[SECURITY] [DLA 3654-1] freerdp2 security update

Debian LTS Advisory DLA-3654-1 [email protected]
https://www.debian.org/lts/security/ Tobias Frost
November 17, 2023 https://wiki.debian.org/LTS

Package : freerdp2
Version : 2.3.0+dfsg1-2+deb10u4
CVE ID : CVE-2021-41160 CVE-2022-24883 CVE-2022-39282 CVE-2022-39283
CVE-2022-39316 CVE-2022-39318 CVE-2022-39319 CVE-2022-39347
CVE-2022-41877

Debian Bug : 1001062 1021659

Multiple vulnerabilties have been found in freelrdp2, a free implementation of
the Remote Desktop Protocol (RDP). The vulnerabilties potentially allows
authentication bypasses on configuration errors, buffer overreads, DoS vectors,
buffer overflows or accessing files outside of a shared directory.

CVE-2021-41160

In affected versions a malicious server might trigger out of bound writes in a
connected client. Connections using GDI or SurfaceCommands to send graphics
updates to the client might send `0` width/height or out of bound rectangles to
trigger out of bound writes. With `0` width or heigth the memory allocation
will be `0` but the missing bounds checks allow writing to the pointer at this
(not allocated) region.

CVE-2022-24883

Prior to version 2.7.0, server side authentication against a `SAM` file might
be successful for invalid credentials if the server has configured an invalid
`SAM` file path. FreeRDP based clients are not affected. RDP server
implementations using FreeRDP to authenticate against a `SAM` file are
affected. Version 2.7.0 contains a fix for this issue. As a workaround, use
custom authentication via `HashCallback` and/or ensure the `SAM` database path
configured is valid and the application has file handles left.

CVE-2022-39282

FreeRDP based clients on unix systems using `/parallel` command line switch
might read uninitialized data and send it to the server the client is currently
connected to. FreeRDP based server implementations are not affected.

CVE-2023-39283

All FreeRDP based clients when using the `/video` command line switch might
read uninitialized data, decode it as audio/video and display the result.
FreeRDP based server implementations are not affected.

CVE-2022-39316

In affected versions there is an out of bound read in ZGFX decoder component of
FreeRDP. A malicious server can trick a FreeRDP based client to read out of
bound data and try to decode it likely resulting in a crash.

CVE-2022-39318

Affected versions of FreeRDP are missing input validation in `urbdrc` channel.
A malicious server can trick a FreeRDP based client to crash with division by
zero.

CVE-2022-39319

Affected versions of FreeRDP are missing input length validation in the
`urbdrc` channel. A malicious server can trick a FreeRDP based client to read
out of bound data and send it back to the server.

CVE-2022-39347

Affected versions of FreeRDP are missing path canonicalization and base path
check for `drive` channel. A malicious server can trick a FreeRDP based client
to read files outside the shared directory.

CVE-2022-41877

Affected versions of FreeRDP are missing input length validation in `drive`
channel. A malicious server can trick a FreeRDP based client to read out of
bound data and send it back to the server.

For Debian 10 buster, these problems have been fixed in version
2.3.0+dfsg1-2+deb10u4.

We recommend that you upgrade your freerdp2 packages.

For the detailed security status of freerdp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/freerdp2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature