ID OPENVAS:1361412562310873198 Type openvas Reporter Copyright (C) 2017 Greenbone Networks GmbH Modified 2019-03-15T00:00:00
Description
The remote host is missing an update for the 'remmina' package(s) announced via the referenced advisory.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_fedora_2017_4bc09c2364_remmina_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $
#
# Fedora Update for remmina FEDORA-2017-4bc09c2364
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Registration pass: when `description` is set, the calls below only record
# the plugin's metadata and the script stops at exit(0) before any host check.
if(description)
{
  # Identity of the check.
  script_oid("1.3.6.1.4.1.25623.1.0.873198");
  script_version("$Revision: 14223 $");
  script_name("Fedora Update for remmina FEDORA-2017-4bc09c2364");
  script_family("Fedora Local Security Checks");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2017 Greenbone Networks GmbH");

  # Timestamps of the check itself, not of the advisory.
  script_tag(name:"last_modification", value:"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $");
  script_tag(name:"creation_date", value:"2017-08-04 12:46:57 +0530 (Fri, 04 Aug 2017)");

  # CVEs covered by the advisory, and the advisory references.
  script_cve_id("CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839", "CVE-2017-2835", "CVE-2017-2834");
  script_xref(name:"FEDORA", value:"2017-4bc09c2364");
  script_xref(name:"URL", value:"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO2U577L6Q7PHBNVQ3ZL2VARNKYZBSYL");

  # Severity: one CVSS v2 base score and vector for the whole advisory.
  script_tag(name:"cvss_base", value:"6.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:P");

  # Detection quality "package": the finding comes from comparing installed
  # package versions, so it is only as good as the package list collected
  # from the host, and it does not exercise the vulnerable code.
  script_tag(name:"qod_type", value:"package");

  # Report texts. The summary value contains a literal line break; its second
  # line stays unindented so the string itself is unchanged.
  script_tag(name:"summary", value:"The remote host is missing an update for the 'remmina'
package(s) announced via the referenced advisory.");
  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
  script_tag(name:"affected", value:"remmina on Fedora 26");
  script_tag(name:"solution", value:"Please install the updated package(s).");
  script_tag(name:"solution_type", value:"VendorFix");

  # Preconditions: the package-list gatherer runs first, and the check is
  # limited to hosts whose knowledge base holds the Fedora SSH login keys,
  # an RPM list and a release matching FC26.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC26");

  exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
# Host check: compare the installed remmina RPM with the build named in the
# advisory. Nothing here contacts the remmina service or tests the flaw
# itself; the result rests on package data (presumably gathered over the
# authenticated SSH login the mandatory keys require -- confirm in the
# included library).
release = rpm_get_ssh_release();
if(!release) {
  # No release information for this host: leave without a result.
  exit(0);
}

res = "";

if(release == "FC26") {
  # The rpm argument names the fixed build as name~version~release.
  # NOTE(review): isrpmvuln comes from pkg-lib-rpm.inc; it presumably returns
  # report text when the installed package is older than that build.
  res = isrpmvuln(pkg:"remmina", rpm:"remmina~1.2.0~0.39.20170724git0387ee0.fc26", rls:"FC26");
  if(res != NULL) {
    security_message(data:res);
    exit(0);
  }

  # __pkg_match is not set in this script (presumably by the included
  # library when the package is installed). Exit code 99 is the one OpenVAS
  # checks use for "present but not vulnerable"; plain 0 gives no verdict.
  if(__pkg_match) {
    exit(99);
  }
  exit(0);
}
{"id": "OPENVAS:1361412562310873198", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Update for remmina FEDORA-2017-4bc09c2364", "description": "The remote host is missing an update for the ", "published": "2017-08-04T00:00:00", "modified": "2019-03-15T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873198", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["2017-4bc09c2364", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO2U577L6Q7PHBNVQ3ZL2VARNKYZBSYL"], "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838"], "lastseen": "2019-05-29T18:34:07", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562311220192580", "OPENVAS:1361412562311220192455", "OPENVAS:1361412562310843272", "OPENVAS:1361412562310851604", "OPENVAS:1361412562310703923", "OPENVAS:1361412562310873228", "OPENVAS:1361412562310873225", "OPENVAS:1361412562310891095", "OPENVAS:1361412562310873201", "OPENVAS:703923"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1095-1:40D3E", "DEBIAN:DSA-3923-1:84A9F"]}, {"type": "talosblog", "idList": ["TALOSBLOG:746AACB1133922672990FF432D5A9992"]}, {"type": "suse", "idList": ["SUSE-SU-2017:2234-1", "OPENSUSE-SU-2017:2332-1"]}, {"type": "fedora", "idList": ["FEDORA:0C58360C37F3", "FEDORA:2DACF605F91C", "FEDORA:360EB601CEE3", "FEDORA:664F6601DD9B"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-3923.NASL", "OPENSUSE-2017-992.NASL", "FEDORA_2017-4BC09C2364.NASL", "UBUNTU_USN-3380-1.NASL", "SUSE_SU-2017-2234-1.NASL", "EULEROS_SA-2019-2455.NASL", "DEBIAN_DLA-1095.NASL", "EULEROS_SA-2019-2580.NASL", "FEDORA_2017-ED31E1F941.NASL"]}, {"type": "cve", "idList": ["CVE-2017-2839", "CVE-2017-2836", "CVE-2017-2834", "CVE-2017-2838", "CVE-2017-2835", "CVE-2017-2837"]}, {"type": "ubuntu", 
"idList": ["USN-3380-1"]}, {"type": "seebug", "idList": ["SSV:96456", "SSV:96458", "SSV:96460", "SSV:96457", "SSV:96461", "SSV:96459"]}, {"type": "talos", "idList": ["TALOS-2017-0341", "TALOS-2017-0339", "TALOS-2017-0340", "TALOS-2017-0337", "TALOS-2017-0338", "TALOS-2017-0336"]}], "modified": "2019-05-29T18:34:07", "rev": 2}, "score": {"value": 6.2, "vector": "NONE", "modified": "2019-05-29T18:34:07", "rev": 2}, "vulnersScore": 6.2}, "pluginID": "1361412562310873198", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_4bc09c2364_remmina_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for remmina FEDORA-2017-4bc09c2364\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873198\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-04 12:46:57 +0530 (Fri, 04 Aug 2017)\");\n script_cve_id(\"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", \"CVE-2017-2839\",\n \"CVE-2017-2835\", \"CVE-2017-2834\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for remmina FEDORA-2017-4bc09c2364\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'remmina'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"remmina on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-4bc09c2364\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YO2U577L6Q7PHBNVQ3ZL2VARNKYZBSYL\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", 
\"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"remmina\", rpm:\"remmina~1.2.0~0.39.20170724git0387ee0.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Fedora Local Security Checks"}
{"openvas": [{"lastseen": "2019-05-29T18:34:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-08-04T00:00:00", "id": "OPENVAS:1361412562310873201", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873201", "type": "openvas", "title": "Fedora Update for freerdp FEDORA-2017-4bc09c2364", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_4bc09c2364_freerdp_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for freerdp FEDORA-2017-4bc09c2364\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873201\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-04 12:46:39 +0530 (Fri, 04 Aug 2017)\");\n script_cve_id(\"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", \"CVE-2017-2839\",\n \"CVE-2017-2835\", \"CVE-2017-2834\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for freerdp FEDORA-2017-4bc09c2364\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'freerdp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"freerdp on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-4bc09c2364\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JNO6AUPEMWZQNGI7PEVPRUZD3OFNCQ4R\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", 
\"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"freerdp\", rpm:\"freerdp~2.0.0~31.20170724gitf8c9f43.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-08-08T00:00:00", "id": "OPENVAS:1361412562310873228", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873228", "type": "openvas", "title": "Fedora Update for remmina FEDORA-2017-ed31e1f941", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_ed31e1f941_remmina_fc25.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for remmina FEDORA-2017-ed31e1f941\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873228\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-08 07:37:08 +0200 (Tue, 08 Aug 2017)\");\n script_cve_id(\"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", \"CVE-2017-2839\",\n \"CVE-2017-2835\", \"CVE-2017-2834\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for remmina FEDORA-2017-ed31e1f941\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'remmina'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"remmina on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-ed31e1f941\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GFS76PWXKNQOPXHRXM2C5Y7GBFFYUMO4\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", 
\"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"remmina\", rpm:\"remmina~1.2.0~0.39.20170724git0387ee0.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T18:27:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2017-09-03T00:00:00", "id": "OPENVAS:1361412562310851604", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851604", "type": "openvas", "title": "openSUSE: Security Advisory for freerdp (openSUSE-SU-2017:2332-1)", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851604\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-09-03 07:18:44 +0200 (Sun, 03 Sep 2017)\");\n script_cve_id(\"CVE-2017-2834\", \"CVE-2017-2835\", \"CVE-2017-2836\", \"CVE-2017-2837\",\n \"CVE-2017-2838\", \"CVE-2017-2839\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for freerdp (openSUSE-SU-2017:2332-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'freerdp'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for freerdp fixes the following issues:\n\n - CVE-2017-2834: Out-of-bounds write in license_recv() (bsc#1050714)\n\n - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu (bsc#1050712)\n\n - CVE-2017-2836: Rdp Client Read Server Proprietary Certificate Denial of\n Service (bsc#1050699)\n\n - CVE-2017-2837: Client GCC Read Server Security Data DoS (bsc#1050704)\n\n - CVE-2017-2838: Client License Read Product Info Denial of Service\n Vulnerability (bsc#1050708)\n\n - CVE-2017-2839: Client License Read Challenge Packet Denial of Service\n (bsc#1050711)\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\");\n\n script_tag(name:\"affected\", value:\"freerdp on 
openSUSE Leap 42.3, openSUSE Leap 42.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:2332-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(openSUSELeap42\\.2|openSUSELeap42\\.3)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"freerdp\", rpm:\"freerdp~2.0.0~git.1463131968.4e66df7~3.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"freerdp-debuginfo\", rpm:\"freerdp-debuginfo~2.0.0~git.1463131968.4e66df7~3.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"freerdp-debugsource\", rpm:\"freerdp-debugsource~2.0.0~git.1463131968.4e66df7~3.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"freerdp-devel\", rpm:\"freerdp-devel~2.0.0~git.1463131968.4e66df7~3.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libfreerdp2\", rpm:\"libfreerdp2~2.0.0~git.1463131968.4e66df7~3.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libfreerdp2-debuginfo\", rpm:\"libfreerdp2-debuginfo~2.0.0~git.1463131968.4e66df7~3.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"freerdp\", 
rpm:\"freerdp~2.0.0~git.1463131968.4e66df7~6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"freerdp-debuginfo\", rpm:\"freerdp-debuginfo~2.0.0~git.1463131968.4e66df7~6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"freerdp-debugsource\", rpm:\"freerdp-debugsource~2.0.0~git.1463131968.4e66df7~6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"freerdp-devel\", rpm:\"freerdp-devel~2.0.0~git.1463131968.4e66df7~6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libfreerdp2\", rpm:\"libfreerdp2~2.0.0~git.1463131968.4e66df7~6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libfreerdp2-debuginfo\", rpm:\"libfreerdp2-debuginfo~2.0.0~git.1463131968.4e66df7~6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-08-08T00:00:00", "id": "OPENVAS:1361412562310873225", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873225", "type": "openvas", "title": "Fedora Update for freerdp FEDORA-2017-ed31e1f941", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_ed31e1f941_freerdp_fc25.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for freerdp FEDORA-2017-ed31e1f941\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone 
Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873225\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-08 07:36:21 +0200 (Tue, 08 Aug 2017)\");\n script_cve_id(\"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", \"CVE-2017-2839\",\n \"CVE-2017-2835\", \"CVE-2017-2834\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for freerdp FEDORA-2017-ed31e1f941\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'freerdp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"freerdp on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-ed31e1f941\");\n script_xref(name:\"URL\", 
value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUJDOXW3GPYZOIAITVUF5GBUYCFQMLNP\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"freerdp\", rpm:\"freerdp~2.0.0~31.20170724gitf8c9f43.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838"], "description": "Tyler Bohan of Talos discovered that FreeRDP, a free implementation of\nthe Remote Desktop Protocol (RDP), contained several vulnerabilities\nthat allowed a malicious remote server or a man-in-the-middle to\neither cause a DoS by forcibly terminating the client, or execute\narbitrary code on the client side.", "modified": "2019-03-18T00:00:00", "published": "2017-08-01T00:00:00", "id": "OPENVAS:1361412562310703923", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703923", "type": "openvas", "title": "Debian Security Advisory DSA 3923-1 (freerdp - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3923.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Auto-generated from advisory DSA 3923-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# 
Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703923\");\n script_version(\"$Revision: 14275 $\");\n script_cve_id(\"CVE-2017-2834\", \"CVE-2017-2835\", \"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", \"CVE-2017-2839\");\n script_name(\"Debian Security Advisory DSA 3923-1 (freerdp - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-01 00:00:00 +0200 (Tue, 01 Aug 2017)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3923.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(9|8)\");\n script_tag(name:\"affected\", value:\"freerdp on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), these problems have been fixed\nin version 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.1.0~git20140921.1.440916e+dfsg1-14.\n\nWe recommend that you upgrade your freerdp packages.\");\n script_tag(name:\"summary\", value:\"Tyler Bohan of Talos discovered that FreeRDP, a free implementation of\nthe Remote Desktop Protocol (RDP), contained several vulnerabilities\nthat allowed a malicious remote server or a man-in-the-middle to\neither cause a DoS by forcibly terminating the client, or execute\narbitrary code on the client side.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"freerdp-x11\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"freerdp-x11-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-cache1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-client1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-codec1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"libfreerdp-common1.1.0\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-core1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-crypto1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-dev\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-gdi1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-locale1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-plugins-standard\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-plugins-standard-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-primitives1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-rail1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-utils1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-asn1-0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"libwinpr-bcrypt0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-credentials0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-credui0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-crt0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-crypto0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-dev\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-dsparse0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-environment0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-error0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-file0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-handle0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-heap0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-input0.1\", 
ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-interlocked0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-io0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-library0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-path0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-pipe0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-pool0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-registry0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-rpc0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-sspi0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-sspicli0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-synch0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-sysinfo0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-thread0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) 
!= NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-timezone0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-utils0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-winhttp0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-winsock0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libxfreerdp-client-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libxfreerdp-client1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"freerdp-x11\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"freerdp-x11-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-cache1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-client1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-codec1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-common1.1.0\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-core1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"libfreerdp-crypto1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-dev\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-gdi1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-locale1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-plugins-standard\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-plugins-standard-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-primitives1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-rail1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libfreerdp-utils1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-asn1-0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-bcrypt0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-credentials0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-credui0.1\", 
ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-crt0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-crypto0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-dev\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-dsparse0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-environment0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-error0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-file0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-handle0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-heap0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-input0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-interlocked0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-io0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += 
res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-library0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-path0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-pipe0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-pool0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-registry0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-rpc0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-sspi0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-sspicli0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-synch0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-sysinfo0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-thread0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-timezone0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-utils0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-winhttp0.1\", 
ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libwinpr-winsock0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libxfreerdp-client-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libxfreerdp-client1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-08-17T11:28:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838"], "description": "Tyler Bohan of Talos discovered that FreeRDP, a free implementation of\nthe Remote Desktop Protocol (RDP), contained several vulnerabilities\nthat allowed a malicious remote server or a man-in-the-middle to\neither cause a DoS by forcibly terminating the client, or execute\narbitrary code on the client side.", "modified": "2017-08-02T00:00:00", "published": "2017-08-01T00:00:00", "id": "OPENVAS:703923", "href": "http://plugins.openvas.org/nasl.php?oid=703923", "type": "openvas", "title": "Debian Security Advisory DSA 3923-1 (freerdp - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3923.nasl 6835 2017-08-02 12:55:28Z cfischer $\n# Auto-generated from advisory DSA 3923-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of 
the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703923);\n script_version(\"$Revision: 6835 $\");\n script_cve_id(\"CVE-2017-2834\", \"CVE-2017-2835\", \"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", \"CVE-2017-2839\");\n script_name(\"Debian Security Advisory DSA 3923-1 (freerdp - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-08-02 14:55:28 +0200 (Wed, 02 Aug 2017) $\");\n script_tag(name: \"creation_date\", value: \"2017-08-01 00:00:00 +0200 (Tue, 01 Aug 2017)\");\n script_tag(name: \"cvss_base\", value: \"10.0\");\n script_tag(name: \"cvss_base_vector\", value: \"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2017/dsa-3923.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"freerdp on Debian Linux\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (jessie), these problems have been fixed\nin version 
1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.1.0~git20140921.1.440916e+dfsg1-14.\n\nWe recommend that you upgrade your freerdp packages.\");\n script_tag(name: \"summary\", value: \"Tyler Bohan of Talos discovered that FreeRDP, a free implementation of\nthe Remote Desktop Protocol (RDP), contained several vulnerabilities\nthat allowed a malicious remote server or a man-in-the-middle to\neither cause a DoS by forcibly terminating the client, or execute\narbitrary code on the client side.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"freerdp-x11\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"freerdp-x11-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-cache1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-client1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-codec1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-common1.1.0\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", 
remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-core1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-crypto1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-dev\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-gdi1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-locale1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-plugins-standard\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-plugins-standard-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-primitives1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-rail1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-utils1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", 
rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-asn1-0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-bcrypt0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-credentials0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-credui0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-crt0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-crypto0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-dev\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-dsparse0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-environment0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-error0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", 
rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-file0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-handle0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-heap0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-input0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-interlocked0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-io0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-library0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-path0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-pipe0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-pool0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-registry0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", 
rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-rpc0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-sspi0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-sspicli0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-synch0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-sysinfo0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-thread0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-timezone0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-utils0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-winhttp0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-winsock0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxfreerdp-client-dbg\", 
ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxfreerdp-client1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"freerdp-x11\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"freerdp-x11-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-cache1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-client1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-codec1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-common1.1.0\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-core1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-crypto1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-dev\", 
ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-gdi1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-locale1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-plugins-standard\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-plugins-standard-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-primitives1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-rail1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libfreerdp-utils1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-asn1-0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-bcrypt0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-credentials0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"libwinpr-credui0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-crt0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-crypto0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-dev\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-dsparse0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-environment0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-error0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-file0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-handle0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-heap0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"libwinpr-input0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-interlocked0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-io0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-library0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-path0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-pipe0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-pool0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-registry0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-rpc0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-sspi0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-sspicli0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"libwinpr-synch0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-sysinfo0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-thread0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-timezone0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-utils0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-winhttp0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwinpr-winsock0.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxfreerdp-client-dbg\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxfreerdp-client1.1\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-01-29T20:07:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2835", "CVE-2017-2838"], "description": "Tyler Bohan of Talos 
discovered that FreeRDP, a free implementation of\nthe Remote Desktop Protocol (RDP), contained several vulnerabilities\nthat allowed a malicious remote server or a man-in-the-middle to\neither cause a DoS by forcibly terminating the client, or execute\narbitrary code on the client side.", "modified": "2020-01-29T00:00:00", "published": "2018-02-07T00:00:00", "id": "OPENVAS:1361412562310891095", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891095", "type": "openvas", "title": "Debian LTS: Security Advisory for freerdp (DLA-1095-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891095\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-2835\", \"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", \"CVE-2017-2839\");\n script_name(\"Debian LTS: Security Advisory for freerdp (DLA-1095-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-02-07 00:00:00 +0100 (Wed, 07 Feb 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/09/msg00012.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"freerdp on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n1.0.1-1.1+deb7u4.\n\nWe recommend that you upgrade your freerdp packages.\");\n\n script_tag(name:\"summary\", value:\"Tyler Bohan of Talos discovered that FreeRDP, a free implementation of\nthe Remote Desktop Protocol (RDP), contained several vulnerabilities\nthat allowed a malicious remote server or a man-in-the-middle to\neither cause a DoS by forcibly 
terminating the client, or execute\narbitrary code on the client side.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"freerdp-dbg\", ver:\"1.0.1-1.1+deb7u4\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"freerdp-x11\", ver:\"1.0.1-1.1+deb7u4\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libfreerdp-dev\", ver:\"1.0.1-1.1+deb7u4\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libfreerdp-plugins-standard\", ver:\"1.0.1-1.1+deb7u4\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libfreerdp1\", ver:\"1.0.1-1.1+deb7u4\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2014-0791", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838", "CVE-2014-0250"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-08-08T00:00:00", "id": "OPENVAS:1361412562310843272", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843272", "type": "openvas", "title": "Ubuntu Update for freerdp USN-3380-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3380_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for freerdp USN-3380-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free 
software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843272\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-08 07:19:43 +0200 (Tue, 08 Aug 2017)\");\n script_cve_id(\"CVE-2014-0250\", \"CVE-2014-0791\", \"CVE-2017-2834\", \"CVE-2017-2835\",\n \"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", \"CVE-2017-2839\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for freerdp USN-3380-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'freerdp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that FreeRDP incorrectly\n handled certain width and height values. A malicious server could use this issue\n to cause FreeRDP to crash, resulting in a denial of service, or possibly execute\n arbitrary code. 
