Lucene search

K
ubuntucveUbuntu.comUB:CVE-2022-41877
HistoryNov 16, 2022 - 12:00 a.m.

CVE-2022-41877

2022-11-1600:00:00
ubuntu.com
ubuntu.com
13
freerdp
input validation
drive channel
upgrade
version 2.9.0
security issue
malicious server

CVSS3

4.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

EPSS

0.002

Percentile

52.7%

FreeRDP is a free remote desktop protocol library and clients. Affected
versions of FreeRDP are missing input length validation in drive channel.
A malicious server can trick a FreeRDP based client to read out of bound
data and send it back to the server. This issue has been addressed in
version 2.9.0 and all users are advised to upgrade. Users unable to upgrade
should not use the drive redirection channel - command line options
/drive, +drives or +home-drive.

Notes

Author Note
mdeslaur malicious server could cause client to crash
OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchfreerdp2< 2.2.0+dfsg1-0ubuntu0.18.04.4+esm2UNKNOWN
ubuntu20.04noarchfreerdp2< 2.2.0+dfsg1-0ubuntu0.20.04.6UNKNOWN
ubuntu22.04noarchfreerdp2< 2.6.1+dfsg1-3ubuntu2.5UNKNOWN

CVSS3

4.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

EPSS

0.002

Percentile

52.7%