a free implementation of
the Remote Desktop Protocol (RDP). The vulnerabilties potentially allows
authentication bypasses on configuration errors, buffer overreads, DoS vectors,
buffer overflows or accessing files outside of a shared directory.
CVE-2021-41160
In affected versions a malicious server might trigger out of bound writes in a
connected client. Connections using GDI or SurfaceCommands to send graphics
updates to the client might send `0` width/height or out of bound rectangles to
trigger out of bound writes. With `0` width or heigth the memory allocation
will be `0` but the missing bounds checks allow writing to the pointer at this
(not allocated) region.
CVE-2022-24883
Prior to version 2.7.0, server side authentication against a `SAM` file might
be successful for invalid credentials if the server has configured an invalid
`SAM` file path. FreeRDP based clients are not affected. RDP server
implementations using FreeRDP to authenticate against a `SAM` file are
affected. Version 2.7.0 contains a fix for this issue. As a workaround, use
custom authentication via `HashCallback` and/or ensure the `SAM` database path
configured is valid and the application has file handles left.
CVE-2022-39282
FreeRDP based clients on unix systems using `/parallel` command line switch
might read uninitialized data and send it to the server the client is currently
connected to. FreeRDP based server implementations are not affected.
CVE-2023-39283
All FreeRDP based clients when using the `/video` command line switch might
read uninitialized data, decode it as audio/video and display the result.
FreeRDP based server implementations are not affected.
CVE-2022-39316
In affected versions there is an out of bound read in ZGFX decoder component of
FreeRDP. A malicious server can trick a FreeRDP based client to read out of
bound data and try to decode it likely resulting in a crash.
CVE-2022-39318
Affected versions of FreeRDP are missing input validation in `urbdrc` channel.
A malicious server can trick a FreeRDP based client to crash with division by
zero.
CVE-2022-39319
Affected versions of FreeRDP are missing input length validation in the
`urbdrc` channel. A malicious server can trick a FreeRDP based client to read
out of bound data and send it back to the server.
CVE-2022-39347
Affected versions of FreeRDP are missing path canonicalization and base path
check for `drive` channel. A malicious server can trick a FreeRDP based client
to read files outside the shared directory.
CVE-2022-41877
Affected versions of FreeRDP are missing input length validation in `drive`
channel. A malicious server can trick a FreeRDP based client to read out of
bound data and send it back to the server.
For Debian 10 buster, these problems have been fixed in version
2.3.0+dfsg1-2+deb10u4.
We recommend that you upgrade your freerdp2 packages.
For the detailed security status of freerdp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/freerdp2
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZVq4pMkNZI30y1K9AQhEPg//ZOdKMG/hCpOFAh43P8JUL3PTx5Io1ukA
E2kHSgv3q534Y+oBlCSJfo3iOVGnTaUeYp/5zkcSitOUOiRRRK1FQjR5EfKlwVGn
WD90p/kF99MKOoACh4tAArSYxox9ZMHP03Mw/XQwWLaKUi8lnR9ag1FH3DapD5wT
5tFifCnFLHivUMuB9Rq/IKzRgMFnpF+J6vHVWz+LQRFNui0YH0giM8cMhRl+9Opx
4h+FnBrL8ay4CsealZUxA9+1e1bhDRjvADup23RfqO8CpRxaYlftFLSXrEeZl1Uv
gE7EYQYn9xQ2gPHc65iwKOF+6mjcLHF58cg2GcezgwdOBC6Yw7apt0rWWCd+Y3zf
1AssLJD4PvXvSs36WiW3xPmhHJq3sq6OSiNDY9hgJ6rUbBKujGM8RxG0YoG+ky1l
KJ7v9OVBX0We8Y/xrqnoABieFRrkij6g30WjerPKPJGWjqGuUz8oJL2Y68WN9hGp
xVufcrfvYwet3YZ+cyeDB2xJVD+9wm1GtkMFvbcce1T38gwO2rPt5l/2FkLIcHA/
tL3CwaaNeR3YhGS0DUNbSFoXNZXRPNjyB5gCcT+QHJDAHMJdXFbvsRfPJsplgd94
tH9mTv7rQsTcsCCE9AYxE5UpF7/1Cf5JcCV3RVc72qPDmJi5rt6X0kwDxWfzLA4g
YxP98mDwJWo=
=imt/
-----END PGP SIGNATURE-----