This issue only applied to Ubuntu 14.04 LTS. (CVE-2014-0250) It\n was discovered that FreeRDP incorrectly handled certain values in a Scope List.\n A malicious server could use this issue to cause FreeRDP to crash, resulting in\n a denial of service, or possibly execute arbitrary code. (CVE-2014-0791) Tyler\n Bohan discovered that FreeRDP incorrectly handled certain length values. A\n malicious server could use this issue to cause FreeRDP to crash, resulting in a\n denial of service, or possibly execute arbitrary code. (CVE-2017-2834,\n CVE-2017-2835) Tyler Bohan discovered that FreeRDP incorrectly handled certain\n packets. A malicious server could possibly use this issue to cause FreeRDP to\n crash, resulting in a denial of service. (CVE-2017-2836, CVE-2017-2837,\n CVE-2017-2838, CVE-2017-2839)\");\n script_tag(name:\"affected\", value:\"freerdp on Ubuntu 17.04,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3380-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3380-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.04|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libfreerdp1:i386\", ver:\"1.0.2-2ubuntu1.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libfreerdp1:amd64\", ver:\"1.0.2-2ubuntu1.1\", rls:\"UBUNTU14.04 
LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libfreerdp-client1.1:i386\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-10ubuntu1.1\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libfreerdp-client1.1:amd64\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-10ubuntu1.1\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libfreerdp-client1.1:i386\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-5ubuntu1.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libfreerdp-client1.1:amd64\", ver:\"1.1.0~git20140921.1.440916e+dfsg1-5ubuntu1.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:36:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2014-0791", "CVE-2017-2837", "CVE-2017-2835", "CVE-2017-2838", "CVE-2018-1000852", "CVE-2014-0250"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192580", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192580", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for freerdp (EulerOS-SA-2019-2580)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you 
can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2580\");\n script_version(\"2020-01-23T13:07:16+0000\");\n script_cve_id(\"CVE-2014-0250\", \"CVE-2014-0791\", \"CVE-2017-2835\", \"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", \"CVE-2017-2839\", \"CVE-2018-1000852\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 13:07:16 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 13:07:16 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for freerdp (EulerOS-SA-2019-2580)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2580\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2580\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update 
for the Huawei EulerOS\n 'freerdp' package(s) announced via the EulerOS-SA-2019-2580 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An exploitable code execution vulnerability exists in the RDP receive functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle to trigger this vulnerability.(CVE-2017-2835)\n\nAn exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2838)\n\nAn exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2839)\n\nAn exploitable denial of service vulnerability exists within the handling of security data in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2837)\n\nAn exploitable denial of service vulnerability exists within the reading of proprietary server certificates in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. 
An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2836)\n\nFreeRDP FreeRDP 2.0.0-rc3 released version before commit 205c612820dac644d665b5bb1cdf437dc5ca01e3 contains a Other/Unknown vulnerability in channels/drdynvc/client/drdynvc_main.c, drdynvc_process_capability_request that can result in The RDP server can read the client's memory.. This attack appear to be exploitable via RDPClient must connect the rdp server with echo option. This vulnerability appears to have been fixed in after commit 205c612820dac644d665b5bb1cdf437dc5ca01e3.(CVE-2018-1000852)\n\nInteger overflow in the license_read_scope_list function in libfreerdp/core/license.c in FreeRDP through 1.0.2 allows remote RDP servers to cause a denial of service (application crash) or possibly have unspecified other impact via a large ScopeCount value in a Scope List in a Server License Request packet.(CVE-2014-0791)\n\nMultiple integer overflows in client/X11/xf_graphics.c i ...\n\n Description truncated. 
Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'freerdp' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"freerdp\", rpm:\"freerdp~1.0.2~6.1.h4\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"freerdp-libs\", rpm:\"freerdp-libs~1.0.2~6.1.h4\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"freerdp-plugins\", rpm:\"freerdp-plugins~1.0.2~6.1.h4\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:38:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4118", "CVE-2017-2836", "CVE-2017-2839", "CVE-2014-0791", "CVE-2017-2837", "CVE-2017-2835", "CVE-2017-2838", "CVE-2018-1000852", "CVE-2013-4119", "CVE-2014-0250"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192455", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192455", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for freerdp (EulerOS-SA-2019-2455)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: 
GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2455\");\n script_version(\"2020-01-23T12:59:10+0000\");\n script_cve_id(\"CVE-2013-4118\", \"CVE-2013-4119\", \"CVE-2014-0250\", \"CVE-2014-0791\", \"CVE-2017-2835\", \"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", \"CVE-2017-2839\", \"CVE-2018-1000852\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:59:10 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:59:10 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for freerdp (EulerOS-SA-2019-2455)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2455\");\n script_xref(name:\"URL\", 
value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2455\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'freerdp' package(s) announced via the EulerOS-SA-2019-2455 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"FreeRDP before 1.1.0-beta+2013071101 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by disconnecting before authentication has finished.(CVE-2013-4119)\n\nFreeRDP FreeRDP 2.0.0-rc3 released version before commit 205c612820dac644d665b5bb1cdf437dc5ca01e3 contains a Other/Unknown vulnerability in channels/drdynvc/client/drdynvc_main.c, drdynvc_process_capability_request that can result in The RDP server can read the client's memory.. This attack appear to be exploitable via RDPClient must connect the rdp server with echo option. 
This vulnerability appears to have been fixed in after commit 205c612820dac644d665b5bb1cdf437dc5ca01e3.(CVE-2018-1000852)\n\nFreeRDP before 1.1.0-beta1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors.(CVE-2013-4118)\n\nMultiple integer overflows in client/X11/xf_graphics.c in FreeRDP allow remote attackers to have an unspecified impact via the width and height to the (1) xf_Pointer_New or (2) xf_Bitmap_Decompress function, which causes an incorrect amount of memory to be allocated.(CVE-2014-0250)\n\nInteger overflow in the license_read_scope_list function in libfreerdp/core/license.c in FreeRDP through 1.0.2 allows remote RDP servers to cause a denial of service (application crash) or possibly have unspecified other impact via a large ScopeCount value in a Scope List in a Server License Request packet.(CVE-2014-0791)\n\nAn exploitable code execution vulnerability exists in the RDP receive functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle to trigger this vulnerability.(CVE-2017-2835)\n\nAn exploitable denial of service vulnerability exists within the reading of proprietary server certificates in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2836)\n\nAn exploitable denial of service vulnerability exists within the handling of security data in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. 
An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2837)\n\nAn exploitable denial of service vulnerability exists within the handling of challenge packets in ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'freerdp' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"freerdp\", rpm:\"freerdp~1.0.2~6.1.h4\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"freerdp-libs\", rpm:\"freerdp-libs~1.0.2~6.1.h4\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"freerdp-plugins\", rpm:\"freerdp-plugins~1.0.2~6.1.h4\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-08-12T01:02:13", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3923-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nAugust 01, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : freerdp\nCVE ID : CVE-2017-2834 CVE-2017-2835 CVE-2017-2836 
CVE-2017-2837 \n CVE-2017-2838 CVE-2017-2839\nDebian Bug : 869880\n\nTyler Bohan of Talos discovered that FreeRDP, a free implementation of\nthe Remote Desktop Protocol (RDP), contained several vulnerabilities\nthat allowed a malicious remote server or a man-in-the-middle to\neither cause a DoS by forcibly terminating the client, or execute\narbitrary code on the client side.\n\nFor the oldstable distribution (jessie), these problems have been fixed\nin version 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.1.0~git20140921.1.440916e+dfsg1-14.\n\nWe recommend that you upgrade your freerdp packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 10, "modified": "2017-08-01T07:10:51", "published": "2017-08-01T07:10:51", "id": "DEBIAN:DSA-3923-1:84A9F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00185.html", "title": "[SECURITY] [DSA 3923-1] freerdp security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:21:58", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2835", "CVE-2017-2838"], "description": "Package : freerdp\nVersion : 1.0.1-1.1+deb7u4\nCVE ID : CVE-2017-2835 CVE-2017-2836 CVE-2017-2837 CVE-2017-2838\n CVE-2017-2839\nDebian Bug : 869880\n\nTyler Bohan of Talos discovered that FreeRDP, a free implementation of\nthe Remote Desktop Protocol (RDP), contained several vulnerabilities\nthat allowed a malicious remote server or a man-in-the-middle to\neither cause a DoS by forcibly 
terminating the client, or execute\narbitrary code on the client side.\n\nFor Debian 7 \"Wheezy\", these problems have been fixed in version\n1.0.1-1.1+deb7u4.\n\nWe recommend that you upgrade your freerdp packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2017-09-11T05:29:30", "published": "2017-09-11T05:29:30", "id": "DEBIAN:DLA-1095-1:40D3E", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201709/msg00012.html", "title": "[SECURITY] [DLA 1095-1] freerdp security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2017-07-29T13:22:40", "bulletinFamily": "blog", "cvelist": ["CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839"], "description": "<div>Vulnerabilities discovered by Tyler Bohan of Talos</div><br /><h2>Overview</h2><br /><div>Talos has discovered multiple vulnerabilities in the FreeRDP product. FreeRDP is a free implementation of the Remote Desktop Protocol (RDP) originally developed by Microsoft. RDP allows users to connect remotely to systems so they can be operated from afar. The open source nature of the FreeRDP library means that it is integrated into many commercial remote desktop protocol applications.</div><br /> <div>We identified a number of vulnerabilities falling into 2 classes:</div><ul><li>2 Code Executions; <li>4 Denials Of Service.</ul> <div>The first category allows code execution on the client side through a specially crafted response from a RDP server. The second category can cause the termination of the FreeRDP client. The vulnerabilities result from weaknesses in the handling of network packets sent from the RDP server. 
Indeed, the size of the data to be parsed is sent by the server and is not checked on the client side. An attacker can compromise the server or use a man in the middle attack to trigger these vulnerabilities.</div><br /><a name='more'></a><h2>Details</h2><h2>Code Execution</h2> <h3>TALOS-2017-0336 (CVE-2017-2834) - FreeRDP Rdp Client License Recv Code Execution Vulnerability</h3><br /><div>The vulnerability is located in the license server handling. The license message sent by the server contains a length field, which is not correctly verified by FreeRDP. For internal purposes, the library decreases this value by 4; if the server sends a value lower than 3, this results in a negative value and the writing of packet contents outside of the allocated buffer in memory. This vulnerability can allow the execution of arbitrary code on the FreeRDP client side. </div><br /> <div>More details can be found in the vulnerability report: <a href=\"https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0336\">TALOS-2017-0336</a></div> <h3>TALOS-2017-0337 (CVE-2017-2835) - FreeRDP RDP Client Recv RDP Code Execution Vulnerability</h3><br /><div>The vulnerability is located in the RDP received function of FreeRDP. Similar to the previous vulnerability, the RDP message sent from the server contains a length field, but this field is not verified by the FreeRDP client code. This length can become negative and allows the attacker to execute code on the client side.</div><br /><div>More details can be found in the vulnerability report: <a href=\"https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0337\">TALOS-2017-0337</a></div><br /><h2>Denial Of Service</h2><h3>TALOS-2017-0338 (CVE-2017-2836) - FreeRDP RDP Client Read Server Proprietary Certificate Denial of Service Vulnerability</h3><br /><div>The vulnerability is located in the parsing of proprietary certificates. In this function, the public key is parsed by the FreeRDP library. 
However, if the size of the key specified in the server message packet is less than 8, the FreeRDP library crashes. </div><br /><div>More details can be found in the vulnerability report: <a href=\"https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0338\">TALOS-2017-0338</a></div> <h3>TALOS-2017-0339 (CVE-2017-2837) - FreeRDP RDP Client GCC Read Server Security Data Denial of Service Vulnerability</h3><br /><div>This vulnerability is located in the function that handles security data. The function reads a length value from the server packet. A malicious actor can send a specially crafted packet with a modified length value causing the client to crash and causing a denial of service condition.</div><br /><div>More details can be found in the vulnerability report: <a href=\"https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0339\">TALOS-2017-0339</a></div> <h3>TALOS-2017-0340 (CVE-2017-2838) - FreeRDP RDP Client License Read Product Info Denial of Service Vulnerability</h3><br /><div>The vulnerability is located in the license read product info handling. A maliciously crafted packet may cause the application to crash. The vulnerable code reads in an unsigned integer from the server message, which is then incremented by four as part of a length check. However, the size of the unsigned integer is never validated and thus the addition of four could cause an overflow and result in the client crashing.</div><br /><div>More details can be found in the vulnerability report: <a href=\"https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0340\">TALOS-2017-0340</a></div> <h3>TALOS-2017-0341 (CVE-2017-2839) - FreeRDP RDP Client License Read Challenge Packet Denial of Service Vulnerability</h3><br /><div>The vulnerability is located in the license read challenge packet handling. A maliciously crafted packet may cause the application to crash. 
The vulnerability is the same as the one in TALOS-2017-0340, mentioned previously.</div><br /><div>More details can be found in the vulnerability report: <a href=\"https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0341\">TALOS-2017-0341</a></div><br /><div>Tested Versions:</div><div>FreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux</div> <br /><h2>Coverage</h2><br /><div>The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.</div><br /><div>Snort Rules: 42941,42973,42998,42974-42975</div><div class=\"feedflare\">\n<a href=\"http://feeds.feedburner.com/~ff/feedburner/Talos?a=0t-3M7kul2Y:iQnwYmTHMmE:yIl2AUoC8zA\"><img src=\"http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA\" border=\"0\"></img></a>\n</div><img src=\"http://feeds.feedburner.com/~r/feedburner/Talos/~4/0t-3M7kul2Y\" height=\"1\" width=\"1\" alt=\"\"/>", "modified": "2017-07-24T15:26:02", "published": "2017-07-24T08:12:00", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/0t-3M7kul2Y/vulnerbility-spotlight-freerdp-multiple.html", "id": "TALOSBLOG:746AACB1133922672990FF432D5A9992", "title": "Vulnerability Spotlight: FreeRDP Multiple Vulnerabilities", "type": "talosblog", "cvss": {"score": 0.0, "vector": "NONE"}}], "suse": [{"lastseen": "2017-09-02T20:29:45", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838"], "description": "This update for freerdp fixes the following issues:\n\n - CVE-2017-2834: Out-of-bounds write in license_recv() (bsc#1050714)\n - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu (bsc#1050712)\n - CVE-2017-2836: Rdp Client Read Server Proprietary Certificate Denial of\n Service (bsc#1050699)\n - 
CVE-2017-2837: Client GCC Read Server Security Data DoS (bsc#1050704)\n - CVE-2017-2838: Client License Read Product Info Denial of Service\n Vulnerability (bsc#1050708)\n - CVE-2017-2839: Client License Read Challenge Packet Denial of Service\n (bsc#1050711)\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n", "edition": 1, "modified": "2017-09-02T18:08:00", "published": "2017-09-02T18:08:00", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00006.html", "id": "OPENSUSE-SU-2017:2332-1", "title": "Security update for freerdp (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-08-22T23:07:25", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838"], "description": "This update for freerdp fixes the following issues:\n\n - CVE-2017-2834: Out-of-bounds write in license_recv() (bsc#1050714)\n\n - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu (bsc#1050712)\n\n - CVE-2017-2836: Rdp Client Read Server Proprietary Certificate Denial\n of Service (bsc#1050699)\n\n - CVE-2017-2837: Client GCC Read Server Security Data DoS (bsc#1050704)\n\n - CVE-2017-2838: Client License Read Product Info Denial of Service\n Vulnerability (bsc#1050708)\n\n - CVE-2017-2839: Client License Read Challenge Packet Denial of Service\n (bsc#1050711)\n\n", "edition": 1, "modified": "2017-08-22T21:07:11", "published": "2017-08-22T21:07:11", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-08/msg00060.html", "id": "SUSE-SU-2017:2234-1", "title": "Security update for freerdp (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839"], "description": "Remmina is a remote desktop client written in GTK+, 
aiming to be useful for system administrators and travelers, who need to work with lots of remote computers in front of either large monitors or tiny net-books. Remmina supports multiple network protocols in an integrated and consistent user interface. Currently RDP, VNC, XDMCP and SSH are supported. Please don't forget to install the plugins for the protocols you want to use. ", "modified": "2017-07-31T16:24:38", "published": "2017-07-31T16:24:38", "id": "FEDORA:2DACF605F91C", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update:\n remmina-1.2.0-0.39.20170724git0387ee0.fc26", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839"], "description": "The xfreerdp Remote Desktop Protocol (RDP) client from the FreeRDP project. xfreerdp can connect to RDP servers such as Microsoft Windows machines, xrdp and VirtualBox. ", "modified": "2017-07-31T16:24:38", "published": "2017-07-31T16:24:38", "id": "FEDORA:0C58360C37F3", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: freerdp-2.0.0-31.20170724gitf8c9f43.fc26", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839"], "description": "The xfreerdp Remote Desktop Protocol (RDP) client from the FreeRDP project. xfreerdp can connect to RDP servers such as Microsoft Windows machines, xrdp and VirtualBox. 
