Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 : FreeRDP vulnerabilities (USN-6522-1)

2023-11-2900:00:00

www.tenable.com

ubuntu

freerdp

remote desktop protocol

security advisory

out of bound write

out of bound read

cve-2022-41877

cve-2023-39352

cve-2023-39356

6.8 Medium

AI Score

Confidence

High

JSON

The remote Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6522-1 advisory.

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input length validation in drive channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the drive redirection channel - command line options /drive, +drives or +home-drive. (CVE-2022-41877)
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license.
Affected versions are subject to an invalid offset validation leading to Out Of Bound Write. This can be triggered when the values rect->left and rect->top are exactly equal to surface->width and surface->height. eg. rect->left == surface->width && rect->top == surface->height. In practice this should cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. (CVE-2023-39352)
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license.
In affected versions a missing offset validation may lead to an Out Of Bound Read in the function gdi_multi_opaque_rect. In particular there is no code to validate if the value multi_opaque_rect->numRectangles is less than 45. Looping through multi_opaque_rect->numRectangles without proper boundary checks can lead to Out-of-Bounds Read errors which will likely lead to a crash.
This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. (CVE-2023-39356)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6522-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(186445);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/21");

  script_cve_id("CVE-2022-41877", "CVE-2023-39352", "CVE-2023-39356");
  script_xref(name:"USN", value:"6522-1");

  script_name(english:"Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 : FreeRDP vulnerabilities (USN-6522-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 host has packages installed that are affected by multiple
vulnerabilities as referenced in the USN-6522-1 advisory.

  - FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing
    input length validation in `drive` channel. A malicious server can trick a FreeRDP based client to read
    out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all
    users are advised to upgrade. Users unable to upgrade should not use the drive redirection channel -
    command line options `/drive`, `+drives` or `+home-drive`. (CVE-2022-41877)

  - FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license.
    Affected versions are subject to an invalid offset validation leading to Out Of Bound Write. This can be
    triggered when the values `rect->left` and `rect->top` are exactly equal to `surface->width` and
    `surface->height`. eg. `rect->left` == `surface->width` && `rect->top` == `surface->height`. In practice
    this should cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are
    advised to upgrade. There are no known workarounds for this vulnerability. (CVE-2023-39352)

  - FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license.
    In affected versions a missing offset validation may lead to an Out Of Bound Read in the function
    `gdi_multi_opaque_rect`. In particular there is no code to validate if the value
    `multi_opaque_rect->numRectangles` is less than 45. Looping through `multi_opaque_rect->`numRectangles
    without proper boundary checks can lead to Out-of-Bounds Read errors which will likely lead to a crash.
    This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are
    no known workarounds for this vulnerability. (CVE-2023-39356)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6522-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-39352");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/11/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/11/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:23.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:23.10");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:freerdp2-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:freerdp2-shadow-x11");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:freerdp2-wayland");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:freerdp2-x11");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp-client2-2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp-server2-2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp-shadow-subsystem2-2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp-shadow2-2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp2-2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libuwac0-0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libuwac0-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libwinpr-tools2-2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libwinpr2-2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libwinpr2-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:winpr-utils");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('20.04' >< os_release || '22.04' >< os_release || '23.04' >< os_release || '23.10' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04 / 22.04 / 23.04 / 23.10', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '20.04', 'pkgname': 'freerdp2-dev', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
    {'osver': '20.04', 'pkgname': 'freerdp2-shadow-x11', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
    {'osver': '20.04', 'pkgname': 'freerdp2-wayland', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
    {'osver': '20.04', 'pkgname': 'freerdp2-x11', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
    {'osver': '20.04', 'pkgname': 'libfreerdp-client2-2', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
    {'osver': '20.04', 'pkgname': 'libfreerdp-server2-2', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
    {'osver': '20.04', 'pkgname': 'libfreerdp-shadow-subsystem2-2', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
    {'osver': '20.04', 'pkgname': 'libfreerdp-shadow2-2', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
    {'osver': '20.04', 'pkgname': 'libfreerdp2-2', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
    {'osver': '20.04', 'pkgname': 'libuwac0-0', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
    {'osver': '20.04', 'pkgname': 'libuwac0-dev', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
    {'osver': '20.04', 'pkgname': 'libwinpr-tools2-2', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
    {'osver': '20.04', 'pkgname': 'libwinpr2-2', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
    {'osver': '20.04', 'pkgname': 'libwinpr2-dev', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
    {'osver': '20.04', 'pkgname': 'winpr-utils', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
    {'osver': '22.04', 'pkgname': 'freerdp2-dev', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
    {'osver': '22.04', 'pkgname': 'freerdp2-shadow-x11', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
    {'osver': '22.04', 'pkgname': 'freerdp2-wayland', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
    {'osver': '22.04', 'pkgname': 'freerdp2-x11', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
    {'osver': '22.04', 'pkgname': 'libfreerdp-client2-2', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
    {'osver': '22.04', 'pkgname': 'libfreerdp-server2-2', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
    {'osver': '22.04', 'pkgname': 'libfreerdp-shadow-subsystem2-2', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
    {'osver': '22.04', 'pkgname': 'libfreerdp-shadow2-2', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
    {'osver': '22.04', 'pkgname': 'libfreerdp2-2', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
    {'osver': '22.04', 'pkgname': 'libuwac0-0', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
    {'osver': '22.04', 'pkgname': 'libuwac0-dev', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
    {'osver': '22.04', 'pkgname': 'libwinpr-tools2-2', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
    {'osver': '22.04', 'pkgname': 'libwinpr2-2', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
    {'osver': '22.04', 'pkgname': 'libwinpr2-dev', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
    {'osver': '22.04', 'pkgname': 'winpr-utils', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
    {'osver': '23.04', 'pkgname': 'freerdp2-dev', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
    {'osver': '23.04', 'pkgname': 'freerdp2-shadow-x11', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
    {'osver': '23.04', 'pkgname': 'freerdp2-wayland', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
    {'osver': '23.04', 'pkgname': 'freerdp2-x11', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
    {'osver': '23.04', 'pkgname': 'libfreerdp-client2-2', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
    {'osver': '23.04', 'pkgname': 'libfreerdp-server2-2', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
    {'osver': '23.04', 'pkgname': 'libfreerdp-shadow-subsystem2-2', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
    {'osver': '23.04', 'pkgname': 'libfreerdp-shadow2-2', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
    {'osver': '23.04', 'pkgname': 'libfreerdp2-2', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
    {'osver': '23.04', 'pkgname': 'libuwac0-0', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
    {'osver': '23.04', 'pkgname': 'libuwac0-dev', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
    {'osver': '23.04', 'pkgname': 'libwinpr-tools2-2', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
    {'osver': '23.04', 'pkgname': 'libwinpr2-2', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
    {'osver': '23.04', 'pkgname': 'libwinpr2-dev', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
    {'osver': '23.04', 'pkgname': 'winpr-utils', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
    {'osver': '23.10', 'pkgname': 'freerdp2-dev', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
    {'osver': '23.10', 'pkgname': 'freerdp2-shadow-x11', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
    {'osver': '23.10', 'pkgname': 'freerdp2-wayland', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
    {'osver': '23.10', 'pkgname': 'freerdp2-x11', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
    {'osver': '23.10', 'pkgname': 'libfreerdp-client2-2', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
    {'osver': '23.10', 'pkgname': 'libfreerdp-server2-2', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
    {'osver': '23.10', 'pkgname': 'libfreerdp-shadow-subsystem2-2', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
    {'osver': '23.10', 'pkgname': 'libfreerdp-shadow2-2', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
    {'osver': '23.10', 'pkgname': 'libfreerdp2-2', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
    {'osver': '23.10', 'pkgname': 'libuwac0-0', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
    {'osver': '23.10', 'pkgname': 'libuwac0-dev', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
    {'osver': '23.10', 'pkgname': 'libwinpr-tools2-2', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
    {'osver': '23.10', 'pkgname': 'libwinpr2-2', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
    {'osver': '23.10', 'pkgname': 'libwinpr2-dev', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
    {'osver': '23.10', 'pkgname': 'winpr-utils', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'freerdp2-dev / freerdp2-shadow-x11 / freerdp2-wayland / etc');
}

