The remote Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6522-1 advisory.
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input length validation in drive
channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the drive redirection channel - command line options /drive
, +drives
or +home-drive
. (CVE-2022-41877)
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license.
Affected versions are subject to an invalid offset validation leading to Out Of Bound Write. This can be triggered when the values rect->left
and rect->top
are exactly equal to surface->width
and surface->height
. eg. rect->left
== surface->width
&& rect->top
== surface->height
. In practice this should cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. (CVE-2023-39352)
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license.
In affected versions a missing offset validation may lead to an Out Of Bound Read in the function gdi_multi_opaque_rect
. In particular there is no code to validate if the value multi_opaque_rect->numRectangles
is less than 45. Looping through multi_opaque_rect->
numRectangles without proper boundary checks can lead to Out-of-Bounds Read errors which will likely lead to a crash.
This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. (CVE-2023-39356)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6522-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##
include('compat.inc');
if (description)
{
script_id(186445);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/21");
script_cve_id("CVE-2022-41877", "CVE-2023-39352", "CVE-2023-39356");
script_xref(name:"USN", value:"6522-1");
script_name(english:"Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 : FreeRDP vulnerabilities (USN-6522-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 host has packages installed that are affected by multiple
vulnerabilities as referenced in the USN-6522-1 advisory.
- FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing
input length validation in `drive` channel. A malicious server can trick a FreeRDP based client to read
out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all
users are advised to upgrade. Users unable to upgrade should not use the drive redirection channel -
command line options `/drive`, `+drives` or `+home-drive`. (CVE-2022-41877)
- FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license.
Affected versions are subject to an invalid offset validation leading to Out Of Bound Write. This can be
triggered when the values `rect->left` and `rect->top` are exactly equal to `surface->width` and
`surface->height`. eg. `rect->left` == `surface->width` && `rect->top` == `surface->height`. In practice
this should cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are
advised to upgrade. There are no known workarounds for this vulnerability. (CVE-2023-39352)
- FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license.
In affected versions a missing offset validation may lead to an Out Of Bound Read in the function
`gdi_multi_opaque_rect`. In particular there is no code to validate if the value
`multi_opaque_rect->numRectangles` is less than 45. Looping through `multi_opaque_rect->`numRectangles
without proper boundary checks can lead to Out-of-Bounds Read errors which will likely lead to a crash.
This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are
no known workarounds for this vulnerability. (CVE-2023-39356)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6522-1");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-39352");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/11/16");
script_set_attribute(attribute:"patch_publication_date", value:"2023/11/29");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/29");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:23.04");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:23.10");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:freerdp2-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:freerdp2-shadow-x11");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:freerdp2-wayland");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:freerdp2-x11");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp-client2-2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp-server2-2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp-shadow-subsystem2-2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp-shadow2-2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp2-2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libuwac0-0");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libuwac0-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libwinpr-tools2-2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libwinpr2-2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libwinpr2-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:winpr-utils");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('20.04' >< os_release || '22.04' >< os_release || '23.04' >< os_release || '23.10' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04 / 22.04 / 23.04 / 23.10', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var pkgs = [
{'osver': '20.04', 'pkgname': 'freerdp2-dev', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
{'osver': '20.04', 'pkgname': 'freerdp2-shadow-x11', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
{'osver': '20.04', 'pkgname': 'freerdp2-wayland', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
{'osver': '20.04', 'pkgname': 'freerdp2-x11', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
{'osver': '20.04', 'pkgname': 'libfreerdp-client2-2', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
{'osver': '20.04', 'pkgname': 'libfreerdp-server2-2', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
{'osver': '20.04', 'pkgname': 'libfreerdp-shadow-subsystem2-2', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
{'osver': '20.04', 'pkgname': 'libfreerdp-shadow2-2', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
{'osver': '20.04', 'pkgname': 'libfreerdp2-2', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
{'osver': '20.04', 'pkgname': 'libuwac0-0', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
{'osver': '20.04', 'pkgname': 'libuwac0-dev', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