", "modified": "2017-08-07T21:22:44", "published": "2017-08-07T21:22:44", "id": "FEDORA:360EB601CEE3", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: freerdp-2.0.0-31.20170724gitf8c9f43.fc25", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839"], "description": "Remmina is a remote desktop client written in GTK+, aiming to be useful for system administrators and travelers, who need to work with lots of remote computers in front of either large monitors or tiny net-books. Remmina supports multiple network protocols in an integrated and consistent user interface. Currently RDP, VNC, XDMCP and SSH are supported. Please don't forget to install the plugins for the protocols you want to use. ", "modified": "2017-08-07T21:22:44", "published": "2017-08-07T21:22:44", "id": "FEDORA:664F6601DD9B", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update:\n remmina-1.2.0-0.39.20170724git0387ee0.fc25", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-06T09:50:27", "description": "Tyler Bohan of Talos discovered that FreeRDP, a free implementation of\nthe Remote Desktop Protocol (RDP), contained several vulnerabilities\nthat allowed a malicious remote server or a man-in-the-middle to\neither cause a DoS by forcibly terminating the client, or execute\narbitrary code on the client side.", "edition": 30, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-02T00:00:00", "title": "Debian DSA-3923-1 : freerdp - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838"], "modified": "2017-08-02T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", 
"p-cpe:/a:debian:debian_linux:freerdp", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-3923.NASL", "href": "https://www.tenable.com/plugins/nessus/102097", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3923. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102097);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-2834\", \"CVE-2017-2835\", \"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", \"CVE-2017-2839\");\n script_xref(name:\"DSA\", value:\"3923\");\n\n script_name(english:\"Debian DSA-3923-1 : freerdp - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tyler Bohan of Talos discovered that FreeRDP, a free implementation of\nthe Remote Desktop Protocol (RDP), contained several vulnerabilities\nthat allowed a malicious remote server or a man-in-the-middle to\neither cause a DoS by forcibly terminating the client, or execute\narbitrary code on the client side.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869880\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/freerdp\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/freerdp\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3923\"\n );\n 
script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the freerdp packages.\n\nFor the oldstable distribution (jessie), these problems have been\nfixed in version 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:freerdp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"freerdp-x11\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"freerdp-x11-dbg\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libfreerdp-cache1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libfreerdp-client1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libfreerdp-codec1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libfreerdp-common1.1.0\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libfreerdp-core1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libfreerdp-crypto1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libfreerdp-dbg\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libfreerdp-dev\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libfreerdp-gdi1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) 
flag++;\nif (deb_check(release:\"8.0\", prefix:\"libfreerdp-locale1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libfreerdp-plugins-standard\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libfreerdp-plugins-standard-dbg\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libfreerdp-primitives1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libfreerdp-rail1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libfreerdp-utils1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-asn1-0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-bcrypt0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-credentials0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-credui0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-crt0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-crypto0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-dbg\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-dev\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-dsparse0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif 
(deb_check(release:\"8.0\", prefix:\"libwinpr-environment0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-error0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-file0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-handle0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-heap0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-input0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-interlocked0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-io0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-library0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-path0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-pipe0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-pool0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-registry0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-rpc0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-sspi0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", 
prefix:\"libwinpr-sspicli0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-synch0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-sysinfo0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-thread0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-timezone0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-utils0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-winhttp0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libwinpr-winsock0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libxfreerdp-client-dbg\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libxfreerdp-client1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"freerdp-x11\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"freerdp-x11-dbg\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libfreerdp-cache1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libfreerdp-client1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libfreerdp-codec1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libfreerdp-common1.1.0\", 
reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libfreerdp-core1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libfreerdp-crypto1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libfreerdp-dbg\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libfreerdp-dev\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libfreerdp-gdi1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libfreerdp-locale1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libfreerdp-plugins-standard\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libfreerdp-plugins-standard-dbg\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libfreerdp-primitives1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libfreerdp-rail1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libfreerdp-utils1.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-asn1-0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-bcrypt0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-credentials0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-credui0.1\", 
reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-crt0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-crypto0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-dbg\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-dev\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-dsparse0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-environment0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-error0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-file0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-handle0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-heap0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-input0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-interlocked0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-io0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-library0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-path0.1\", 
reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-pipe0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-pool0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-registry0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-rpc0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-sspi0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-sspicli0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-synch0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-sysinfo0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-thread0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-timezone0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-utils0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-winhttp0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libwinpr-winsock0.1\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libxfreerdp-client-dbg\", reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libxfreerdp-client1.1\", 
reference:\"1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:10:50", "description": "Update to latest snapshot that contains fixes for the latest Talos\ndiscovered CVEs.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 21, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-01T00:00:00", "title": "Fedora 26 : 2:freerdp / remmina (2017-4bc09c2364)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838"], "modified": "2017-08-01T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:2:freerdp", "p-cpe:/a:fedoraproject:fedora:remmina", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-4BC09C2364.NASL", "href": "https://www.tenable.com/plugins/nessus/102088", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-4bc09c2364.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102088);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-2834\", \"CVE-2017-2835\", \"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", \"CVE-2017-2839\");\n script_xref(name:\"FEDORA\", value:\"2017-4bc09c2364\");\n\n script_name(english:\"Fedora 26 : 2:freerdp / 
remmina (2017-4bc09c2364)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to latest snapshot that contains fixes for the latest Talos\ndiscovered CVEs.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-4bc09c2364\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 2:freerdp and / or remmina packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:2:freerdp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:remmina\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"freerdp-2.0.0-31.20170724gitf8c9f43.fc26\", epoch:\"2\")) flag++;\nif (rpm_check(release:\"FC26\", reference:\"remmina-1.2.0-0.39.20170724git0387ee0.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"2:freerdp / remmina\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:14:28", "description": "Update to latest snapshot that contains fixes for the latest Talos\ndiscovered CVEs.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to 
automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 21, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-09T00:00:00", "title": "Fedora 25 : 2:freerdp / remmina (2017-ed31e1f941)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838"], "modified": "2017-08-09T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:2:freerdp", "cpe:/o:fedoraproject:fedora:25", "p-cpe:/a:fedoraproject:fedora:remmina"], "id": "FEDORA_2017-ED31E1F941.NASL", "href": "https://www.tenable.com/plugins/nessus/102277", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-ed31e1f941.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102277);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-2834\", \"CVE-2017-2835\", \"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", \"CVE-2017-2839\");\n script_xref(name:\"FEDORA\", value:\"2017-ed31e1f941\");\n\n script_name(english:\"Fedora 25 : 2:freerdp / remmina (2017-ed31e1f941)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to latest snapshot that contains fixes for the latest Talos\ndiscovered CVEs.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without 
introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-ed31e1f941\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 2:freerdp and / or remmina packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:2:freerdp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:remmina\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"freerdp-2.0.0-31.20170724gitf8c9f43.fc25\", epoch:\"2\")) flag++;\nif (rpm_check(release:\"FC25\", reference:\"remmina-1.2.0-0.39.20170724git0387ee0.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"2:freerdp / remmina\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T14:26:12", "description": "This update for freerdp fixes the following issues :\n\n - CVE-2017-2834: Out-of-bounds write in license_recv()\n (bsc#1050714)\n\n - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu\n (bsc#1050712)\n\n - CVE-2017-2836: Rdp Client Read 
Server Proprietary\n Certificate Denial of Service (bsc#1050699)\n\n - CVE-2017-2837: Client GCC Read Server Security Data DoS\n (bsc#1050704)\n\n - CVE-2017-2838: Client License Read Product Info Denial\n of Service Vulnerability (bsc#1050708)\n\n - CVE-2017-2839: Client License Read Challenge Packet\n Denial of Service (bsc#1050711)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 30, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-23T00:00:00", "title": "SUSE SLED12 Security Update : freerdp (SUSE-SU-2017:2234-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838"], "modified": "2017-08-23T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libfreerdp2-debuginfo", "p-cpe:/a:novell:suse_linux:freerdp-debugsource", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:freerdp", "p-cpe:/a:novell:suse_linux:freerdp-debuginfo", "p-cpe:/a:novell:suse_linux:libfreerdp2"], "id": "SUSE_SU-2017-2234-1.NASL", "href": "https://www.tenable.com/plugins/nessus/102693", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2234-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102693);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-2834\", \"CVE-2017-2835\", \"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", \"CVE-2017-2839\");\n\n script_name(english:\"SUSE SLED12 Security Update 
: freerdp (SUSE-SU-2017:2234-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for freerdp fixes the following issues :\n\n - CVE-2017-2834: Out-of-bounds write in license_recv()\n (bsc#1050714)\n\n - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu\n (bsc#1050712)\n\n - CVE-2017-2836: Rdp Client Read Server Proprietary\n Certificate Denial of Service (bsc#1050699)\n\n - CVE-2017-2837: Client GCC Read Server Security Data DoS\n (bsc#1050704)\n\n - CVE-2017-2838: Client License Read Product Info Denial\n of Service Vulnerability (bsc#1050708)\n\n - CVE-2017-2839: Client License Read Challenge Packet\n Denial of Service (bsc#1050711)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1050699\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1050704\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1050708\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1050711\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1050712\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1050714\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-2834/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-2835/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-2836/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-2837/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-2838/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-2839/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172234-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b3fae4aa\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP3:zypper in -t 
patch\nSUSE-SLE-WE-12-SP3-2017-1365=1\n\nSUSE Linux Enterprise Workstation Extension 12-SP2:zypper in -t patch\nSUSE-SLE-WE-12-SP2-2017-1365=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t\npatch SUSE-SLE-SDK-12-SP3-2017-1365=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t\npatch SUSE-SLE-SDK-12-SP2-2017-1365=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2017-1365=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2017-1365=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:freerdp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:freerdp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:freerdp-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libfreerdp2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libfreerdp2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/23\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP2/3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"freerdp-2.0.0~git.1463131968.4e66df7-12.3.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"freerdp-debuginfo-2.0.0~git.1463131968.4e66df7-12.3.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"freerdp-debugsource-2.0.0~git.1463131968.4e66df7-12.3.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libfreerdp2-2.0.0~git.1463131968.4e66df7-12.3.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libfreerdp2-debuginfo-2.0.0~git.1463131968.4e66df7-12.3.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"freerdp-2.0.0~git.1463131968.4e66df7-12.3.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"freerdp-debuginfo-2.0.0~git.1463131968.4e66df7-12.3.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"freerdp-debugsource-2.0.0~git.1463131968.4e66df7-12.3.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libfreerdp2-2.0.0~git.1463131968.4e66df7-12.3.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libfreerdp2-debuginfo-2.0.0~git.1463131968.4e66df7-12.3.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"freerdp\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T12:33:39", "description": "This update for freerdp fixes the following issues :\n\n - CVE-2017-2834: Out-of-bounds write in 
license_recv()\n (bsc#1050714)\n\n - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu\n (bsc#1050712)\n\n - CVE-2017-2836: Rdp Client Read Server Proprietary\n Certificate Denial of Service (bsc#1050699)\n\n - CVE-2017-2837: Client GCC Read Server Security Data DoS\n (bsc#1050704)\n\n - CVE-2017-2838: Client License Read Product Info Denial\n of Service Vulnerability (bsc#1050708)\n\n - CVE-2017-2839: Client License Read Challenge Packet\n Denial of Service (bsc#1050711)\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.", "edition": 21, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-09-05T00:00:00", "title": "openSUSE Security Update : freerdp (openSUSE-2017-992)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838"], "modified": "2017-09-05T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:freerdp-debugsource", "p-cpe:/a:novell:opensuse:freerdp", "p-cpe:/a:novell:opensuse:libfreerdp2-debuginfo", "p-cpe:/a:novell:opensuse:freerdp-debuginfo", "p-cpe:/a:novell:opensuse:libfreerdp2", "cpe:/o:novell:opensuse:42.3", "cpe:/o:novell:opensuse:42.2", "p-cpe:/a:novell:opensuse:freerdp-devel"], "id": "OPENSUSE-2017-992.NASL", "href": "https://www.tenable.com/plugins/nessus/102945", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-992.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102945);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2017-2834\", \"CVE-2017-2835\", \"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", 
\"CVE-2017-2839\");\n\n script_name(english:\"openSUSE Security Update : freerdp (openSUSE-2017-992)\");\n script_summary(english:\"Check for the openSUSE-2017-992 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for freerdp fixes the following issues :\n\n - CVE-2017-2834: Out-of-bounds write in license_recv()\n (bsc#1050714)\n\n - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu\n (bsc#1050712)\n\n - CVE-2017-2836: Rdp Client Read Server Proprietary\n Certificate Denial of Service (bsc#1050699)\n\n - CVE-2017-2837: Client GCC Read Server Security Data DoS\n (bsc#1050704)\n\n - CVE-2017-2838: Client License Read Product Info Denial\n of Service Vulnerability (bsc#1050708)\n\n - CVE-2017-2839: Client License Read Challenge Packet\n Denial of Service (bsc#1050711)\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1050699\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1050704\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1050708\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1050711\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1050712\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1050714\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected freerdp packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:freerdp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:freerdp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:freerdp-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:freerdp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libfreerdp2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libfreerdp2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"freerdp-2.0.0~git.1463131968.4e66df7-3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"freerdp-debuginfo-2.0.0~git.1463131968.4e66df7-3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"freerdp-debugsource-2.0.0~git.1463131968.4e66df7-3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"freerdp-devel-2.0.0~git.1463131968.4e66df7-3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libfreerdp2-2.0.0~git.1463131968.4e66df7-3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libfreerdp2-debuginfo-2.0.0~git.1463131968.4e66df7-3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"freerdp-2.0.0~git.1463131968.4e66df7-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"freerdp-debuginfo-2.0.0~git.1463131968.4e66df7-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"freerdp-debugsource-2.0.0~git.1463131968.4e66df7-6.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE42.3\", reference:\"freerdp-devel-2.0.0~git.1463131968.4e66df7-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libfreerdp2-2.0.0~git.1463131968.4e66df7-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libfreerdp2-debuginfo-2.0.0~git.1463131968.4e66df7-6.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"freerdp / freerdp-debuginfo / freerdp-debugsource / freerdp-devel / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:38:36", "description": "Tyler Bohan of Talos discovered that FreeRDP, a free implementation of\nthe Remote Desktop Protocol (RDP), contained several vulnerabilities\nthat allowed a malicious remote server or a man-in-the-middle to\neither cause a DoS by forcibly terminating the client, or execute\narbitrary code on the client side.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n1.0.1-1.1+deb7u4.\n\nWe recommend that you upgrade your freerdp packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 18, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-09-11T00:00:00", "title": "Debian DLA-1095-1 : freerdp security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2017-2837", "CVE-2017-2835", "CVE-2017-2838"], "modified": "2017-09-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libfreerdp1", "p-cpe:/a:debian:debian_linux:libfreerdp-dev", "p-cpe:/a:debian:debian_linux:freerdp-x11", "p-cpe:/a:debian:debian_linux:freerdp-dbg", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:libfreerdp-plugins-standard"], "id": "DEBIAN_DLA-1095.NASL", "href": "https://www.tenable.com/plugins/nessus/103095", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1095-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103095);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-2835\", \"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", \"CVE-2017-2839\");\n\n script_name(english:\"Debian DLA-1095-1 : freerdp security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tyler Bohan of Talos discovered that FreeRDP, a free implementation of\nthe Remote Desktop Protocol (RDP), contained several vulnerabilities\nthat allowed a malicious remote server or a man-in-the-middle to\neither cause a DoS by forcibly terminating the client, or execute\narbitrary code on the client side.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n1.0.1-1.1+deb7u4.\n\nWe recommend that you upgrade your freerdp packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/09/msg00012.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/freerdp\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:freerdp-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:freerdp-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libfreerdp-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libfreerdp-plugins-standard\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libfreerdp1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"freerdp-dbg\", reference:\"1.0.1-1.1+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"freerdp-x11\", reference:\"1.0.1-1.1+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libfreerdp-dev\", reference:\"1.0.1-1.1+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libfreerdp-plugins-standard\", reference:\"1.0.1-1.1+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libfreerdp1\", reference:\"1.0.1-1.1+deb7u4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T06:45:39", "description": "It was discovered that FreeRDP incorrectly handled certain width and\nheight values. A malicious server could use this issue to cause\nFreeRDP to crash, resulting in a denial of service, or possibly\nexecute arbitrary code. This issue only applied to Ubuntu 14.04 LTS.\n(CVE-2014-0250)\n\nIt was discovered that FreeRDP incorrectly handled certain values in a\nScope List. A malicious server could use this issue to cause FreeRDP\nto crash, resulting in a denial of service, or possibly execute\narbitrary code. (CVE-2014-0791)\n\nTyler Bohan discovered that FreeRDP incorrectly handled certain length\nvalues. 
A malicious server could use this issue to cause FreeRDP to\ncrash, resulting in a denial of service, or possibly execute arbitrary\ncode. (CVE-2017-2834, CVE-2017-2835)\n\nTyler Bohan discovered that FreeRDP incorrectly handled certain\npackets. A malicious server could possibly use this issue to cause\nFreeRDP to crash, resulting in a denial of service. (CVE-2017-2836,\nCVE-2017-2837, CVE-2017-2838, CVE-2017-2839).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-08T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : freerdp vulnerabilities (USN-3380-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2014-0791", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838", "CVE-2014-0250"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:17.04", "cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:libfreerdp1", "p-cpe:/a:canonical:ubuntu_linux:libfreerdp-client1.1", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3380-1.NASL", "href": "https://www.tenable.com/plugins/nessus/102260", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3380-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102260);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/09/18 12:31:47\");\n\n script_cve_id(\"CVE-2014-0250\", \"CVE-2014-0791\", \"CVE-2017-2834\", \"CVE-2017-2835\", \"CVE-2017-2836\", \"CVE-2017-2837\", \"CVE-2017-2838\", \"CVE-2017-2839\");\n script_xref(name:\"USN\", value:\"3380-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : freerdp vulnerabilities (USN-3380-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that FreeRDP incorrectly handled certain width and\nheight values. A malicious server could use this issue to cause\nFreeRDP to crash, resulting in a denial of service, or possibly\nexecute arbitrary code. This issue only applied to Ubuntu 14.04 LTS.\n(CVE-2014-0250)\n\nIt was discovered that FreeRDP incorrectly handled certain values in a\nScope List. A malicious server could use this issue to cause FreeRDP\nto crash, resulting in a denial of service, or possibly execute\narbitrary code. (CVE-2014-0791)\n\nTyler Bohan discovered that FreeRDP incorrectly handled certain length\nvalues. A malicious server could use this issue to cause FreeRDP to\ncrash, resulting in a denial of service, or possibly execute arbitrary\ncode. (CVE-2017-2834, CVE-2017-2835)\n\nTyler Bohan discovered that FreeRDP incorrectly handled certain\npackets. A malicious server could possibly use this issue to cause\nFreeRDP to crash, resulting in a denial of service. (CVE-2017-2836,\nCVE-2017-2837, CVE-2017-2838, CVE-2017-2839).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3380-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected libfreerdp-client1.1 and / or libfreerdp1\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libfreerdp-client1.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libfreerdp1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|17\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 17.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"libfreerdp1\", pkgver:\"1.0.2-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libfreerdp-client1.1\", pkgver:\"1.1.0~git20140921.1.440916e+dfsg1-5ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"libfreerdp-client1.1\", pkgver:\"1.1.0~git20140921.1.440916e+dfsg1-10ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libfreerdp-client1.1 / libfreerdp1\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T09:01:27", "description": "According to the versions of the freerdp packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - An exploitable code execution 
vulnerability exists in\n the RDP receive functionality of FreeRDP\n 2.0.0-beta1+android11. A specially crafted server\n response can cause an out-of-bounds write resulting in\n an exploitable condition. An attacker can compromise\n the server or use a man in the middle to trigger this\n vulnerability.(CVE-2017-2835)\n\n - An exploitable denial of service vulnerability exists\n within the handling of challenge packets in FreeRDP\n 2.0.0-beta1+android11. A specially crafted challenge\n packet can cause the program termination leading to a\n denial of service condition. An attacker can compromise\n the server or use man in the middle to trigger this\n vulnerability.(CVE-2017-2838)\n\n - An exploitable denial of service vulnerability exists\n within the handling of challenge packets in FreeRDP\n 2.0.0-beta1+android11. A specially crafted challenge\n packet can cause the program termination leading to a\n denial of service condition. An attacker can compromise\n the server or use man in the middle to trigger this\n vulnerability.(CVE-2017-2839)\n\n - An exploitable denial of service vulnerability exists\n within the handling of security data in FreeRDP\n 2.0.0-beta1+android11. A specially crafted challenge\n packet can cause the program termination leading to a\n denial of service condition. An attacker can compromise\n the server or use man in the middle to trigger this\n vulnerability.(CVE-2017-2837)\n\n - An exploitable denial of service vulnerability exists\n within the reading of proprietary server certificates\n in FreeRDP 2.0.0-beta1+android11. A specially crafted\n challenge packet can cause the program termination\n leading to a denial of service condition. 
An attacker\n can compromise the server or use man in the middle to\n trigger this vulnerability.(CVE-2017-2836)\n\n - FreeRDP FreeRDP 2.0.0-rc3 released version before\n commit 205c612820dac644d665b5bb1cdf437dc5ca01e3\n contains a Other/Unknown vulnerability in\n channels/drdynvc/client/drdynvc_main.c,\n drdynvc_process_capability_request that can result in\n The RDP server can read the client's memory.. This\n attack appear to be exploitable via RDPClient must\n connect the rdp server with echo option. This\n vulnerability appears to have been fixed in after\n commit\n 205c612820dac644d665b5bb1cdf437dc5ca01e3.(CVE-2018-1000852)\n\n - Integer overflow in the license_read_scope_list\n function in libfreerdp/core/license.c in FreeRDP\n through 1.0.2 allows remote RDP servers to cause a\n denial of service (application crash) or possibly have\n unspecified other impact via a large ScopeCount value\n in a Scope List in a Server License Request\n packet.(CVE-2014-0791)\n\n - Multiple integer overflows in client/X11/xf_graphics.c\n in FreeRDP allow remote attackers to have an\n unspecified impact via the width and height to the (1)\n xf_Pointer_New or (2) xf_Bitmap_Decompress function,\n which causes an incorrect amount of memory to be\n allocated.(CVE-2014-0250)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 11, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-12-19T00:00:00", "title": "EulerOS 2.0 SP3 : freerdp (EulerOS-SA-2019-2580)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2018-1000", "CVE-2014-0791", "CVE-2017-2837", "CVE-2017-2835", "CVE-2017-2838", "CVE-2018-1000852", "CVE-2014-0250"], "modified": "2019-12-19T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:freerdp-plugins", "p-cpe:/a:huawei:euleros:freerdp-libs", "p-cpe:/a:huawei:euleros:freerdp", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2580.NASL", "href": "https://www.tenable.com/plugins/nessus/132297", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132297);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2014-0250\",\n \"CVE-2014-0791\",\n \"CVE-2017-2835\",\n \"CVE-2017-2836\",\n \"CVE-2017-2837\",\n \"CVE-2017-2838\",\n \"CVE-2017-2839\",\n \"CVE-2018-1000852\"\n );\n script_bugtraq_id(\n 64689,\n 67670\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : freerdp (EulerOS-SA-2019-2580)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the freerdp packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - An exploitable code execution vulnerability exists in\n the RDP receive functionality of FreeRDP\n 2.0.0-beta1+android11. 
A specially crafted server\n response can cause an out-of-bounds write resulting in\n an exploitable condition. An attacker can compromise\n the server or use a man in the middle to trigger this\n vulnerability.(CVE-2017-2835)\n\n - An exploitable denial of service vulnerability exists\n within the handling of challenge packets in FreeRDP\n 2.0.0-beta1+android11. A specially crafted challenge\n packet can cause the program termination leading to a\n denial of service condition. An attacker can compromise\n the server or use man in the middle to trigger this\n vulnerability.(CVE-2017-2838)\n\n - An exploitable denial of service vulnerability exists\n within the handling of challenge packets in FreeRDP\n 2.0.0-beta1+android11. A specially crafted challenge\n packet can cause the program termination leading to a\n denial of service condition. An attacker can compromise\n the server or use man in the middle to trigger this\n vulnerability.(CVE-2017-2839)\n\n - An exploitable denial of service vulnerability exists\n within the handling of security data in FreeRDP\n 2.0.0-beta1+android11. A specially crafted challenge\n packet can cause the program termination leading to a\n denial of service condition. An attacker can compromise\n the server or use man in the middle to trigger this\n vulnerability.(CVE-2017-2837)\n\n - An exploitable denial of service vulnerability exists\n within the reading of proprietary server certificates\n in FreeRDP 2.0.0-beta1+android11. A specially crafted\n challenge packet can cause the program termination\n leading to a denial of service condition. 