VendorProductVersionCPE
canonicalubuntu_linux20.04cpe:/o:canonical:ubuntu_linux:20.04:-:lts
canonicalubuntu_linux22.04cpe:/o:canonical:ubuntu_linux:22.04:-:lts
canonicalubuntu_linux23.04cpe:/o:canonical:ubuntu_linux:23.04
canonicalubuntu_linux23.10cpe:/o:canonical:ubuntu_linux:23.10
canonicalubuntu_linuxfreerdp2-devp-cpe:/a:canonical:ubuntu_linux:freerdp2-dev
canonicalubuntu_linuxfreerdp2-shadow-x11p-cpe:/a:canonical:ubuntu_linux:freerdp2-shadow-x11
canonicalubuntu_linuxfreerdp2-waylandp-cpe:/a:canonical:ubuntu_linux:freerdp2-wayland
canonicalubuntu_linuxfreerdp2-x11p-cpe:/a:canonical:ubuntu_linux:freerdp2-x11
canonicalubuntu_linuxlibfreerdp-client2-2p-cpe:/a:canonical:ubuntu_linux:libfreerdp-client2-2
canonicalubuntu_linuxlibfreerdp-server2-2p-cpe:/a:canonical:ubuntu_linux:libfreerdp-server2-2

Vendor	Product	Version	CPE
canonical	ubuntu_linux	20.04	cpe:/o:canonical:ubuntu_linux:20.04:-:lts
canonical	ubuntu_linux	22.04	cpe:/o:canonical:ubuntu_linux:22.04:-:lts
canonical	ubuntu_linux	23.04	cpe:/o:canonical:ubuntu_linux:23.04
canonical	ubuntu_linux	23.10	cpe:/o:canonical:ubuntu_linux:23.10
canonical	ubuntu_linux	freerdp2-dev	p-cpe:/a:canonical:ubuntu_linux:freerdp2-dev
canonical	ubuntu_linux	freerdp2-shadow-x11	p-cpe:/a:canonical:ubuntu_linux:freerdp2-shadow-x11
canonical	ubuntu_linux	freerdp2-wayland	p-cpe:/a:canonical:ubuntu_linux:freerdp2-wayland
canonical	ubuntu_linux	freerdp2-x11	p-cpe:/a:canonical:ubuntu_linux:freerdp2-x11
canonical	ubuntu_linux	libfreerdp-client2-2	p-cpe:/a:canonical:ubuntu_linux:libfreerdp-client2-2
canonical	ubuntu_linux	libfreerdp-server2-2	p-cpe:/a:canonical:ubuntu_linux:libfreerdp-server2-2