| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2026-24683 | 9 Feb 2026 18:22 | – | attackerkb |
| CVE-2026-22854 | 14 Jan 2026 17:47 | – | attackerkb |
| CVE-2026-23732 | 19 Jan 2026 17:12 | – | attackerkb |
| CVE-2026-22856 | 14 Jan 2026 17:53 | – | attackerkb |
| CVE-2026-23948 | 9 Feb 2026 18:12 | – | attackerkb |
| CVE-2026-24684 | 9 Feb 2026 18:23 | – | attackerkb |
| CVE-2026-24676 | 9 Feb 2026 18:15 | – | attackerkb |
| CVE-2026-24681 | 9 Feb 2026 18:20 | – | attackerkb |
| CVE-2026-24675 | 9 Feb 2026 18:14 | – | attackerkb |
| CVE-2026-22852 | 14 Jan 2026 17:45 | – | attackerkb |

```
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2026:0266.
##

include('compat.inc');

if (description)
{
  script_id(310961);
  script_version("1.1");

  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/29");

  script_cve_id(
    "CVE-2026-22852",
    "CVE-2026-22854",
    "CVE-2026-22856",
    "CVE-2026-23732",
    "CVE-2026-23948",
    "CVE-2026-24491",
    "CVE-2026-24675",
    "CVE-2026-24676",
    "CVE-2026-24679",
    "CVE-2026-24681",
    "CVE-2026-24683",
    "CVE-2026-24684",
    "CVE-2026-31806"
  );
  script_xref(name:"IAVA", value:"2026-A-0099-S");
  script_xref(name:"IAVA", value:"2026-A-0286");

  script_name(english:"TencentOS Server 3: freerdp (TSSA-2026:0266)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 3 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to the tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0266 advisory.
Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:
CVE-2026-22852:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server
can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format
lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and
writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability
is fixed in 3.20.1.
CVE-2026-22854:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow
occurs in drive read when a server-controlled read length is used to read file data into an IRP output
stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This
vulnerability is fixed in 3.20.1.
CVE-2026-22856:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial
channel IRP thread tracking allows a heap use-after-free when one thread removes an entry from
serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.
CVE-2026-23732:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph
parsing trusts cbData/remaining length and never validates against the minimum size implied by cx/cy. A
malicious server can trigger a client-side global buffer overflow, causing a crash (DoS). Version 3.21.0
contains a patch for the issue.
CVE-2026-23948:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, a NULL pointer
dereference vulnerability in rdp_write_logon_info_v2() allows a malicious RDP server to crash FreeRDP
proxy by sending a specially crafted LogonInfoV2 PDU with cbDomain=0 or cbUserName=0. This vulnerability
is fixed in 3.22.0.
CVE-2026-24491:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send
client notifications after the control channel is closed, dereferencing a freed callback and triggering a
use after free. This vulnerability is fixed in 3.22.0.
CVE-2026-24675:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, urb_select_interface can
free the device's MS config on error but later code still dereferences it, leading to a use after free in
libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
CVE-2026-24676:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, AUDIN format
renegotiation frees the active format list while the capture thread continues using audin->format, leading
to a use after free in audio_format_compatible. This vulnerability is fixed in 3.22.0.
CVE-2026-24679:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the URBDRC client uses
server-supplied interface numbers as array indices without bounds checks, causing an out-of-bounds read in
libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
CVE-2026-24681:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, asynchronous bulk
transfer completions can use a freed channel callback after URBDRC channel close, leading to a use after
free in urb_write_completion. This vulnerability is fixed in 3.22.0.
CVE-2026-24683:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, ainput_send_input_event
caches channel_callback in a local variable and later uses it without synchronization; a concurrent channel
close can free or reinitialize the callback, leading to a use after free. This vulnerability is fixed in
3.22.0.
CVE-2026-24684:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async
playback thread can process queued PDUs after the channel is closed and internal state is freed, leading
to a use after free in rdpsnd_treat_wave. This vulnerability is fixed in 3.22.0.
CVE-2026-31806:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits()
function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using
NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the
actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that
exceed the expected surface size. Because these values are used during bitmap decoding and memory
operations without proper bounds checking, this can lead to a heap buffer overflow. Since the attacker can
also control the associated pixel data transmitted by the server, the overflow may be exploitable to
overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0.
Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20260266.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-31806");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/01/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:freerdp");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}

include('rpm2.inc');

# Preconditions: local checks enabled, TencentOS 3.x, RPM list collected, supported CPU
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 3.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

# Fixed package versions from the advisory; installed packages older than these are flagged
var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'freerdp-2.11.7-6.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'freerdp-2.11.7-6.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'freerdp-debuginfo-2.11.7-6.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'freerdp-debuginfo-2.11.7-6.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'freerdp-debugsource-2.11.7-6.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'freerdp-debugsource-2.11.7-6.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'freerdp-devel-2.11.7-6.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'freerdp-devel-2.11.7-6.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'freerdp-libs-2.11.7-6.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'freerdp-libs-2.11.7-6.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'freerdp-libs-debuginfo-2.11.7-6.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'freerdp-libs-debuginfo-2.11.7-6.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'libwinpr-2.11.7-6.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'libwinpr-2.11.7-6.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'libwinpr-debuginfo-2.11.7-6.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'libwinpr-debuginfo-2.11.7-6.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'libwinpr-devel-2.11.7-6.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'},
      {'reference':'libwinpr-devel-2.11.7-6.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'2'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');
var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;

foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    # Reset per-package parameters before reading this entry
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_HOLE,
    extra    : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'freerdp / freerdp-debuginfo / freerdp-debugsource / etc');
}
```