An attacker\n can compromise the server or use man in the middle to\n trigger this vulnerability.(CVE-2017-2836)\n\n - FreeRDP FreeRDP 2.0.0-rc3 released version before\n commit 205c612820dac644d665b5bb1cdf437dc5ca01e3\n contains a Other/Unknown vulnerability in\n channels/drdynvc/client/drdynvc_main.c,\n drdynvc_process_capability_request that can result in\n The RDP server can read the client's memory.. This\n attack appear to be exploitable via RDPClient must\n connect the rdp server with echo option. This\n vulnerability appears to have been fixed in after\n commit\n 205c612820dac644d665b5bb1cdf437dc5ca01e3.(CVE-2018-1000\n 852)\n\n - Integer overflow in the license_read_scope_list\n function in libfreerdp/core/license.c in FreeRDP\n through 1.0.2 allows remote RDP servers to cause a\n denial of service (application crash) or possibly have\n unspecified other impact via a large ScopeCount value\n in a Scope List in a Server License Request\n packet.(CVE-2014-0791)\n\n - Multiple integer overflows in client/X11/xf_graphics.c\n in FreeRDP allow remote attackers to have an\n unspecified impact via the width and height to the (1)\n xf_Pointer_New or (2) xf_Bitmap_Decompress function,\n which causes an incorrect amount of memory to be\n allocated.(CVE-2014-0250)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2580\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7777099f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected freerdp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1000852\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:freerdp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:freerdp-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:freerdp-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"freerdp-1.0.2-6.1.h4\",\n \"freerdp-libs-1.0.2-6.1.h4\",\n \"freerdp-plugins-1.0.2-6.1.h4\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"freerdp\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T09:01:07", "description": "According to the versions of the freerdp 
packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - FreeRDP before 1.1.0-beta+2013071101 allows remote\n attackers to cause a denial of service (NULL pointer\n dereference and application crash) by disconnecting\n before authentication has finished.(CVE-2013-4119)\n\n - FreeRDP FreeRDP 2.0.0-rc3 released version before\n commit 205c612820dac644d665b5bb1cdf437dc5ca01e3\n contains a Other/Unknown vulnerability in\n channels/drdynvc/client/drdynvc_main.c,\n drdynvc_process_capability_request that can result in\n The RDP server can read the client's memory.. This\n attack appear to be exploitable via RDPClient must\n connect the rdp server with echo option. This\n vulnerability appears to have been fixed in after\n commit\n 205c612820dac644d665b5bb1cdf437dc5ca01e3.(CVE-2018-1000852)\n\n - FreeRDP before 1.1.0-beta1 allows remote attackers to\n cause a denial of service (NULL pointer dereference and\n application crash) via unspecified\n vectors.(CVE-2013-4118)\n\n - Multiple integer overflows in client/X11/xf_graphics.c\n in FreeRDP allow remote attackers to have an\n unspecified impact via the width and height to the (1)\n xf_Pointer_New or (2) xf_Bitmap_Decompress function,\n which causes an incorrect amount of memory to be\n allocated.(CVE-2014-0250)\n\n - Integer overflow in the license_read_scope_list\n function in libfreerdp/core/license.c in FreeRDP\n through 1.0.2 allows remote RDP servers to cause a\n denial of service (application crash) or possibly have\n unspecified other impact via a large ScopeCount value\n in a Scope List in a Server License Request\n packet.(CVE-2014-0791)\n\n - An exploitable code execution vulnerability exists in\n the RDP receive functionality of FreeRDP\n 2.0.0-beta1+android11. A specially crafted server\n response can cause an out-of-bounds write resulting in\n an exploitable condition. 
An attacker can compromise\n the server or use a man in the middle to trigger this\n vulnerability.(CVE-2017-2835)\n\n - An exploitable denial of service vulnerability exists\n within the reading of proprietary server certificates\n in FreeRDP 2.0.0-beta1+android11. A specially crafted\n challenge packet can cause the program termination\n leading to a denial of service condition. An attacker\n can compromise the server or use man in the middle to\n trigger this vulnerability.(CVE-2017-2836)\n\n - An exploitable denial of service vulnerability exists\n within the handling of security data in FreeRDP\n 2.0.0-beta1+android11. A specially crafted challenge\n packet can cause the program termination leading to a\n denial of service condition. An attacker can compromise\n the server or use man in the middle to trigger this\n vulnerability.(CVE-2017-2837)\n\n - An exploitable denial of service vulnerability exists\n within the handling of challenge packets in FreeRDP\n 2.0.0-beta1+android11. A specially crafted challenge\n packet can cause the program termination leading to a\n denial of service condition. An attacker can compromise\n the server or use man in the middle to trigger this\n vulnerability.(CVE-2017-2838)\n\n - An exploitable denial of service vulnerability exists\n within the handling of challenge packets in FreeRDP\n 2.0.0-beta1+android11. A specially crafted challenge\n packet can cause the program termination leading to a\n denial of service condition. An attacker can compromise\n the server or use man in the middle to trigger this\n vulnerability.(CVE-2017-2839)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 10, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-12-04T00:00:00", "title": "EulerOS 2.0 SP2 : freerdp (EulerOS-SA-2019-2455)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4118", "CVE-2017-2836", "CVE-2017-2839", "CVE-2018-1000", "CVE-2014-0791", "CVE-2017-2837", "CVE-2017-2835", "CVE-2017-2838", "CVE-2018-1000852", "CVE-2013-4119", "CVE-2014-0250"], "modified": "2019-12-04T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:freerdp-plugins", "p-cpe:/a:huawei:euleros:freerdp-libs", "p-cpe:/a:huawei:euleros:freerdp", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2455.NASL", "href": "https://www.tenable.com/plugins/nessus/131609", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131609);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2013-4118\",\n \"CVE-2013-4119\",\n \"CVE-2014-0250\",\n \"CVE-2014-0791\",\n \"CVE-2017-2835\",\n \"CVE-2017-2836\",\n \"CVE-2017-2837\",\n \"CVE-2017-2838\",\n \"CVE-2017-2839\",\n \"CVE-2018-1000852\"\n );\n script_bugtraq_id(\n 61072,\n 64689,\n 67670\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : freerdp (EulerOS-SA-2019-2455)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the freerdp packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - FreeRDP before 1.1.0-beta+2013071101 allows remote\n attackers 
to cause a denial of service (NULL pointer\n dereference and application crash) by disconnecting\n before authentication has finished.(CVE-2013-4119)\n\n - FreeRDP FreeRDP 2.0.0-rc3 released version before\n commit 205c612820dac644d665b5bb1cdf437dc5ca01e3\n contains a Other/Unknown vulnerability in\n channels/drdynvc/client/drdynvc_main.c,\n drdynvc_process_capability_request that can result in\n The RDP server can read the client's memory.. This\n attack appear to be exploitable via RDPClient must\n connect the rdp server with echo option. This\n vulnerability appears to have been fixed in after\n commit\n 205c612820dac644d665b5bb1cdf437dc5ca01e3.(CVE-2018-1000\n 852)\n\n - FreeRDP before 1.1.0-beta1 allows remote attackers to\n cause a denial of service (NULL pointer dereference and\n application crash) via unspecified\n vectors.(CVE-2013-4118)\n\n - Multiple integer overflows in client/X11/xf_graphics.c\n in FreeRDP allow remote attackers to have an\n unspecified impact via the width and height to the (1)\n xf_Pointer_New or (2) xf_Bitmap_Decompress function,\n which causes an incorrect amount of memory to be\n allocated.(CVE-2014-0250)\n\n - Integer overflow in the license_read_scope_list\n function in libfreerdp/core/license.c in FreeRDP\n through 1.0.2 allows remote RDP servers to cause a\n denial of service (application crash) or possibly have\n unspecified other impact via a large ScopeCount value\n in a Scope List in a Server License Request\n packet.(CVE-2014-0791)\n\n - An exploitable code execution vulnerability exists in\n the RDP receive functionality of FreeRDP\n 2.0.0-beta1+android11. A specially crafted server\n response can cause an out-of-bounds write resulting in\n an exploitable condition. 
An attacker can compromise\n the server or use a man in the middle to trigger this\n vulnerability.(CVE-2017-2835)\n\n - An exploitable denial of service vulnerability exists\n within the reading of proprietary server certificates\n in FreeRDP 2.0.0-beta1+android11. A specially crafted\n challenge packet can cause the program termination\n leading to a denial of service condition. An attacker\n can compromise the server or use man in the middle to\n trigger this vulnerability.(CVE-2017-2836)\n\n - An exploitable denial of service vulnerability exists\n within the handling of security data in FreeRDP\n 2.0.0-beta1+android11. A specially crafted challenge\n packet can cause the program termination leading to a\n denial of service condition. An attacker can compromise\n the server or use man in the middle to trigger this\n vulnerability.(CVE-2017-2837)\n\n - An exploitable denial of service vulnerability exists\n within the handling of challenge packets in FreeRDP\n 2.0.0-beta1+android11. A specially crafted challenge\n packet can cause the program termination leading to a\n denial of service condition. An attacker can compromise\n the server or use man in the middle to trigger this\n vulnerability.(CVE-2017-2838)\n\n - An exploitable denial of service vulnerability exists\n within the handling of challenge packets in FreeRDP\n 2.0.0-beta1+android11. A specially crafted challenge\n packet can cause the program termination leading to a\n denial of service condition. An attacker can compromise\n the server or use man in the middle to trigger this\n vulnerability.(CVE-2017-2839)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2455\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dfdccb93\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected freerdp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1000852\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:freerdp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:freerdp-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:freerdp-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"freerdp-1.0.2-6.1.h4\",\n \"freerdp-libs-1.0.2-6.1.h4\",\n \"freerdp-plugins-1.0.2-6.1.h4\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"freerdp\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2020-10-03T13:07:42", "description": "An exploitable code execution 
vulnerability exists in the RDP receive functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle to trigger this vulnerability.", "edition": 3, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-24T19:29:00", "title": "CVE-2017-2835", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2835"], "modified": "2018-05-25T15:20:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:freerdp:freerdp:2.0.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-2835", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2835", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:freerdp:freerdp:2.0.0:beta1:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:07:42", "description": "An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 
2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.", "edition": 3, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-04-24T19:29:00", "title": "CVE-2017-2838", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2838"], "modified": "2018-05-25T15:22:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:freerdp:freerdp:2.0.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-2838", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2838", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:freerdp:freerdp:2.0.0:beta1:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:07:42", "description": "An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. 
A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.", "edition": 3, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-04-24T19:29:00", "title": "CVE-2017-2839", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2839"], "modified": "2018-05-25T15:24:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:freerdp:freerdp:2.0.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-2839", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2839", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:freerdp:freerdp:2.0.0:beta1:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:07:42", "description": "An exploitable denial of service vulnerability exists within the handling of security data in FreeRDP 2.0.0-beta1+android11. 
A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.", "edition": 3, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-04-24T19:29:00", "title": "CVE-2017-2837", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2837"], "modified": "2018-05-25T15:22:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:freerdp:freerdp:2.0.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-2837", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2837", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:freerdp:freerdp:2.0.0:beta1:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:07:42", "description": "An exploitable denial of service vulnerability exists within the reading of proprietary server certificates in FreeRDP 2.0.0-beta1+android11. 
A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.", "edition": 3, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-04-24T19:29:00", "title": "CVE-2017-2836", "type": "cve", "cwe": ["CWE-295"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2836"], "modified": "2018-05-25T15:21:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:freerdp:freerdp:2.0.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-2836", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2836", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:freerdp:freerdp:2.0.0:beta1:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:07:42", "description": "An exploitable code execution vulnerability exists in the authentication functionality of FreeRDP 2.0.0-beta1+android11. 
A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle attack to trigger this vulnerability.", "edition": 3, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "baseScore": 7.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 4.7}, "published": "2018-04-24T19:29:00", "title": "CVE-2017-2834", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2834"], "modified": "2018-05-25T15:20:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:freerdp:freerdp:2.0.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-2834", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2834", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:freerdp:freerdp:2.0.0:beta1:*:*:*:*:*:*"]}], "ubuntu": [{"lastseen": "2020-07-02T11:38:23", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2836", "CVE-2017-2839", "CVE-2014-0791", "CVE-2017-2837", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2838", "CVE-2014-0250"], "description": "It was 
discovered that FreeRDP incorrectly handled certain width and height \nvalues. A malicious server could use this issue to cause FreeRDP to crash, \nresulting in a denial of service, or possibly execute arbitrary code. This \nissue only applied to Ubuntu 14.04 LTS. (CVE-2014-0250)\n\nIt was discovered that FreeRDP incorrectly handled certain values in a \nScope List. A malicious server could use this issue to cause FreeRDP to \ncrash, resulting in a denial of service, or possibly execute arbitrary \ncode. (CVE-2014-0791)\n\nTyler Bohan discovered that FreeRDP incorrectly handled certain length \nvalues. A malicious server could use this issue to cause FreeRDP to \ncrash, resulting in a denial of service, or possibly execute arbitrary \ncode. (CVE-2017-2834, CVE-2017-2835)\n\nTyler Bohan discovered that FreeRDP incorrectly handled certain packets. A \nmalicious server could possibly use this issue to cause FreeRDP to crash, \nresulting in a denial of service. (CVE-2017-2836, CVE-2017-2837, \nCVE-2017-2838, CVE-2017-2839)", "edition": 5, "modified": "2017-08-07T00:00:00", "published": "2017-08-07T00:00:00", "id": "USN-3380-1", "href": "https://ubuntu.com/security/notices/USN-3380-1", "title": "FreeRDP vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T11:57:40", "description": "### Summary\r\nAn exploitable code execution vulnerability exists in the RDP receive functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. 
An attacker can compromise the server or use a man in the middle to trigger this vulnerability.\r\n\r\n### Tested Versions\r\nFreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux\r\n\r\n### Product URLs\r\nhttp://www.freerdp.com/\r\n\r\n### CVSSv3 Score\r\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H\r\n\r\n### CWE\r\nCWE-129: Improper Validation of Array Index\r\n\r\n### Details\r\nFreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. The vulnerability arises in using untrusted data in handling the reception of a RDP packet with the server.\r\n```\r\nstatic int rdp_recv_tpkt_pdu(rdpRdp* rdp, wStream* s)\r\n{\r\n UINT16 length;\r\n UINT16 pduType;\r\n UINT16 pduLength;\r\n UINT16 pduSource;\r\n UINT16 channelId = 0;\r\n UINT16 securityFlags = 0;\r\n int nextPosition;\r\n\r\n\r\n if (!rdp_read_header(rdp, s, &length, &channelId)) [1]\r\n { \r\n\r\n ...\r\n\r\n if (rdp->settings->UseRdpSecurityLayer)\r\n {\r\n if (!rdp_read_security_header(s, &securityFlags)) [2]\r\n {\r\n ...\r\n\r\n if (securityFlags & (SEC_ENCRYPT | SEC_REDIRECTION_PKT))\r\n {\r\n if (!rdp_decrypt(rdp, s, length - 4, securityFlags)) [3]\r\n {\r\n```\r\nAt [1], the RDP header is read in and a local variable, length, is assigned a value directly from the attacker controlled packet. Another value, [2], is read in from the packet to determine if encryption is set on this packet. This check simply ANDs a value in the packet with a constant and is easily passed. Four is then subtracted from the value of length, [3], and the result is passed into a decryption function. If the attacker supplies a value less than four, a negative value will be passed into decrypt. The attacker controlled length value goes through multiple functions and ends up passed in directly to the OpenSSL RC4 function call. 
This causes the program to write attacker influence data out of bounds causing a potentially exploitable condition to arise. A hexdump of the attacker controlled packet is below with the bytes pertaining to the length marked.\r\n```\r\n00000000 03 00 00 28 02 f0 80 68 00 01 03 eb 70 [03] 08 04 |...(...h....p...| <-------\r\n00000010 00 00 16 00 17 00 ea 03 ea 03 01 00 00 01 08 00 |................|\r\n00000020 1f 00 00 00 01 00 ea 03 03 00 00 2c 02 f0 80 68 |...........,...h|\r\n00000030 00 01 03 eb 70 1e 00 00 00 00 1a 00 17 00 ea 03 |....p...........|\r\n00000040 ea 03 01 00 00 01 0c 00 14 00 00 00 04 00 00 00 |................|\r\n00000050 ea 03 00 00 03 00 00 2c 02 f0 80 68 00 01 03 eb |.......,...h....|\r\n00000060 70 1e 00 00 00 00 1a 00 17 00 ea 03 ea 03 01 00 |p...............|\r\n00000070 00 01 0c 00 14 00 00 00 02 00 00 00 ea 03 00 00 |................|\r\n00000080 03 00 00 d1 02 f0 80 68 00 01 03 eb 70 80 c2 00 |.......h....p...|\r\n00000090 00 00 00 be 00 17 00 ea 03 ea 03 01 00 00 01 b0 |................|\r\n```\r\n\r\n### Crash Information\r\n```\r\nCrashed thread log = \r\n: Dispatch queue: com.apple.main-thread\r\n0 libgmalloc.dylib 0x00000001037ef54a GuardMalloc_mallocInternal + 1136\r\n1 libgmalloc.dylib 0x00000001037eee70 GuardMalloc_calloc + 81\r\n2 libsystem_malloc.dylib 0x00007fff94c2b9a6 malloc_zone_calloc + 78\r\n3 libsystem_malloc.dylib 0x00007fff94c2c462 calloc + 49\r\n4 libobjc.A.dylib 0x00007fff9988a330 allocateBuckets(unsigned int) + 30\r\n5 libobjc.A.dylib 0x00007fff9987fc53 cache_t::reallocate(unsigned int, unsigned int) + 43\r\n6 libobjc.A.dylib 0x00007fff9987f693 cache_fill + 177\r\n7 libobjc.A.dylib 0x00007fff9987edfc lookUpImpOrForward + 423\r\n8 libobjc.A.dylib 0x00007fff99879591 objc_msgSend + 209\r\n9 com.apple.AppKit 0x00007fff8ffa8a52 -[NSCell dealloc] + 364\r\n10 com.apple.AppKit 0x00007fff8ffa88cd -[NSActionCell dealloc] + 116\r\n11 com.apple.AppKit 0x00007fff8ffa8dfd -[NSButtonCell dealloc] + 395\r\n12 com.apple.AppKit 
0x00007fff8ffa85b9 -[NSControl dealloc] + 83\r\n13 com.apple.AppKit 0x00007fff9018d510 -[NSAlert dealloc] + 104\r\n14 com.apple.CoreFoundation 0x00007fff88dab5a8 -[__NSArrayI dealloc] + 120\r\n15 libobjc.A.dylib 0x00007fff9987eb3b (anonymous namespace)::AutoreleasePoolPage::pop(void*) + 477\r\n16 com.apple.CoreFoundation 0x00007fff88dbec12 _CFAutoreleasePoolPop + 50\r\n17 com.apple.Foundation 0x00007fff887659ea -[NSAutoreleasePool drain] + 153\r\n18 com.apple.Foundation 0x00007fff887a25ba _NSAppleEventManagerGenericHandler + 121\r\n19 com.apple.AE 0x00007fff87c47261 aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) \r\n+ 531\r\n20 com.apple.AE 0x00007fff87c46fe8 dispatchEventAndSendReply(AEDesc const*, AEDesc*) + 31\r\n21 com.apple.AE 0x00007fff87c46f04 aeProcessAppleEvent + 288\r\n22 com.apple.HIToolbox 0x00007fff8f2c7af9 AEProcessAppleEvent + 55\r\n23 com.apple.AppKit 0x00007fff8fe9b290 _DPSNextEvent + 2245\r\n24 com.apple.AppKit 0x00007fff8fe9a226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + \r\n454\r\n25 com.apple.AppKit 0x00007fff8fe8ed80 -[NSApplication run] + 682\r\n26 com.apple.AppKit 0x00007fff8fe58368 NSApplicationMain + 1176\r\n27 libdyld.dylib 0x00007fff86cf45ad start + 1\r\n\r\nlog name is: ./crashlogs/1.crashlog.txt\r\n---\r\nexception=EXC_CRASH:signal=11:is_exploitable=yes:instruction_disassembly=movq %rax,CONSTANT(%rdi,%rsi):instruction_address=0x00000001037ef54a:access_type=:access_address=0x0000000000000000:\r\nThe crash is suspected to be an exploitable issue due to the suspicious function in the stack trace of the crashing thread: ' calloc ' \r\n```\r\n\r\n### Exploit Proof-of-Concept\r\nRun included Python server and connect FreeRDP Client to it.\r\n\r\n### Timeline\r\n* 2017-05-24 - Vendor Disclosure\r\n* 2017-07-24 - Public Release\r\n\r\n### CREDIT\r\n* Discovered by Tyler Bohan of Cisco Talos.", "published": "2017-09-13T00:00:00", "type": "seebug", "title": "FreeRDP Rdp Client Recv RDP 
Code Execution Vulnerability(CVE-2017-2835)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-2835"], "modified": "2017-09-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96456", "id": "SSV:96456", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-11-19T11:57:45", "description": "### Summary\r\nAn exploitable code execution vulnerability exists in the authentication functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle attack to trigger this vulnerability.\r\n\r\n### Tested Versions\r\nFreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux\r\n\r\n### Product URLs\r\nhttp://www.freerdp.com/\r\n\r\n### CVSSv3 Score\r\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H\r\n\r\n### CWE\r\nCWE-129: Improper Validation of Array Index\r\n\r\n### Details\r\nFreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. The vulnerability arises in using untrusted data in handling the license authentication with the server.\r\n```\r\nint license_recv(rdpLicense* license, wStream* s)\r\n{\r\n BYTE bMsgType;\r\n UINT16 length;\r\n UINT16 channelId;\r\n\r\n if (!rdp_read_header(license->rdp, s, &length, &channelId)) [1]\r\n {\r\n WLog_ERR(TAG, \"Incorrect RDP header.\");\r\n return -1;\r\n }\r\n ...\r\n if (securityFlags & SEC_ENCRYPT)\r\n {\r\n if (!rdp_decrypt(license->rdp, s, length - 4, securityFlags)) [2]\r\n```\r\n\r\nAt [1], the RDP header is read in and a local variable, length, is assigned a value directly from the attacker controlled packet. Four is then subtracted from the value of length, [2], and the result is passed into a decryption function. 