{'osver': '20.04', 'pkgname': 'libwinpr-tools2-2', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
{'osver': '20.04', 'pkgname': 'libwinpr2-2', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
{'osver': '20.04', 'pkgname': 'libwinpr2-dev', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
{'osver': '20.04', 'pkgname': 'winpr-utils', 'pkgver': '2.2.0+dfsg1-0ubuntu0.20.04.6'},
{'osver': '22.04', 'pkgname': 'freerdp2-dev', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
{'osver': '22.04', 'pkgname': 'freerdp2-shadow-x11', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
{'osver': '22.04', 'pkgname': 'freerdp2-wayland', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
{'osver': '22.04', 'pkgname': 'freerdp2-x11', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
{'osver': '22.04', 'pkgname': 'libfreerdp-client2-2', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
{'osver': '22.04', 'pkgname': 'libfreerdp-server2-2', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
{'osver': '22.04', 'pkgname': 'libfreerdp-shadow-subsystem2-2', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
{'osver': '22.04', 'pkgname': 'libfreerdp-shadow2-2', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
{'osver': '22.04', 'pkgname': 'libfreerdp2-2', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
{'osver': '22.04', 'pkgname': 'libuwac0-0', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
{'osver': '22.04', 'pkgname': 'libuwac0-dev', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
{'osver': '22.04', 'pkgname': 'libwinpr-tools2-2', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
{'osver': '22.04', 'pkgname': 'libwinpr2-2', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
{'osver': '22.04', 'pkgname': 'libwinpr2-dev', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
{'osver': '22.04', 'pkgname': 'winpr-utils', 'pkgver': '2.6.1+dfsg1-3ubuntu2.5'},
{'osver': '23.04', 'pkgname': 'freerdp2-dev', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
{'osver': '23.04', 'pkgname': 'freerdp2-shadow-x11', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
{'osver': '23.04', 'pkgname': 'freerdp2-wayland', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
{'osver': '23.04', 'pkgname': 'freerdp2-x11', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
{'osver': '23.04', 'pkgname': 'libfreerdp-client2-2', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
{'osver': '23.04', 'pkgname': 'libfreerdp-server2-2', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
{'osver': '23.04', 'pkgname': 'libfreerdp-shadow-subsystem2-2', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
{'osver': '23.04', 'pkgname': 'libfreerdp-shadow2-2', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
{'osver': '23.04', 'pkgname': 'libfreerdp2-2', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
{'osver': '23.04', 'pkgname': 'libuwac0-0', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
{'osver': '23.04', 'pkgname': 'libuwac0-dev', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
{'osver': '23.04', 'pkgname': 'libwinpr-tools2-2', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
{'osver': '23.04', 'pkgname': 'libwinpr2-2', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
{'osver': '23.04', 'pkgname': 'libwinpr2-dev', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
{'osver': '23.04', 'pkgname': 'winpr-utils', 'pkgver': '2.10.0+dfsg1-1ubuntu0.3'},
{'osver': '23.10', 'pkgname': 'freerdp2-dev', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
{'osver': '23.10', 'pkgname': 'freerdp2-shadow-x11', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
{'osver': '23.10', 'pkgname': 'freerdp2-wayland', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
{'osver': '23.10', 'pkgname': 'freerdp2-x11', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
{'osver': '23.10', 'pkgname': 'libfreerdp-client2-2', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
{'osver': '23.10', 'pkgname': 'libfreerdp-server2-2', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
{'osver': '23.10', 'pkgname': 'libfreerdp-shadow-subsystem2-2', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
{'osver': '23.10', 'pkgname': 'libfreerdp-shadow2-2', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
{'osver': '23.10', 'pkgname': 'libfreerdp2-2', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
{'osver': '23.10', 'pkgname': 'libuwac0-0', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
{'osver': '23.10', 'pkgname': 'libuwac0-dev', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
{'osver': '23.10', 'pkgname': 'libwinpr-tools2-2', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
{'osver': '23.10', 'pkgname': 'libwinpr2-2', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
{'osver': '23.10', 'pkgname': 'libwinpr2-dev', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'},
{'osver': '23.10', 'pkgname': 'winpr-utils', 'pkgver': '2.10.0+dfsg1-1.1ubuntu1.1'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var osver = NULL;
var pkgname = NULL;
var pkgver = NULL;
if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
if (osver && pkgname && pkgver) {
if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : ubuntu_report_get()
);
exit(0);
}
else
{
var tested = ubuntu_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'freerdp2-dev / freerdp2-shadow-x11 / freerdp2-wayland / etc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | 20.04 | cpe:/o:canonical:ubuntu_linux:20.04:-:lts |
canonical | ubuntu_linux | 22.04 | cpe:/o:canonical:ubuntu_linux:22.04:-:lts |
canonical | ubuntu_linux | 23.04 | cpe:/o:canonical:ubuntu_linux:23.04 |
canonical | ubuntu_linux | 23.10 | cpe:/o:canonical:ubuntu_linux:23.10 |
canonical | ubuntu_linux | freerdp2-dev | p-cpe:/a:canonical:ubuntu_linux:freerdp2-dev |
canonical | ubuntu_linux | freerdp2-shadow-x11 | p-cpe:/a:canonical:ubuntu_linux:freerdp2-shadow-x11 |
canonical | ubuntu_linux | freerdp2-wayland | p-cpe:/a:canonical:ubuntu_linux:freerdp2-wayland |
canonical | ubuntu_linux | freerdp2-x11 | p-cpe:/a:canonical:ubuntu_linux:freerdp2-x11 |
canonical | ubuntu_linux | libfreerdp-client2-2 | p-cpe:/a:canonical:ubuntu_linux:libfreerdp-client2-2 |
canonical | ubuntu_linux | libfreerdp-server2-2 | p-cpe:/a:canonical:ubuntu_linux:libfreerdp-server2-2 |