If the attacker supplies a value less than four a negative value will be passed into decrypt. The attacker controlled length value goes through multiple functions and ends up passed in directly to the OpenSSL RC4 function call. This causes the program to write attacker influence data out of bounds causing a potentially exploitable condition to arise. A hexdump of the attacker controlled packet is below with the bytes pertaining to the length marked.\r\n```\r\n00000000 03 00 01 51 02 f0 80 68 00 01 03 eb 70 [03] 08 00 |...Q...h....p...| <-------\r\n00000010 00 3e 01 01 02 3e 01 7b 3c 31 a6 ae e8 74 f6 b4 |.>...>.{<1...t..|\r\n00000020 a5 03 90 e7 c2 c7 39 ba 53 1c 30 54 6e 90 05 d0 |......9.S.0Tn...|\r\n00000030 05 ce 44 18 91 83 81 00 00 04 00 2c 00 00 00 4d |..D........,...M|\r\n00000040 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 |.i.c.r.o.s.o.f.t|\r\n00000050 00 20 00 43 00 6f 00 72 00 70 00 6f 00 72 00 61 |. .C.o.r.p.o.r.a|\r\n00000060 00 74 00 69 00 6f 00 6e 00 00 00 08 00 00 00 32 |.t.i.o.n.......2|\r\n00000070 00 33 00 36 00 00 00 0d 00 04 00 01 00 00 00 03 |.3.6............|\r\n00000080 00 b8 00 01 00 00 00 01 00 00 00 01 00 00 00 06 |................|\r\n00000090 00 5c 00 52 53 41 31 48 00 00 00 00 02 00 00 3f |.\\.RSA1H.......?|\r\n000000a0 00 00 00 01 00 01 00 01 c7 c9 f7 8e 5a 38 e4 29 |............Z8.)|\r\n000000b0 c3 00 95 2d dd 4c 3e 50 45 0b 0d 9e 2a 5d 18 63 |...-.L>PE...*].c|\r\n000000c0 64 c4 2c f7 8f 29 d5 3f c5 35 22 34 ff ad 3a e6 |d.,..).?.5\"4..:.|\r\n000000d0 e3 95 06 ae 55 82 e3 c8 c7 b4 a8 47 c8 50 71 74 |....U......G.Pqt|\r\n000000e0 29 53 89 6d 9c ed 70 00 00 00 00 00 00 00 00 08 |)S.m..p.........|\r\n000000f0 00 48 00 a8 f4 31 b9 ab 4b e6 b4 f4 39 89 d6 b1 |.H...1..K...9...|\r\n00000100 da f6 1e ec b1 f0 54 3b 5e 3e 6a 71 b4 f7 75 c8 |......T;^>jq..u.| ```\r\n\r\n### Crash Information\r\n```\r\n% ./exc_handler FreeRDP-master/client/Mac/cli/MacFreeRDP.app/Contents/MacOS/MacFreeRDP /v:127.0.0.1:3377\r\n\r\n2017-05-09 15:41:35.334 
MacFreeRDP[17761:133607] void * _Nullable NSMapGet(NSMapTable * _Nonnull, const void * \r\n_Nullable): map table argument is NULL\r\n[15:41:35:626] [17761:00429000] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe\r\nMacFreeRDP(17761,0x7fff76107000) malloc: *** error for object 0x7ff62300ac08: incorrect checksum for freed object - object \r\nwas probably modified after being freed.\r\n*** set a breakpoint in malloc_error_break to debug\r\n\r\nCrashed thread log = \r\n: Dispatch queue: com.apple.main-thread\r\n0 libsystem_kernel.dylib 0x00007fff91f718ea __kill + 10\r\n1 libfreerdp2.2.dylib 0x000000010eac3e75 fatal_handler + 229\r\n2 libsystem_platform.dylib 0x00007fff88e0b52a _sigtramp + 26\r\n3 ??? 0x00007ff621801000 0 + 140695100723200\r\n4 libsystem_c.dylib 0x00007fff933af6df abort + 129\r\n5 libsystem_malloc.dylib 0x00007fff915db396 szone_error + 626\r\n6 libsystem_malloc.dylib 0x00007fff915d1373 small_free_list_remove_ptr + 152\r\n7 libsystem_malloc.dylib 0x00007fff915cfa7c szone_free_definite_size + 1790\r\n8 com.apple.CoreGraphics 0x00007fff8d9ed3e0 region_finalize + 44\r\n9 com.apple.CoreFoundation 0x00007fff85729af3 CFRelease + 371\r\n10 com.apple.CoreGraphics 0x00007fff8d9ed3af CGSReleaseRegion + 9\r\n11 com.apple.AppKit 0x00007fff8c92ea01 -[NSRegion dealloc] + 33\r\n12 com.apple.AppKit 0x00007fff8c99c4e1 -[_NSDisplayOperation dealloc] + 121\r\n13 com.apple.CoreFoundation 0x00007fff857a8b72 -[__NSArrayM removeObjectAtIndex:] + 290\r\n14 com.apple.AppKit 0x00007fff8c99c3a8 -[_NSDisplayOperationStack exitDisplayOperationForWindow:] + 449\r\n15 com.apple.AppKit 0x00007fff8c99d792 -[NSView \r\n_displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 4408\r\n16 com.apple.AppKit 0x00007fff8c9983f5 -[NSView displayIfNeeded] + 1950\r\n17 com.apple.AppKit 0x00007fff8c997c3c -[NSWindow displayIfNeeded] + 232\r\n18 com.apple.AppKit 0x00007fff8d01c41b ___NSWindowGetDisplayCycleObserver_block_invoke6365 + 
476\r\n19 com.apple.AppKit 0x00007fff8c9975d6 __37+[NSDisplayCycle currentDisplayCycle]_block_invoke + 941\r\n20 com.apple.QuartzCore 0x00007fff8374af71 CA::Transaction::run_commit_handlers(CATransactionPhase) + 85\r\n21 com.apple.QuartzCore 0x00007fff8374a42c CA::Context::commit_transaction(CA::Transaction*) + 160\r\n22 com.apple.QuartzCore 0x00007fff8374a0ec CA::Transaction::commit() + 508\r\n23 com.apple.QuartzCore 0x00007fff83755977 CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned \r\nlong, void*) + 71\r\n24 com.apple.CoreFoundation 0x00007fff857c5067 \r\n__CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23\r\n25 com.apple.CoreFoundation 0x00007fff857c4fd7 __CFRunLoopDoObservers + 391\r\n26 com.apple.CoreFoundation 0x00007fff857a3ef8 CFRunLoopRunSpecific + 328\r\n27 com.apple.HIToolbox 0x00007fff8bc5c935 RunCurrentEventLoopInMode + 235\r\n28 com.apple.HIToolbox 0x00007fff8bc5c677 ReceiveNextEventCommon + 184\r\n29 com.apple.HIToolbox 0x00007fff8bc5c5af _BlockUntilNextEventMatchingListInModeWithFilter + 71\r\n30 com.apple.AppKit 0x00007fff8c83fdf6 _DPSNextEvent + 1067\r\n31 com.apple.AppKit 0x00007fff8c83f226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + \r\n454\r\n32 com.apple.AppKit 0x00007fff8c833d80 -[NSApplication run] + 682\r\n33 com.apple.AppKit 0x00007fff8c7fd368 NSApplicationMain + 1176\r\n34 libdyld.dylib 0x00007fff836995ad start + 1\r\n\r\nlog name is: ./crashlogs/crashlog.txt\r\n---\r\nexception=EXC_CRASH:signal=6:is_exploitable=yes:instruction_disassembly=jae \r\nCONSTANT:instruction_address=0x00007fff91f718ea:access_type=:access_address=0x0000000000000000:\r\nThe crash is suspected to be an exploitable issue due to the suspicious function in the stack trace of the crashing thread: ' \r\nszone_error '\r\n```\r\n\r\n### Exploit Proof-of-Concept\r\nRun included Python server and connect FreeRDP Client to it.\r\n\r\n### Timeline\r\n* 2017-05-24 - Vendor Disclosure\r\n* 2017-07-24 - Public 
Release\r\n\r\n### CREDIT\r\n* Discovered by Tyler Bohan of Cisco Talos.", "published": "2017-09-13T00:00:00", "type": "seebug", "title": "FreeRDP Rdp Client License Recv Code Execution Vulnerability(CVE-2017-2834)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-2834"], "modified": "2017-09-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96457", "id": "SSV:96457", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-11-19T12:00:56", "description": "### Summary\r\nAn exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.\r\n\r\n### Tested Versions\r\nFreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux\r\n\r\n### Product URLs\r\nhttp://www.freerdp.com/\r\n\r\n### CVSSv3 Score\r\n6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\r\n\r\n### CWE\r\nCWE-190: Integer Overflow or Wraparound\r\n\r\n### Details\r\nFreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. 
The vulnerability arises in the license_read_product_info functionality.\r\n```\r\nBOOL license_read_product_info(wStream* s, LICENSE_PRODUCT_INFO* productInfo)\r\n{\r\n\r\n Stream_Read_UINT32(s, productInfo->cbCompanyName); /* cbCompanyName (4 bytes) */\r\n\r\n if (Stream_GetRemainingLength(s) < productInfo->cbCompanyName + 4) [1]\r\n return FALSE;\r\n\r\n productInfo->pbCompanyName = (BYTE*) malloc(productInfo->cbCompanyName); [2]\r\n if (!productInfo->pbCompanyName)\r\n return FALSE;\r\n Stream_Read(s, productInfo->pbCompanyName, productInfo->cbCompanyName); [3]\r\n```\r\nThe license_read_product_info function reads in an unsigned integer from the attacker controlled packet. The function then adds four to this value for a check against the remaining length, [1]. There are no checks to detect an overflow here, so an overly large value is able to be passed in. The malloc at [2] succeeds on a 64-bit system, causing an out-of-bounds read and a denial of service condition to arise at [3].\r\n\r\n### Crash Information\r\n```\r\n Crashed thread log = \r\n: Dispatch queue: com.apple.main-thread\r\n0 libsystem_kernel.dylib 0x00007fff955c6f72 mach_msg_trap + 10\r\n1 libsystem_kernel.dylib 0x00007fff955c63b3 mach_msg + 55\r\n2 com.apple.CoreFoundation 0x00007fff88e001c4 __CFRunLoopServiceMachPort + 212\r\n3 com.apple.CoreFoundation 0x00007fff88dff68c __CFRunLoopRun + 1356\r\n4 com.apple.CoreFoundation 0x00007fff88dfeed8 CFRunLoopRunSpecific + 296\r\n5 com.apple.HIToolbox 0x00007fff8f2b7935 RunCurrentEventLoopInMode + 235\r\n6 com.apple.HIToolbox 0x00007fff8f2b776f ReceiveNextEventCommon + 432\r\n7 com.apple.HIToolbox 0x00007fff8f2b75af _BlockUntilNextEventMatchingListInModeWithFilter + 71\r\n8 com.apple.AppKit 0x00007fff8fe9adf6 _DPSNextEvent + 1067\r\n9 com.apple.AppKit 0x00007fff8fe9a226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + \r\n454\r\n10 com.apple.AppKit 0x00007fff8fe8ed80 -[NSApplication run] + 682\r\n11 com.apple.AppKit 
0x00007fff8fe58368 NSApplicationMain + 1176\r\n12 libdyld.dylib 0x00007fff86cf45ad start + 1\r\n\r\nlog name is: ./crashlogs/1.crashlog.txt\r\n---\r\nexception=EXC_CRASH:signal=11:is_exploitable= \r\nno:instruction_disassembly=ret:instruction_address=0x00007fff955c6f72:access_type=:access_address=0x0000000000000000\r\n```\r\n### Exploit Proof-of-Concept\r\nRun included Python server and connect FreeRDP Client to it.\r\n\r\n### Timeline\r\n* 2017-05-24 - Vendor Disclosure\r\n* 2017-07-24 - Public Release\r\n\r\n### CREDIT\r\n* Discovered by Tyler Bohan of Cisco Talos.", "published": "2017-09-13T00:00:00", "type": "seebug", "title": "FreeRDP Rdp Client License Read Product Info Denial of Service Vulnerability(CVE-2017-2838)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-2838"], "modified": "2017-09-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96460", "id": "SSV:96460", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": ""}, {"lastseen": "2017-11-19T12:00:50", "description": "### Summary\r\nAn exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.\r\n\r\n### Tested Versions\r\nFreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux\r\n\r\n### Product URLs\r\nhttp://www.freerdp.com/\r\n\r\n### CVSSv3 Score\r\n6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\r\n\r\n### CWE\r\nCWE-252: Unchecked Return Value\r\n\r\n### Details\r\nFreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. 
The vulnerability arises from a failure to check a function's return value.\r\n```\r\nBOOL license_read_platform_challenge_packet(rdpLicense* license, wStream* s)\r\n{\r\n BYTE MacData[16];\r\n UINT32 ConnectFlags = 0;\r\n\r\n if (Stream_GetRemainingLength(s) < 4)\r\n return FALSE;\r\n\r\n\r\n license->EncryptedPlatformChallenge->type = BB_ANY_BLOB;\r\n license_read_binary_blob(s, license->EncryptedPlatformChallenge); [1]\r\n license->EncryptedPlatformChallenge->type = BB_ENCRYPTED_DATA_BLOB;\r\n\r\n if (Stream_GetRemainingLength(s) < 16)\r\n return FALSE;\r\n\r\n if (!license_decrypt_platform_challenge(license)) [2]\r\n```\r\n\r\nThe license structure is populated at [1], and the return value check is omitted. This newly populated license is then passed into a decryption function directly. Below is the code for license_read_binary_blob, [1].\r\n```\r\nBOOL license_read_binary_blob(wStream* s, LICENSE_BLOB* blob)\r\n{\r\n UINT16 wBlobType;\r\n\r\n\r\n Stream_Read_UINT16(s, wBlobType); /* wBlobType (2 bytes) */\r\n Stream_Read_UINT16(s, blob->length); /* wBlobLen (2 bytes) */\r\n\r\n if (Stream_GetRemainingLength(s) < blob->length) [3]\r\n return FALSE;\r\n\r\n ...\r\n\r\n blob->type = wBlobType;\r\n blob->data = (BYTE*) malloc(blob->length); [4]\r\n```\r\nIn the read_blob function we can see the length is read in directly from the packet and then checked against the stream length, [3]. This will exit the function if the check fails and return false. Recall that the previous function does not check the return value, so blob->data, [4], will not be initialized. 
The license_decrypt_platform_challenge function is shown below:\r\n```\r\nBOOL license_decrypt_platform_challenge(rdpLicense* license)\r\n{\r\n BOOL rc;\r\n WINPR_RC4_CTX* rc4;\r\n\r\n ...\r\n\r\n rc = winpr_RC4_Update(rc4, license->EncryptedPlatformChallenge->length,\r\n license->EncryptedPlatformChallenge->data, [5]\r\n license->PlatformChallenge->data);\r\n```\r\n\r\nThe license object is passed in and the EncryptedPlatformChallenge is used without validation, [5]. Recall the EncryptedPlatformChallenge data field is not set due to incorrect length so when the RC4 function attempts to use it a null pointer access happens and a denial of service condition arises.\r\n\r\n### Crash Information\r\n```\r\nCrashed thread log = \r\n: Dispatch queue: com.apple.main-thread\r\n0 com.apple.CoreGraphics 0x00007fff9109bb34 blt_pattern_blend_XXXX32 + 608\r\n1 com.apple.CoreGraphics 0x00007fff91058de4 argb32_mark + 19951\r\n2 libRIP.A.dylib 0x00007fff8f7e4cec RIPLayerBltShape + 1319\r\n3 libRIP.A.dylib 0x00007fff8f7e2713 ripc_Render + 319\r\n4 libRIP.A.dylib 0x00007fff8f7df1a2 ripc_DrawRects + 438\r\n5 com.apple.AppKit 0x00007fff900577cd __backing_store_DrawRects_block_invoke + 39\r\n6 com.apple.AppKit 0x00007fff90056a77 backing_store_delegate + 768\r\n7 com.apple.AppKit 0x00007fff900564fb backing_store_DrawRects + 1047\r\n8 com.apple.CoreGraphics 0x00007fff91050be7 CGContextFillRects + 107\r\n9 com.apple.CoreGraphics 0x00007fff91050b79 CGContextFillRect + 134\r\n10 com.apple.CoreGraphics 0x00007fff91098001 CGContextDrawImages + 3688\r\n11 com.apple.coreui 0x00007fff98fb858e _CUITileImageWithOperation + 365\r\n12 com.apple.coreui 0x00007fff98fb4e78 DrawOnePartElementFromRenditionWithOperation + 993\r\n13 com.apple.coreui 0x00007fff98fbdc5a -[CUIThemeFacet \r\n_drawSpecificRenditionKey:rendition:inFrame:context:alpha:operation:isFocused:isFlipped:] + 594\r\n14 com.apple.coreui 0x00007fff98fbd91a -[CUIThemeFacet \r\n_drawSpecificRenditionKey:inFrame:context:isFocused:isFlipped:] 
+ 163\r\n15 com.apple.coreui 0x00007fff98fbbc32 -[CUIThemeFacet drawInFrame:isFocused:context:] + 137\r\n16 com.apple.coreui 0x00007fff98fd8f68 CUICoreThemeRenderer::DrawWindowFrameStandardNew(CUIDescriptor \r\nconst*) + 1558\r\n17 com.apple.coreui 0x00007fff98f5a065 CUIRenderer::Draw(CGRect, CGContext*, __CFDictionary const*, \r\n__CFDictionary const**) + 2341\r\n18 com.apple.coreui 0x00007fff98f5c992 CUIDraw + 175\r\n19 com.apple.AppKit 0x00007fff8ffeed25 __44-[NSAppearance _drawInRect:context:options:]_block_invoke + 64\r\n20 com.apple.AppKit 0x00007fff8fe55e91 -[NSCompositeAppearance _callCoreUIWithBlock:] + 183\r\n21 com.apple.AppKit 0x00007fff8ffeecde -[NSAppearance _drawInRect:context:options:] + 127\r\n22 com.apple.AppKit 0x00007fff900c0699 -[NSThemeFrame _maskCorners:clipRect:] + 259\r\n23 com.apple.AppKit 0x00007fff90612b0d -[NSThemeFrame _drawTransparentTitlebarInRect:] + 173\r\n24 com.apple.AppKit 0x00007fff900bd6b3 -[NSThemeFrame _drawUnifiedToolbar:] + 181\r\n25 com.apple.AppKit 0x00007fff900bd480 -[NSThemeFrame _drawTitleBar:] + 104\r\n26 com.apple.AppKit 0x00007fff900bd411 -[NSThemeFrame _drawFrameInterior:clip:] + 83\r\n27 com.apple.AppKit 0x00007fff900bd3b1 -[NSThemeFrame drawFrame:] + 892\r\n28 com.apple.AppKit 0x00007fff900bcf98 -[NSFrameView drawRect:] + 1098\r\n29 com.apple.AppKit 0x00007fff900bcb33 -[NSThemeFrame drawRect:] + 280\r\n30 com.apple.AppKit 0x00007fff8fffcc86 -[NSView _drawRect:clip:] + 3550\r\n31 com.apple.AppKit 0x00007fff8fffacf5 -[NSView \r\n_recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3136\r\n32 com.apple.AppKit 0x00007fff8fff9be0 -[NSThemeFrame \r\n_recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 334\r\n33 com.apple.AppKit 0x00007fff8fff7feb -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] \r\n+ 2449\r\n34 com.apple.AppKit 0x00007fff8fff33f5 -[NSView displayIfNeeded] + 1950\r\n35 com.apple.AppKit 
0x00007fff8fff2c3c -[NSWindow displayIfNeeded] + 232\r\n36 com.apple.AppKit 0x00007fff9067741b ___NSWindowGetDisplayCycleObserver_block_invoke6365 + 476\r\n37 com.apple.AppKit 0x00007fff8fff25d6 __37+[NSDisplayCycle currentDisplayCycle]_block_invoke + 941\r\n38 com.apple.QuartzCore 0x00007fff86da5f71 CA::Transaction::run_commit_handlers(CATransactionPhase) + 85\r\n39 com.apple.QuartzCore 0x00007fff86da542c CA::Context::commit_transaction(CA::Transaction*) + 160\r\n40 com.apple.QuartzCore 0x00007fff86da50ec CA::Transaction::commit() + 508\r\n41 com.apple.QuartzCore 0x00007fff86db0977 CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned \r\nlong, void*) + 71\r\n42 com.apple.CoreFoundation 0x00007fff88e20067 \r\n__CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23\r\n43 com.apple.CoreFoundation 0x00007fff88e1ffd7 __CFRunLoopDoObservers + 391\r\n44 com.apple.CoreFoundation 0x00007fff88dfeef8 CFRunLoopRunSpecific + 328\r\n45 com.apple.HIToolbox 0x00007fff8f2b7935 RunCurrentEventLoopInMode + 235\r\n46 com.apple.HIToolbox 0x00007fff8f2b7677 ReceiveNextEventCommon + 184\r\n47 com.apple.HIToolbox 0x00007fff8f2b75af _BlockUntilNextEventMatchingListInModeWithFilter + 71\r\n48 com.apple.AppKit 0x00007fff8fe9adf6 _DPSNextEvent + 1067\r\n49 com.apple.AppKit 0x00007fff8fe9a226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + \r\n454\r\n50 com.apple.AppKit 0x00007fff8fe8ed80 -[NSApplication run] + 682\r\n51 com.apple.AppKit 0x00007fff8fe58368 NSApplicationMain + 1176\r\n52 libdyld.dylib 0x00007fff86cf45ad start + 1\r\n\r\nlog name is: ./crashlogs/1.crashlog.txt\r\n---\r\nexception=EXC_CRASH:signal=11:is_exploitable= no:instruction_disassembly=.byte 0xc4 #bad \r\nopcode:instruction_address=0x00007fff9109bb34:access_type=:access_address=0x0000000000000000:\r\n```\r\n\r\n### Exploit Proof-of-Concept\r\nRun included Python server and connect FreeRDP Client to it.\r\n\r\n### Timeline\r\n* 2017-05-24 - Vendor Disclosure\r\n* 2017-07-24 
- Public Release\r\n\r\n### CREDIT\r\n* Discovered by Tyler Bohan of Cisco Talos.", "published": "2017-09-13T00:00:00", "type": "seebug", "title": "FreeRDP Rdp Client License Read Challenge Packet Denial of Service Vulnerability(CVE-2017-2839)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-2839"], "modified": "2017-09-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96461", "id": "SSV:96461", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": ""}, {"lastseen": "2017-11-19T11:58:03", "description": "### Summary\r\nAn exploitable denial of service vulnerability exists within the reading of proprietary server certificates in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.\r\n\r\n### Tested Versions\r\nFreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux\r\n\r\n### Product URLs\r\nhttp://www.freerdp.com/\r\n\r\n### CVSSv3 Score\r\n6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\r\n\r\n### CWE\r\nCWE-190: Integer Overflow or Wraparound\r\n\r\n### Details\r\nFreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. The vulnerability arises in the parsing of proprietary certificates.\r\n```\r\nstatic BOOL certificate_process_server_public_key(rdpCertificate* certificate, wStream* s, UINT32 length)\r\n{\r\n BYTE magic[4];\r\n UINT32 keylen;\r\n UINT32 bitlen;\r\n UINT32 datalen;\r\n UINT32 modlen;\r\n\r\n ... 
\r\n\r\n Stream_Read_UINT32(s, keylen);\r\n Stream_Read_UINT32(s, bitlen);\r\n Stream_Read_UINT32(s, datalen); \r\n modlen = keylen - 8; [1]\r\n\r\n if (Stream_GetRemainingLength(s) < modlen + 8) // count padding [2]\r\n return FALSE;\r\n\r\n certificate->cert_info.ModulusLength = modlen;\r\n certificate->cert_info.Modulus = malloc(certificate->cert_info.ModulusLength); [3]\r\n\r\n if (!certificate->cert_info.Modulus)\r\n return FALSE;\r\n\r\n Stream_Read(s, certificate->cert_info.Modulus, certificate->cert_info.ModulusLength); [4]\r\n```\r\n\r\nIn processing a servers proprietary certificate, the function calls out to read the public key. It takes the key length directly from the packet and decrements eight from it, [1]. It then does a check on the length by adding the eight back and comparing it to the stream length. The vulnerability arises here when a value less than eight is passed in. It passes the check but wraps around and causes a large allocation to be made, [3]. The denial of service arises at, [4] when the stream is now read into the oversized buffer and an out-of-bounds read occurs.\r\n\r\n### Crash Information\r\n```\r\nCrashed thread log = \r\n: Dispatch queue: com.apple.main-thread\r\n0 com.apple.CoreGraphics 0x00007fff8e8fc4de argb32_image_mark_RGB32 + 423\r\n1 com.apple.CoreGraphics 0x00007fff8e8fc29d argb32_image_mark_image + 1085\r\n2 com.apple.CoreGraphics 0x00007fff8e8b3d92 argb32_image + 5050\r\n3 libRIP.A.dylib 0x00007fff8d02d4f2 ripl_Mark + 23\r\n4 libRIP.A.dylib 0x00007fff8d02d491 RIPLayerBltImage + 1185\r\n5 libRIP.A.dylib 0x00007fff8d02ad0a ripc_DrawImage + 1151\r\n6 com.apple.CoreGraphics 0x00007fff8e90d37f CGContextDelegateDrawImage + 48\r\n7 com.apple.AppKit 0x00007fff8d89b1c8 __backing_store_DrawImage_block_invoke + 70\r\n8 com.apple.AppKit 0x00007fff8d896a77 backing_store_delegate + 768\r\n9 com.apple.AppKit 0x00007fff8d89b137 backing_store_DrawImage + 525\r\n10 com.apple.CoreGraphics 0x00007fff8e8a1813 CGContextDrawImageWithOptions 
+ 571\r\n11 com.apple.CoreGraphics 0x00007fff8e8d7b23 CGContextDrawImages + 2442\r\n12 com.apple.coreui 0x00007fff967f7cce DrawNinePartImageWithOperation + 5357\r\n13 com.apple.coreui 0x00007fff967f67c2 DrawNinePartElementFromRenditionWithOperation + 471\r\n14 com.apple.coreui 0x00007fff967fdcce -[CUIThemeFacet \r\n_drawSpecificRenditionKey:rendition:inFrame:context:alpha:operation:isFocused:isFlipped:] + 710\r\n15 com.apple.coreui 0x00007fff967fd91a -[CUIThemeFacet \r\n_drawSpecificRenditionKey:inFrame:context:isFocused:isFlipped:] + 163\r\n16 com.apple.coreui 0x00007fff967fbc32 -[CUIThemeFacet drawInFrame:isFocused:context:] + 137\r\n17 com.apple.coreui 0x00007fff96819500 CUICoreThemeRenderer::DrawWindowFrameStandardNew(CUIDescriptor \r\nconst*) + 2990\r\n18 com.apple.coreui 0x00007fff9679a065 CUIRenderer::Draw(CGRect, CGContext*, __CFDictionary const*, \r\n__CFDictionary const**) + 2341\r\n19 com.apple.coreui 0x00007fff9679c992 CUIDraw + 175\r\n20 com.apple.AppKit 0x00007fff8d82ed25 __44-[NSAppearance _drawInRect:context:options:]_block_invoke + 64\r\n21 com.apple.AppKit 0x00007fff8d695e91 -[NSCompositeAppearance _callCoreUIWithBlock:] + 183\r\n22 com.apple.AppKit 0x00007fff8d82ecde -[NSAppearance _drawInRect:context:options:] + 127\r\n23 com.apple.AppKit 0x00007fff8d900699 -[NSThemeFrame _maskCorners:clipRect:] + 259\r\n24 com.apple.AppKit 0x00007fff8de52b0d -[NSThemeFrame _drawTransparentTitlebarInRect:] + 173\r\n25 com.apple.AppKit 0x00007fff8d8fd6b3 -[NSThemeFrame _drawUnifiedToolbar:] + 181\r\n26 com.apple.AppKit 0x00007fff8d8fd480 -[NSThemeFrame _drawTitleBar:] + 104\r\n27 com.apple.AppKit 0x00007fff8d8fd411 -[NSThemeFrame _drawFrameInterior:clip:] + 83\r\n28 com.apple.AppKit 0x00007fff8d8fd3b1 -[NSThemeFrame drawFrame:] + 892\r\n29 com.apple.AppKit 0x00007fff8d8fcf98 -[NSFrameView drawRect:] + 1098\r\n30 com.apple.AppKit 0x00007fff8d8fcb33 -[NSThemeFrame drawRect:] + 280\r\n31 com.apple.AppKit 0x00007fff8d83cc86 -[NSView _drawRect:clip:] + 3550\r\n32 
com.apple.AppKit 0x00007fff8d83acf5 -[NSView \r\n_recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3136\r\n33 com.apple.AppKit 0x00007fff8d839be0 -[NSThemeFrame \r\n_recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 334\r\n34 com.apple.AppKit 0x00007fff8d837feb -[NSView \r\n_displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 2449\r\n35 com.apple.AppKit 0x00007fff8d8333f5 -[NSView displayIfNeeded] + 1950\r\n36 com.apple.AppKit 0x00007fff8d832c3c -[NSWindow displayIfNeeded] + 232\r\n37 com.apple.AppKit 0x00007fff8deb741b ___NSWindowGetDisplayCycleObserver_block_invoke6365 + 476\r\n38 com.apple.AppKit 0x00007fff8d8325d6 __37+[NSDisplayCycle currentDisplayCycle]_block_invoke + 941\r\n39 com.apple.QuartzCore 0x00007fff845e5f71 CA::Transaction::run_commit_handlers(CATransactionPhase) + 85\r\n40 com.apple.QuartzCore 0x00007fff845e542c CA::Context::commit_transaction(CA::Transaction*) + 160\r\n41 com.apple.QuartzCore 0x00007fff845e50ec CA::Transaction::commit() + 508\r\n42 com.apple.QuartzCore 0x00007fff845f0977 CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned \r\nlong, void*) + 71\r\n43 com.apple.CoreFoundation 0x00007fff86660067 \r\n__CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23\r\n44 com.apple.CoreFoundation 0x00007fff8665ffd7 __CFRunLoopDoObservers + 391\r\n45 com.apple.CoreFoundation 0x00007fff8663eef8 CFRunLoopRunSpecific + 328\r\n46 com.apple.HIToolbox 0x00007fff8caf7935 RunCurrentEventLoopInMode + 235\r\n47 com.apple.HIToolbox 0x00007fff8caf7677 ReceiveNextEventCommon + 184\r\n48 com.apple.HIToolbox 0x00007fff8caf75af _BlockUntilNextEventMatchingListInModeWithFilter + 71\r\n49 com.apple.AppKit 0x00007fff8d6dadf6 _DPSNextEvent + 1067\r\n50 com.apple.AppKit 0x00007fff8d6da226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] \r\n454 51 com.apple.AppKit 0x00007fff8d6ced80 -[NSApplication run] + 682 52 
com.apple.AppKit 0x00007fff8d698368 NSApplicationMain + 1176 53 libdyld.dylib 0x00007fff845345ad start + 1\r\nlog name is: ./crashlogs/1.crashlog.txt\r\nexception=EXCCRASH:signal=11:isexploitable= no:instructiondisassembly=cmpq $CONSTANT,%rax:instructionaddress=0x00007fff8e8fc4de:accesstype=:accessaddress=0x0000000000000000:\r\n```\r\n### Exploit Proof-of-Concept\r\nRun included Python server and connect FreeRDP Client to it.\r\n\r\n### Timeline\r\n* 2017-05-24 - Vendor Disclosure\r\n* 2017-07-24 - Public Release\r\n\r\n### CREDIT\r\n* Discovered by Tyler Bohan of Cisco Talos.", "published": "2017-09-13T00:00:00", "type": "seebug", "title": "FreeRDP Rdp Client Read Server Proprietary Certificate Denial of Service Vulnerability(CVE-2017-2836)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-2836"], "modified": "2017-09-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96458", "id": "SSV:96458", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-11-19T11:57:45", "description": "### Summary\r\nAn exploitable denial of service vulnerability exists within the handling of security data in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.\r\n\r\n### Tested Versions\r\nFreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux\r\n\r\n### Product URLs\r\nhttp://www.freerdp.com/\r\n\r\n### CVSSv3 Score\r\n6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\r\n\r\n### CWE\r\nCWE-190: Integer Overflow or Wraparound\r\n\r\n### Details\r\nFreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. 
The vulnerability arises in the gcc_read_server_security_data function.\r\n```\r\nBOOL gcc_read_server_security_data(wStream* s, rdpMcs* mcs) {\r\n\r\n ...\r\n\r\n Stream_Read_UINT32(s, settings->ServerRandomLength); /* serverRandomLen */\r\n Stream_Read_UINT32(s, settings->ServerCertificateLength); /* serverCertLen */ [1]\r\n\r\n if (Stream_GetRemainingLength(s) < settings->ServerRandomLength + settings->ServerCertificateLength) [2]\r\n return FALSE;\r\n\r\n if ((settings->ServerRandomLength <= 0) || (settings->ServerCertificateLength <= 0))\r\n return FALSE;\r\n\r\n /* serverRandom */\r\n settings->ServerRandom = (BYTE*) malloc(settings->ServerRandomLength);\r\n\r\n if (!settings->ServerRandom)\r\n return FALSE;\r\n\r\n Stream_Read(s, settings->ServerRandom, settings->ServerRandomLength); [3]\r\n /* serverCertificate */\r\n settings->ServerCertificate = (BYTE*) malloc(settings->ServerCertificateLength);\r\n\r\n if (!settings->ServerCertificate)\r\n return FALSE;\r\n\r\n Stream_Read(s, settings->ServerCertificate, settings->ServerCertificateLength);\r\n certificate_free(settings->RdpServerCertificate);\r\n```\r\nThe read_server_security_data function reads in two length values from the packet, [1]. It then does an obscure check to ensure that it is not going over the value of the remaining length. With both of these values being taken from the packet it is simple to overflow this check and continue on with a larger length than what is available. 
When the client attempts to read data of this overly large length from the buffer, an out-of-bounds read occurs and an exploitable denial of service condition arises.\r\n\r\n### Crash Information\r\n```\r\n Crashed thread log = \r\n: Dispatch queue: com.apple.main-thread\r\n0 libsystem_kernel.dylib 0x00007fff955c6f72 mach_msg_trap + 10\r\n1 libsystem_kernel.dylib 0x00007fff955c63b3 mach_msg + 55\r\n2 com.apple.CoreFoundation 0x00007fff88e001c4 __CFRunLoopServiceMachPort + 212\r\n3 com.apple.CoreFoundation 0x00007fff88dff68c __CFRunLoopRun + 1356\r\n4 com.apple.CoreFoundation 0x00007fff88dfeed8 CFRunLoopRunSpecific + 296\r\n5 com.apple.HIToolbox 0x00007fff8f2b7935 RunCurrentEventLoopInMode + 235\r\n6 com.apple.HIToolbox 0x00007fff8f2b776f ReceiveNextEventCommon + 432\r\n7 com.apple.HIToolbox 0x00007fff8f2b75af _BlockUntilNextEventMatchingListInModeWithFilter + 71\r\n8 com.apple.AppKit 0x00007fff8fe9adf6 _DPSNextEvent + 1067\r\n9 com.apple.AppKit 0x00007fff8fe9a226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + \r\n454\r\n10 com.apple.AppKit 0x00007fff8fe8ed80 -[NSApplication run] + 682\r\n11 com.apple.AppKit 0x00007fff8fe58368 NSApplicationMain + 1176\r\n12 libdyld.dylib 0x00007fff86cf45ad start + 1\r\n\r\nlog name is: ./crashlogs/1.crashlog.txt\r\n---\r\nexception=EXC_CRASH:signal=11:is_exploitable= \r\nno:instruction_disassembly=ret:instruction_address=0x00007fff955c6f72:access_type=:access_address=0x0000000000000000\r\n```\r\n\r\n### Exploit Proof-of-Concept\r\nRun included Python server and connect FreeRDP Client to it.\r\n\r\n### Timeline\r\n* 2017-05-24 - Vendor Disclosure\r\n* 2017-07-24 - Public Release\r\n\r\n### CREDIT\r\n* Discovered by Tyler Bohan of Cisco Talos.", "published": "2017-09-13T00:00:00", "type": "seebug", "title": "FreeRDP Rdp Client GCC Read Server Security Data Denial of Service Vulnerability(CVE-2017-2837)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-2837"], "modified": "2017-09-13T00:00:00", "href": 
"https://www.seebug.org/vuldb/ssvid-96459", "id": "SSV:96459", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "talos": [{"lastseen": "2019-05-29T19:19:52", "bulletinFamily": "info", "cvelist": ["CVE-2017-2835"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0337\n\n## FreeRDP Rdp Client Recv RDP Code Execution Vulnerability\n\n##### July 24, 2017\n\n##### CVE Number\n\nCVE-2017-2835\n\n### Summary\n\nAn exploitable code execution vulnerability exists in the RDP receive functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle to trigger this vulnerability.\n\n### Tested Versions\n\nFreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux\n\n### Product URLs\n\n<http://www.freerdp.com/>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H\n\n### CWE\n\nCWE-129: Improper Validation of Array Index\n\n### Details\n\nFreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. 
The vulnerability arises in using untrusted data in handling the reception of a RDP packet with the server.\n \n \n static int rdp_recv_tpkt_pdu(rdpRdp* rdp, wStream* s)\n {\n UINT16 length;\n UINT16 pduType;\n UINT16 pduLength;\n UINT16 pduSource;\n UINT16 channelId = 0;\n UINT16 securityFlags = 0;\n int nextPosition;\n \n \n if (!rdp_read_header(rdp, s, &length, &channelId)) [1]\n { \n \n ...\n \n if (rdp->settings->UseRdpSecurityLayer)\n {\n if (!rdp_read_security_header(s, &securityFlags)) [2]\n {\n ...\n \n if (securityFlags & (SEC_ENCRYPT | SEC_REDIRECTION_PKT))\n {\n if (!rdp_decrypt(rdp, s, length - 4, securityFlags)) [3]\n {\n \n\nAt [1], the RDP header is read in and a local variable, length, is assigned a value directly from the attacker controlled packet. Another value, [2], is read in from the packet to determine if encryption is set on this packet. This check is simply ANDing a value in the packet with a constant and is easily passed. Four is then subtracted from the value of length, [3], and the result is passed into a decryption function. If the attacker supplies a value less than four a negative value will be passed into decrypt. The attacker controlled length value goes through multiple functions and ends up passed in directly to the OpenSSL RC4 function call. This causes the program to write attacker-influenced data out of bounds, causing a potentially exploitable condition to arise. 
A hexdump of the attacker controlled packet is below with the bytes pertaining to the length marked.\n \n \n 00000000 03 00 00 28 02 f0 80 68 00 01 03 eb 70 [03] 08 04 |...(...h....p...| <-------\n 00000010 00 00 16 00 17 00 ea 03 ea 03 01 00 00 01 08 00 |................|\n 00000020 1f 00 00 00 01 00 ea 03 03 00 00 2c 02 f0 80 68 |...........,...h|\n 00000030 00 01 03 eb 70 1e 00 00 00 00 1a 00 17 00 ea 03 |....p...........|\n 00000040 ea 03 01 00 00 01 0c 00 14 00 00 00 04 00 00 00 |................|\n 00000050 ea 03 00 00 03 00 00 2c 02 f0 80 68 00 01 03 eb |.......,...h....|\n 00000060 70 1e 00 00 00 00 1a 00 17 00 ea 03 ea 03 01 00 |p...............|\n 00000070 00 01 0c 00 14 00 00 00 02 00 00 00 ea 03 00 00 |................|\n 00000080 03 00 00 d1 02 f0 80 68 00 01 03 eb 70 80 c2 00 |.......h....p...|\n 00000090 00 00 00 be 00 17 00 ea 03 ea 03 01 00 00 01 b0 |................|\n \n\n### Crash Information\n \n \n Crashed thread log = \n : Dispatch queue: com.apple.main-thread\n 0 libgmalloc.dylib 0x00000001037ef54a GuardMalloc_mallocInternal + 1136\n 1 libgmalloc.dylib 0x00000001037eee70 GuardMalloc_calloc + 81\n 2 libsystem_malloc.dylib 0x00007fff94c2b9a6 malloc_zone_calloc + 78\n 3 libsystem_malloc.dylib 0x00007fff94c2c462 calloc + 49\n 4 libobjc.A.dylib 0x00007fff9988a330 allocateBuckets(unsigned int) + 30\n 5 libobjc.A.dylib 0x00007fff9987fc53 cache_t::reallocate(unsigned int, unsigned int) + 43\n 6 libobjc.A.dylib 0x00007fff9987f693 cache_fill + 177\n 7 libobjc.A.dylib 0x00007fff9987edfc lookUpImpOrForward + 423\n 8 libobjc.A.dylib 0x00007fff99879591 objc_msgSend + 209\n 9 com.apple.AppKit 0x00007fff8ffa8a52 -[NSCell dealloc] + 364\n 10 com.apple.AppKit 0x00007fff8ffa88cd -[NSActionCell dealloc] + 116\n 11 com.apple.AppKit 0x00007fff8ffa8dfd -[NSButtonCell dealloc] + 395\n 12 com.apple.AppKit 0x00007fff8ffa85b9 -[NSControl dealloc] + 83\n 13 com.apple.AppKit 0x00007fff9018d510 -[NSAlert dealloc] + 104\n 14 com.apple.CoreFoundation 0x00007fff88dab5a8 
-[__NSArrayI dealloc] + 120\n 15 libobjc.A.dylib 0x00007fff9987eb3b (anonymous namespace)::AutoreleasePoolPage::pop(void*) + 477\n 16 com.apple.CoreFoundation 0x00007fff88dbec12 _CFAutoreleasePoolPop + 50\n 17 com.apple.Foundation 0x00007fff887659ea -[NSAutoreleasePool drain] + 153\n 18 com.apple.Foundation 0x00007fff887a25ba _NSAppleEventManagerGenericHandler + 121\n 19 com.apple.AE 0x00007fff87c47261 aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) \n + 531\n 20 com.apple.AE 0x00007fff87c46fe8 dispatchEventAndSendReply(AEDesc const*, AEDesc*) + 31\n 21 com.apple.AE 0x00007fff87c46f04 aeProcessAppleEvent + 288\n 22 com.apple.HIToolbox 0x00007fff8f2c7af9 AEProcessAppleEvent + 55\n 23 com.apple.AppKit 0x00007fff8fe9b290 _DPSNextEvent + 2245\n 24 com.apple.AppKit 0x00007fff8fe9a226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + \n 454\n 25 com.apple.AppKit 0x00007fff8fe8ed80 -[NSApplication run] + 682\n 26 com.apple.AppKit 0x00007fff8fe58368 NSApplicationMain + 1176\n 27 libdyld.dylib 0x00007fff86cf45ad start + 1\n \n log name is: ./crashlogs/1.crashlog.txt\n ---\n exception=EXC_CRASH:signal=11:is_exploitable=yes:instruction_disassembly=movq %rax,CONSTANT(%rdi,%rsi):instruction_address=0x00000001037ef54a:access_type=:access_address=0x0000000000000000:\n The crash is suspected to be an exploitable issue due to the suspicious function in the stack trace of the crashing thread: ' calloc ' \n \n\n### Exploit Proof-of-Concept\n\nRun included Python server and connect FreeRDP Client to it.\n\n### Timeline\n\n2017-05-24 - Vendor Disclosure \n2017-07-24 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2017-0338\n\nPrevious Report\n\nTALOS-2017-0336\n", "edition": 10, "modified": "2017-07-24T00:00:00", "published": "2017-07-24T00:00:00", "id": "TALOS-2017-0337", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0337", 
"title": "FreeRDP Rdp Client Recv RDP Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T19:20:03", "bulletinFamily": "info", "cvelist": ["CVE-2017-2838"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0340\n\n## FreeRDP Rdp Client License Read Product Info Denial of Service Vulnerability\n\n##### July 24, 2017\n\n##### CVE Number\n\nCVE-2017-2838 \n\n### Summary\n\nAn exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.\n\n### Tested Versions\n\nFreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux\n\n### Product URLs\n\n<http://www.freerdp.com/>\n\n### CVSSv3 Score\n\n6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-190: Integer Overflow or Wraparound\n\n### Details\n\nFreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. The vulnerability arises in the license_read_product_info functionality.\n \n \n BOOL license_read_product_info(wStream* s, LICENSE_PRODUCT_INFO* productInfo)\n {\n \n Stream_Read_UINT32(s, productInfo->cbCompanyName); /* cbCompanyName (4 bytes) */\n \n if (Stream_GetRemainingLength(s) < productInfo->cbCompanyName + 4) [1]\n return FALSE;\n \n productInfo->pbCompanyName = (BYTE*) malloc(productInfo->cbCompanyName); [2]\n if (!productInfo->pbCompanyName)\n return FALSE;\n Stream_Read(s, productInfo->pbCompanyName, productInfo->cbCompanyName); [3]\n \n\nThe license_read_product_info function reads in an unsigned integer from the attacker controlled packet. 
The function then adds four to this value for a check against the remaining length, [1]. There are no checks to detect an overflow here so an overly large value is able to be passed in. The malloc at, [2], succeeds on a 64 bit system causing an out of bounds read and denial of service condition to arise at, [3].\n\n### Crash Information\n \n \n Crashed thread log = \n : Dispatch queue: com.apple.main-thread\n 0 libsystem_kernel.dylib 0x00007fff955c6f72 mach_msg_trap + 10\n 1 libsystem_kernel.dylib 0x00007fff955c63b3 mach_msg + 55\n 2 com.apple.CoreFoundation 0x00007fff88e001c4 __CFRunLoopServiceMachPort + 212\n 3 com.apple.CoreFoundation 0x00007fff88dff68c __CFRunLoopRun + 1356\n 4 com.apple.CoreFoundation 0x00007fff88dfeed8 CFRunLoopRunSpecific + 296\n 5 com.apple.HIToolbox 0x00007fff8f2b7935 RunCurrentEventLoopInMode + 235\n 6 com.apple.HIToolbox 0x00007fff8f2b776f ReceiveNextEventCommon + 432\n 7 com.apple.HIToolbox 0x00007fff8f2b75af _BlockUntilNextEventMatchingListInModeWithFilter + 71\n 8 com.apple.AppKit 0x00007fff8fe9adf6 _DPSNextEvent + 1067\n 9 com.apple.AppKit 0x00007fff8fe9a226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + \n 454\n 10 com.apple.AppKit 0x00007fff8fe8ed80 -[NSApplication run] + 682\n 11 com.apple.AppKit 0x00007fff8fe58368 NSApplicationMain + 1176\n 12 libdyld.dylib 0x00007fff86cf45ad start + 1\n \n log name is: ./crashlogs/1.crashlog.txt\n ---\n exception=EXC_CRASH:signal=11:is_exploitable= \n no:instruction_disassembly=ret:instruction_address=0x00007fff955c6f72:access_type=:access_address=0x0000000000000000\n \n\n### Exploit Proof-of-Concept\n\nRun included Python server and connect FreeRDP Client to it.\n\n### Timeline\n\n2017-05-24 - Vendor Disclosure \n2017-07-24 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2017-0341\n\nPrevious Report\n\nTALOS-2017-0339\n", "edition": 9, "modified": "2017-07-24T00:00:00", "published": 
"2017-07-24T00:00:00", "id": "TALOS-2017-0340", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0340", "title": "FreeRDP Rdp Client License Read Product Info Denial of Service Vulnerability", "type": "talos", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-01T21:24:53", "bulletinFamily": "info", "cvelist": ["CVE-2017-2839"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0341\n\n## FreeRDP Rdp Client License Read Challenge Packet Denial of Service Vulnerability\n\n##### July 24, 2017\n\n##### CVE Number\n\nCVE-2017-2839 \n\n### Summary\n\nAn exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.\n\n### Tested Versions\n\nFreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux\n\n### Product URLs\n\n<http://www.freerdp.com/>\n\n### CVSSv3 Score\n\n6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-252: Unchecked Return Value\n\n### Details\n\nFreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. 
The vulnerability arises due to failure to check the return value result.\n \n \n BOOL license_read_platform_challenge_packet(rdpLicense* license, wStream* s)\n {\n BYTE MacData[16];\n UINT32 ConnectFlags = 0;\n \n if (Stream_GetRemainingLength(s) < 4)\n return FALSE;\n \n \n license->EncryptedPlatformChallenge->type = BB_ANY_BLOB;\n license_read_binary_blob(s, license->EncryptedPlatformChallenge); [1]\n license->EncryptedPlatformChallenge->type = BB_ENCRYPTED_DATA_BLOB;\n \n if (Stream_GetRemainingLength(s) < 16)\n return FALSE;\n \n if (!license_decrypt_platform_challenge(license)) [2]\n \n\nThe license structure is populated at, [1],and a return value check is omitted. This newly populated license is then passed into a decryption function directly. Below is the code for license_read_binary_blob, [1].\n \n \n BOOL license_read_binary_blob(wStream* s, LICENSE_BLOB* blob)\n {\n UINT16 wBlobType;\n \n \n Stream_Read_UINT16(s, wBlobType); /* wBlobType (2 bytes) */\n Stream_Read_UINT16(s, blob->length); /* wBlobLen (2 bytes) */\n \n if (Stream_GetRemainingLength(s) < blob->length) [3]\n return FALSE;\n \n ...\n \n blob->type = wBlobType;\n blob->data = (BYTE*) malloc(blob->length); [4]\n \n\nIn the read_blob function we can see the length is read in directly from the packet and then checked against the stream length, [3]. This will exit the function if the check fails and return false. Recall that the previous function does not check the return value so the type blob->data,[4], will not be initialized. The license_decrypt_platform_challenge function is shown below:\n \n \n BOOL license_decrypt_platform_challenge(rdpLicense* license)\n {\n BOOL rc;\n WINPR_RC4_CTX* rc4;\n \n ...\n \n rc = winpr_RC4_Update(rc4, license->EncryptedPlatformChallenge->length,\n license->EncryptedPlatformChallenge->data, [5]\n license->PlatformChallenge->data);\n \n\nThe license object is passed in and the EncryptedPlatformChallenge is used without validation, [5]. 
Recall the EncryptedPlatformChallenge data field is not set due to incorrect length so when the RC4 function attempts to use it a null pointer access happens and a denial of service condition arises.\n\n### Crash Information\n \n \n Crashed thread log = \n : Dispatch queue: com.apple.main-thread\n 0 com.apple.CoreGraphics 0x00007fff9109bb34 blt_pattern_blend_XXXX32 + 608\n 1 com.apple.CoreGraphics 0x00007fff91058de4 argb32_mark + 19951\n 2 libRIP.A.dylib 0x00007fff8f7e4cec RIPLayerBltShape + 1319\n 3 libRIP.A.dylib 0x00007fff8f7e2713 ripc_Render + 319\n 4 libRIP.A.dylib 0x00007fff8f7df1a2 ripc_DrawRects + 438\n 5 com.apple.AppKit 0x00007fff900577cd __backing_store_DrawRects_block_invoke + 39\n 6 com.apple.AppKit 0x00007fff90056a77 backing_store_delegate + 768\n 7 com.apple.AppKit 0x00007fff900564fb backing_store_DrawRects + 1047\n 8 com.apple.CoreGraphics 0x00007fff91050be7 CGContextFillRects + 107\n 9 com.apple.CoreGraphics 0x00007fff91050b79 CGContextFillRect + 134\n 10 com.apple.CoreGraphics 0x00007fff91098001 CGContextDrawImages + 3688\n 11 com.apple.coreui 0x00007fff98fb858e _CUITileImageWithOperation + 365\n 12 com.apple.coreui 0x00007fff98fb4e78 DrawOnePartElementFromRenditionWithOperation + 993\n 13 com.apple.coreui 0x00007fff98fbdc5a -[CUIThemeFacet \n _drawSpecificRenditionKey:rendition:inFrame:context:alpha:operation:isFocused:isFlipped:] + 594\n 14 com.apple.coreui 0x00007fff98fbd91a -[CUIThemeFacet \n _drawSpecificRenditionKey:inFrame:context:isFocused:isFlipped:] + 163\n 15 com.apple.coreui 0x00007fff98fbbc32 -[CUIThemeFacet drawInFrame:isFocused:context:] + 137\n 16 com.apple.coreui 0x00007fff98fd8f68 CUICoreThemeRenderer::DrawWindowFrameStandardNew(CUIDescriptor \n const*) + 1558\n 17 com.apple.coreui 0x00007fff98f5a065 CUIRenderer::Draw(CGRect, CGContext*, __CFDictionary const*, \n __CFDictionary const**) + 2341\n 18 com.apple.coreui 0x00007fff98f5c992 CUIDraw + 175\n 19 com.apple.AppKit 0x00007fff8ffeed25 __44-[NSAppearance 
_drawInRect:context:options:]_block_invoke + 64\n 20 com.apple.AppKit 0x00007fff8fe55e91 -[NSCompositeAppearance _callCoreUIWithBlock:] + 183\n 21 com.apple.AppKit 0x00007fff8ffeecde -[NSAppearance _drawInRect:context:options:] + 127\n 22 com.apple.AppKit 0x00007fff900c0699 -[NSThemeFrame _maskCorners:clipRect:] + 259\n 23 com.apple.AppKit 0x00007fff90612b0d -[NSThemeFrame _drawTransparentTitlebarInRect:] + 173\n 24 com.apple.AppKit 0x00007fff900bd6b3 -[NSThemeFrame _drawUnifiedToolbar:] + 181\n 25 com.apple.AppKit 0x00007fff900bd480 -[NSThemeFrame _drawTitleBar:] + 104\n 26 com.apple.AppKit 0x00007fff900bd411 -[NSThemeFrame _drawFrameInterior:clip:] + 83\n 27 com.apple.AppKit 0x00007fff900bd3b1 -[NSThemeFrame drawFrame:] + 892\n 28 com.apple.AppKit 0x00007fff900bcf98 -[NSFrameView drawRect:] + 1098\n 29 com.apple.AppKit 0x00007fff900bcb33 -[NSThemeFrame drawRect:] + 280\n 30 com.apple.AppKit 0x00007fff8fffcc86 -[NSView _drawRect:clip:] + 3550\n 31 com.apple.AppKit 0x00007fff8fffacf5 -[NSView \n _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3136\n 32 com.apple.AppKit 0x00007fff8fff9be0 -[NSThemeFrame \n _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 334\n 33 com.apple.AppKit 0x00007fff8fff7feb -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] \n + 2449\n 34 com.apple.AppKit 0x00007fff8fff33f5 -[NSView displayIfNeeded] + 1950\n 35 com.apple.AppKit 0x00007fff8fff2c3c -[NSWindow displayIfNeeded] + 232\n 36 com.apple.AppKit 0x00007fff9067741b ___NSWindowGetDisplayCycleObserver_block_invoke6365 + 476\n 37 com.apple.AppKit 0x00007fff8fff25d6 __37+[NSDisplayCycle currentDisplayCycle]_block_invoke + 941\n 38 com.apple.QuartzCore 0x00007fff86da5f71 CA::Transaction::run_commit_handlers(CATransactionPhase) + 85\n 39 com.apple.QuartzCore 0x00007fff86da542c CA::Context::commit_transaction(CA::Transaction*) + 160\n 40 com.apple.QuartzCore 
0x00007fff86da50ec CA::Transaction::commit() + 508\n 41 com.apple.QuartzCore 0x00007fff86db0977 CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned \n long, void*) + 71\n 42 com.apple.CoreFoundation 0x00007fff88e20067 \n __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23\n 43 com.apple.CoreFoundation 0x00007fff88e1ffd7 __CFRunLoopDoObservers + 391\n 44 com.apple.CoreFoundation 0x00007fff88dfeef8 CFRunLoopRunSpecific + 328\n 45 com.apple.HIToolbox 0x00007fff8f2b7935 RunCurrentEventLoopInMode + 235\n 46 com.apple.HIToolbox 0x00007fff8f2b7677 ReceiveNextEventCommon + 184\n 47 com.apple.HIToolbox 0x00007fff8f2b75af _BlockUntilNextEventMatchingListInModeWithFilter + 71\n 48 com.apple.AppKit 0x00007fff8fe9adf6 _DPSNextEvent + 1067\n 49 com.apple.AppKit 0x00007fff8fe9a226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + \n 454\n 50 com.apple.AppKit 0x00007fff8fe8ed80 -[NSApplication run] + 682\n 51 com.apple.AppKit 0x00007fff8fe58368 NSApplicationMain + 1176\n 52 libdyld.dylib 0x00007fff86cf45ad start + 1\n \n log name is: ./crashlogs/1.crashlog.txt\n ---\n exception=EXC_CRASH:signal=11:is_exploitable= no:instruction_disassembly=.byte 0xc4 #bad \n opcode:instruction_address=0x00007fff9109bb34:access_type=:access_address=0x0000000000000000:\n \n\n### Exploit Proof-of-Concept\n\nRun included Python server and connect FreeRDP Client to it.\n\n### Timeline\n\n2017-05-24 - Vendor Disclosure \n2017-07-24 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2017-0342\n\nPrevious Report\n\nTALOS-2017-0340\n", "edition": 11, "modified": "2017-07-24T00:00:00", "published": "2017-07-24T00:00:00", "id": "TALOS-2017-0341", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0341", "title": "FreeRDP Rdp Client License Read Challenge Packet Denial of Service Vulnerability", "type": "talos", "cvss": {"score": 4.3, "vector": 
"AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T19:19:51", "bulletinFamily": "info", "cvelist": ["CVE-2017-2837"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0339\n\n## FreeRDP Rdp Client GCC Read Server Security Data Denial of Service Vulnerability\n\n##### July 24, 2017\n\n##### CVE Number\n\nCVE-2017-2837 \n\n### Summary\n\nAn exploitable denial of service vulnerability exists within the handling of security data in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.\n\n### Tested Versions\n\nFreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux\n\n### Product URLs\n\n<http://www.freerdp.com/>\n\n### CVSSv3 Score\n\n6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-190: Integer Overflow or Wraparound\n\n### Details\n\nFreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. 
The vulnerability arises in the gcc_read_server_security_data function.\n \n \n BOOL gcc_read_server_security_data(wStream* s, rdpMcs* mcs) {\n \n ...\n \n Stream_Read_UINT32(s, settings->ServerRandomLength); /* serverRandomLen */\n Stream_Read_UINT32(s, settings->ServerCertificateLength); /* serverCertLen */ [1]\n \n if (Stream_GetRemainingLength(s) < settings->ServerRandomLength + settings->ServerCertificateLength) [2]\n return FALSE;\n \n if ((settings->ServerRandomLength <= 0) || (settings->ServerCertificateLength <= 0))\n return FALSE;\n \n /* serverRandom */\n settings->ServerRandom = (BYTE*) malloc(settings->ServerRandomLength);\n \n if (!settings->ServerRandom)\n return FALSE;\n \n Stream_Read(s, settings->ServerRandom, settings->ServerRandomLength); [3]\n /* serverCertificate */\n settings->ServerCertificate = (BYTE*) malloc(settings->ServerCertificateLength);\n \n if (!settings->ServerCertificate)\n return FALSE;\n \n Stream_Read(s, settings->ServerCertificate, settings->ServerCertificateLength);\n certificate_free(settings->RdpServerCertificate);\n \n\nThe gcc_read_server_security_data function reads in two length values from the packet, [1]. It then checks, [2], that their sum does not exceed the remaining length of the stream. Because both values are read as 32-bit integers directly from the packet, their sum can wrap around to a small number, so the check passes and the function continues with a larger length than what is available; comparing each length against the remaining length separately avoids the wrap. 
When the function then attempts to read the overly large length of data from the buffer, [3], an out-of-bounds read occurs and an exploitable denial of service condition arises.\n\n### Crash Information\n \n \n Crashed thread log = \n : Dispatch queue: com.apple.main-thread\n 0 libsystem_kernel.dylib 0x00007fff955c6f72 mach_msg_trap + 10\n 1 libsystem_kernel.dylib 0x00007fff955c63b3 mach_msg + 55\n 2 com.apple.CoreFoundation 0x00007fff88e001c4 __CFRunLoopServiceMachPort + 212\n 3 com.apple.CoreFoundation 0x00007fff88dff68c __CFRunLoopRun + 1356\n 4 com.apple.CoreFoundation 0x00007fff88dfeed8 CFRunLoopRunSpecific + 296\n 5 com.apple.HIToolbox 0x00007fff8f2b7935 RunCurrentEventLoopInMode + 235\n 6 com.apple.HIToolbox 0x00007fff8f2b776f ReceiveNextEventCommon + 432\n 7 com.apple.HIToolbox 0x00007fff8f2b75af _BlockUntilNextEventMatchingListInModeWithFilter + 71\n 8 com.apple.AppKit 0x00007fff8fe9adf6 _DPSNextEvent + 1067\n 9 com.apple.AppKit 0x00007fff8fe9a226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + \n 454\n 10 com.apple.AppKit 0x00007fff8fe8ed80 -[NSApplication run] + 682\n 11 com.apple.AppKit 0x00007fff8fe58368 NSApplicationMain + 1176\n 12 libdyld.dylib 0x00007fff86cf45ad start + 1\n \n log name is: ./crashlogs/1.crashlog.txt\n ---\n exception=EXC_CRASH:signal=11:is_exploitable= \n no:instruction_disassembly=ret:instruction_address=0x00007fff955c6f72:access_type=:access_address=0x0000000000000000\n \n\n### Exploit Proof-of-Concept\n\nRun included Python server and connect FreeRDP Client to it.\n\n### Timeline\n\n2017-05-24 - Vendor Disclosure \n2017-07-24 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2017-0340\n\nPrevious Report\n\nTALOS-2017-0338\n", "edition": 10, "modified": "2017-07-24T00:00:00", "published": "2017-07-24T00:00:00", "id": "TALOS-2017-0339", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0339", "title": "FreeRDP Rdp 
Client GCC Read Server Security Data Denial of Service Vulnerability", "type": "talos", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-01T21:25:30", "bulletinFamily": "info", "cvelist": ["CVE-2017-2836"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0338\n\n## FreeRDP Rdp Client Read Server Proprietary Certificate Denial of Service Vulnerability\n\n##### July 24, 2017\n\n##### CVE Number\n\nCVE-2017-2836 \n\n### Summary\n\nAn exploitable denial of service vulnerability exists within the reading of proprietary server certificates in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.\n\n### Tested Versions\n\nFreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux\n\n### Product URLs\n\n<http://www.freerdp.com/>\n\n### CVSSv3 Score\n\n6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-190: Integer Overflow or Wraparound\n\n### Details\n\nFreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. The vulnerability arises in the parsing of proprietary certificates.\n \n \n static BOOL certificate_process_server_public_key(rdpCertificate* certificate, wStream* s, UINT32 length)\n {\n BYTE magic[4];\n UINT32 keylen;\n UINT32 bitlen;\n UINT32 datalen;\n UINT32 modlen;\n \n ... 
\n \n Stream_Read_UINT32(s, keylen);\n Stream_Read_UINT32(s, bitlen);\n Stream_Read_UINT32(s, datalen); \n modlen = keylen - 8; [1]\n \n if (Stream_GetRemainingLength(s) < modlen + 8) // count padding [2]\n return FALSE;\n \n certificate->cert_info.ModulusLength = modlen;\n certificate->cert_info.Modulus = malloc(certificate->cert_info.ModulusLength); [3]\n \n if (!certificate->cert_info.Modulus)\n return FALSE;\n \n Stream_Read(s, certificate->cert_info.Modulus, certificate->cert_info.ModulusLength); [4]\n \n\nIn processing a server's proprietary certificate, the function calls out to read the public key. It takes the key length directly from the packet and subtracts eight from it, [1]. It then checks the length, [2], by adding the eight back and comparing the result to the remaining stream length. The vulnerability arises when a key length less than eight is passed in: the unsigned subtraction wraps modlen around to a very large value, while modlen + 8 wraps back to the small original value and passes the check, so a large allocation is made, [3]. The denial of service arises at [4], when the stream is read into the oversized buffer and an out-of-bounds read occurs.\n\n### Crash Information\n \n \n Crashed thread log = \n : Dispatch queue: com.apple.main-thread\n 0 com.apple.CoreGraphics 0x00007fff8e8fc4de argb32_image_mark_RGB32 + 423\n 1 com.apple.CoreGraphics 0x00007fff8e8fc29d argb32_image_mark_image + 1085\n 2 com.apple.CoreGraphics 0x00007fff8e8b3d92 argb32_image + 5050\n 3 libRIP.A.dylib 0x00007fff8d02d4f2 ripl_Mark + 23\n 4 libRIP.A.dylib 0x00007fff8d02d491 RIPLayerBltImage + 1185\n 5 libRIP.A.dylib 0x00007fff8d02ad0a ripc_DrawImage + 1151\n 6 com.apple.CoreGraphics 0x00007fff8e90d37f CGContextDelegateDrawImage + 48\n 7 com.apple.AppKit 0x00007fff8d89b1c8 __backing_store_DrawImage_block_invoke + 70\n 8 com.apple.AppKit 0x00007fff8d896a77 backing_store_delegate + 768\n 9 com.apple.AppKit 0x00007fff8d89b137 backing_store_DrawImage + 525\n 10 com.apple.CoreGraphics 0x00007fff8e8a1813 CGContextDrawImageWithOptions + 571\n 11 com.apple.CoreGraphics 0x00007fff8e8d7b23 
CGContextDrawImages + 2442\n 12 com.apple.coreui 0x00007fff967f7cce DrawNinePartImageWithOperation + 5357\n 13 com.apple.coreui 0x00007fff967f67c2 DrawNinePartElementFromRenditionWithOperation + 471\n 14 com.apple.coreui 0x00007fff967fdcce -[CUIThemeFacet \n _drawSpecificRenditionKey:rendition:inFrame:context:alpha:operation:isFocused:isFlipped:] + 710\n 15 com.apple.coreui 0x00007fff967fd91a -[CUIThemeFacet \n _drawSpecificRenditionKey:inFrame:context:isFocused:isFlipped:] + 163\n 16 com.apple.coreui 0x00007fff967fbc32 -[CUIThemeFacet drawInFrame:isFocused:context:] + 137\n 17 com.apple.coreui 0x00007fff96819500 CUICoreThemeRenderer::DrawWindowFrameStandardNew(CUIDescriptor \n const*) + 2990\n 18 com.apple.coreui 0x00007fff9679a065 CUIRenderer::Draw(CGRect, CGContext*, __CFDictionary const*, \n __CFDictionary const**) + 2341\n 19 com.apple.coreui 0x00007fff9679c992 CUIDraw + 175\n 20 com.apple.AppKit 0x00007fff8d82ed25 __44-[NSAppearance _drawInRect:context:options:]_block_invoke + 64\n 21 com.apple.AppKit 0x00007fff8d695e91 -[NSCompositeAppearance _callCoreUIWithBlock:] + 183\n 22 com.apple.AppKit 0x00007fff8d82ecde -[NSAppearance _drawInRect:context:options:] + 127\n 23 com.apple.AppKit 0x00007fff8d900699 -[NSThemeFrame _maskCorners:clipRect:] + 259\n 24 com.apple.AppKit 0x00007fff8de52b0d -[NSThemeFrame _drawTransparentTitlebarInRect:] + 173\n 25 com.apple.AppKit 0x00007fff8d8fd6b3 -[NSThemeFrame _drawUnifiedToolbar:] + 181\n 26 com.apple.AppKit 0x00007fff8d8fd480 -[NSThemeFrame _drawTitleBar:] + 104\n 27 com.apple.AppKit 0x00007fff8d8fd411 -[NSThemeFrame _drawFrameInterior:clip:] + 83\n 28 com.apple.AppKit 0x00007fff8d8fd3b1 -[NSThemeFrame drawFrame:] + 892\n 29 com.apple.AppKit 0x00007fff8d8fcf98 -[NSFrameView drawRect:] + 1098\n 30 com.apple.AppKit 0x00007fff8d8fcb33 -[NSThemeFrame drawRect:] + 280\n 31 com.apple.AppKit 0x00007fff8d83cc86 -[NSView _drawRect:clip:] + 3550\n 32 com.apple.AppKit 0x00007fff8d83acf5 -[NSView \n 
_recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3136\n 33 com.apple.AppKit 0x00007fff8d839be0 -[NSThemeFrame \n _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 334\n 34 com.apple.AppKit 0x00007fff8d837feb -[NSView \n _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 2449\n 35 com.apple.AppKit 0x00007fff8d8333f5 -[NSView displayIfNeeded] + 1950\n 36 com.apple.AppKit 0x00007fff8d832c3c -[NSWindow displayIfNeeded] + 232\n 37 com.apple.AppKit 0x00007fff8deb741b ___NSWindowGetDisplayCycleObserver_block_invoke6365 + 476\n 38 com.apple.AppKit 0x00007fff8d8325d6 __37+[NSDisplayCycle currentDisplayCycle]_block_invoke + 941\n 39 com.apple.QuartzCore 0x00007fff845e5f71 CA::Transaction::run_commit_handlers(CATransactionPhase) + 85\n 40 com.apple.QuartzCore 0x00007fff845e542c CA::Context::commit_transaction(CA::Transaction*) + 160\n 41 com.apple.QuartzCore 0x00007fff845e50ec CA::Transaction::commit() + 508\n 42 com.apple.QuartzCore 0x00007fff845f0977 CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned \n long, void*) + 71\n 43 com.apple.CoreFoundation 0x00007fff86660067 \n __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23\n 44 com.apple.CoreFoundation 0x00007fff8665ffd7 __CFRunLoopDoObservers + 391\n 45 com.apple.CoreFoundation 0x00007fff8663eef8 CFRunLoopRunSpecific + 328\n 46 com.apple.HIToolbox 0x00007fff8caf7935 RunCurrentEventLoopInMode + 235\n 47 com.apple.HIToolbox 0x00007fff8caf7677 ReceiveNextEventCommon + 184\n 48 com.apple.HIToolbox 0x00007fff8caf75af _BlockUntilNextEventMatchingListInModeWithFilter + 71\n 49 com.apple.AppKit 0x00007fff8d6dadf6 _DPSNextEvent + 1067\n 50 com.apple.AppKit 0x00007fff8d6da226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454\n 51 com.apple.AppKit 0x00007fff8d6ced80 -[NSApplication run] + 682\n 52 com.apple.AppKit 0x00007fff8d698368 NSApplicationMain + 1176\n 53 
libdyld.dylib 0x00007fff845345ad start + 1\n \n log name is: ./crashlogs/1.crashlog.txt\n ---\n exception=EXC_CRASH:signal=11:is_exploitable= no:instruction_disassembly=cmpq $CONSTANT,%rax:instruction_address=0x00007fff8e8fc4de:access_type=:access_address=0x0000000000000000:\n \n\n### Exploit Proof-of-Concept\n\nRun included Python server and connect FreeRDP Client to it.\n\n### Timeline\n\n2017-05-24 - Vendor Disclosure \n2017-07-24 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2017-0339\n\nPrevious Report\n\nTALOS-2017-0337\n", "edition": 10, "modified": "2017-07-24T00:00:00", "published": "2017-07-24T00:00:00", "id": "TALOS-2017-0338", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0338", "title": "FreeRDP Rdp Client Read Server Proprietary Certificate Denial of Service Vulnerability", "type": "talos", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T19:20:12", "bulletinFamily": "info", "cvelist": ["CVE-2017-2834"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0336\n\n## FreeRDP Rdp Client License Recv Code Execution Vulnerability\n\n##### July 24, 2017\n\n##### CVE Number\n\nCVE-2017-2834 \n\n### Summary\n\nAn exploitable code execution vulnerability exists in the authentication functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. 
An attacker can compromise the server or use a man-in-the-middle attack to trigger this vulnerability.\n\n### Tested Versions\n\nFreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux\n\n### Product URLs\n\n<http://www.freerdp.com/>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H\n\n### CWE\n\nCWE-129: Improper Validation of Array Index\n\n### Details\n\nFreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. The vulnerability arises in using untrusted data in handling the license authentication with the server.\n \n \n int license_recv(rdpLicense* license, wStream* s)\n {\n BYTE bMsgType;\n UINT16 length;\n UINT16 channelId;\n \n if (!rdp_read_header(license->rdp, s, &length, &channelId)) [1]\n {\n WLog_ERR(TAG, \"Incorrect RDP header.\");\n return -1;\n }\n ...\n if (securityFlags & SEC_ENCRYPT)\n {\n if (!rdp_decrypt(license->rdp, s, length - 4, securityFlags)) [2]\n \n\nAt [1], the RDP header is read in and a local variable, length, is assigned a value directly from the attacker-controlled packet. Four is then subtracted from the value of length, [2], and the result is passed into a decryption function. If the attacker supplies a value less than four, a negative value will be passed into decrypt. The attacker-controlled length value goes through multiple functions and ends up passed in directly to the OpenSSL RC4 function call. This causes the program to write attacker-influenced data out of bounds, causing a potentially exploitable condition to arise. 
A hexdump of the attacker controlled packet is below with the bytes pertaining to the length marked.\n \n \n 00000000 03 00 01 51 02 f0 80 68 00 01 03 eb 70 [03] 08 00 |...Q...h....p...| <-------\n 00000010 00 3e 01 01 02 3e 01 7b 3c 31 a6 ae e8 74 f6 b4 |.>...>.{<1...t..|\n 00000020 a5 03 90 e7 c2 c7 39 ba 53 1c 30 54 6e 90 05 d0 |......9.S.0Tn...|\n 00000030 05 ce 44 18 91 83 81 00 00 04 00 2c 00 00 00 4d |..D........,...M|\n 00000040 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 |.i.c.r.o.s.o.f.t|\n 00000050 00 20 00 43 00 6f 00 72 00 70 00 6f 00 72 00 61 |. .C.o.r.p.o.r.a|\n 00000060 00 74 00 69 00 6f 00 6e 00 00 00 08 00 00 00 32 |.t.i.o.n.......2|\n 00000070 00 33 00 36 00 00 00 0d 00 04 00 01 00 00 00 03 |.3.6............|\n 00000080 00 b8 00 01 00 00 00 01 00 00 00 01 00 00 00 06 |................|\n 00000090 00 5c 00 52 53 41 31 48 00 00 00 00 02 00 00 3f |.\\.RSA1H.......?|\n 000000a0 00 00 00 01 00 01 00 01 c7 c9 f7 8e 5a 38 e4 29 |............Z8.)|\n 000000b0 c3 00 95 2d dd 4c 3e 50 45 0b 0d 9e 2a 5d 18 63 |...-.L>PE...*].c|\n 000000c0 64 c4 2c f7 8f 29 d5 3f c5 35 22 34 ff ad 3a e6 |d.,..).?.5\"4..:.|\n 000000d0 e3 95 06 ae 55 82 e3 c8 c7 b4 a8 47 c8 50 71 74 |....U......G.Pqt|\n 000000e0 29 53 89 6d 9c ed 70 00 00 00 00 00 00 00 00 08 |)S.m..p.........|\n 000000f0 00 48 00 a8 f4 31 b9 ab 4b e6 b4 f4 39 89 d6 b1 |.H...1..K...9...|\n 00000100 da f6 1e ec b1 f0 54 3b 5e 3e 6a 71 b4 f7 75 c8 |......T;^>jq..u.| \n \n\n### Crash Information\n \n \n % ./exc_handler FreeRDP-master/client/Mac/cli/MacFreeRDP.app/Contents/MacOS/MacFreeRDP /v:127.0.0.1:3377\n \n 2017-05-09 15:41:35.334 MacFreeRDP[17761:133607] void * _Nullable NSMapGet(NSMapTable * _Nonnull, const void * \n _Nullable): map table argument is NULL\n [15:41:35:626] [17761:00429000] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe\n MacFreeRDP(17761,0x7fff76107000) malloc: *** error for object 0x7ff62300ac08: incorrect checksum for freed object - object 
\n was probably modified after being freed.\n *** set a breakpoint in malloc_error_break to debug\n \n Crashed thread log = \n : Dispatch queue: com.apple.main-thread\n 0 libsystem_kernel.dylib 0x00007fff91f718ea __kill + 10\n 1 libfreerdp2.2.dylib 0x000000010eac3e75 fatal_handler + 229\n 2 libsystem_platform.dylib 0x00007fff88e0b52a _sigtramp + 26\n 3 ??? 0x00007ff621801000 0 + 140695100723200\n 4 libsystem_c.dylib 0x00007fff933af6df abort + 129\n 5 libsystem_malloc.dylib 0x00007fff915db396 szone_error + 626\n 6 libsystem_malloc.dylib 0x00007fff915d1373 small_free_list_remove_ptr + 152\n 7 libsystem_malloc.dylib 0x00007fff915cfa7c szone_free_definite_size + 1790\n 8 com.apple.CoreGraphics 0x00007fff8d9ed3e0 region_finalize + 44\n 9 com.apple.CoreFoundation 0x00007fff85729af3 CFRelease + 371\n 10 com.apple.CoreGraphics 0x00007fff8d9ed3af CGSReleaseRegion + 9\n 11 com.apple.AppKit 0x00007fff8c92ea01 -[NSRegion dealloc] + 33\n 12 com.apple.AppKit 0x00007fff8c99c4e1 -[_NSDisplayOperation dealloc] + 121\n 13 com.apple.CoreFoundation 0x00007fff857a8b72 -[__NSArrayM removeObjectAtIndex:] + 290\n 14 com.apple.AppKit 0x00007fff8c99c3a8 -[_NSDisplayOperationStack exitDisplayOperationForWindow:] + 449\n 15 com.apple.AppKit 0x00007fff8c99d792 -[NSView \n _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 4408\n 16 com.apple.AppKit 0x00007fff8c9983f5 -[NSView displayIfNeeded] + 1950\n 17 com.apple.AppKit 0x00007fff8c997c3c -[NSWindow displayIfNeeded] + 232\n 18 com.apple.AppKit 0x00007fff8d01c41b ___NSWindowGetDisplayCycleObserver_block_invoke6365 + 476\n 19 com.apple.AppKit 0x00007fff8c9975d6 __37+[NSDisplayCycle currentDisplayCycle]_block_invoke + 941\n 20 com.apple.QuartzCore 0x00007fff8374af71 CA::Transaction::run_commit_handlers(CATransactionPhase) + 85\n 21 com.apple.QuartzCore 0x00007fff8374a42c CA::Context::commit_transaction(CA::Transaction*) + 160\n 22 com.apple.QuartzCore 0x00007fff8374a0ec CA::Transaction::commit() + 508\n 23 
com.apple.QuartzCore 0x00007fff83755977 CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned \n long, void*) + 71\n 24 com.apple.CoreFoundation 0x00007fff857c5067 \n __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23\n 25 com.apple.CoreFoundation 0x00007fff857c4fd7 __CFRunLoopDoObservers + 391\n 26 com.apple.CoreFoundation 0x00007fff857a3ef8 CFRunLoopRunSpecific + 328\n 27 com.apple.HIToolbox 0x00007fff8bc5c935 RunCurrentEventLoopInMode + 235\n 28 com.apple.HIToolbox 0x00007fff8bc5c677 ReceiveNextEventCommon + 184\n 29 com.apple.HIToolbox 0x00007fff8bc5c5af _BlockUntilNextEventMatchingListInModeWithFilter + 71\n 30 com.apple.AppKit 0x00007fff8c83fdf6 _DPSNextEvent + 1067\n 31 com.apple.AppKit 0x00007fff8c83f226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + \n 454\n 32 com.apple.AppKit 0x00007fff8c833d80 -[NSApplication run] + 682\n 33 com.apple.AppKit 0x00007fff8c7fd368 NSApplicationMain + 1176\n 34 libdyld.dylib 0x00007fff836995ad start + 1\n \n log name is: ./crashlogs/crashlog.txt\n ---\n exception=EXC_CRASH:signal=6:is_exploitable=yes:instruction_disassembly=jae \n CONSTANT:instruction_address=0x00007fff91f718ea:access_type=:access_address=0x0000000000000000:\n The crash is suspected to be an exploitable issue due to the suspicious function in the stack trace of the crashing thread: ' \n szone_error '\n \n\n### Exploit Proof-of-Concept\n\nRun included Python server and connect FreeRDP Client to it.\n\n### Timeline\n\n2017-05-24 - Vendor Disclosure \n2017-07-24 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2017-0337\n\nPrevious Report\n\nTALOS-2016-0244\n", "edition": 9, "modified": "2017-07-24T00:00:00", "published": "2017-07-24T00:00:00", "id": "TALOS-2017-0336", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0336", "title": "FreeRDP Rdp Client License Recv Code Execution Vulnerability", 
"type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}