http://advisories.mageia.org/MGASA-2014-0287.html

openSUSE-SU-2014:0862

[oss-security] 20140528 freerdp: integer overflows in memory allocations in client/X11/xf_graphics.c

GLSA-201412-18

MDVSA-2015:171

67670

https://bugzilla.redhat.com/show_bug.cgi?id=998934

https://github.com/FreeRDP/FreeRDP/issues/1871

https://github.com/FreeRDP/FreeRDP/pull/1874

According to the versions of the freerdp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An exploitable code execution vulnerability exists in     the RDP receive functionality of FreeRDP     2.0.0-beta1+android11. A specially crafted server     response can cause an out-of-bounds write resulting in     an exploitable condition. An attacker can compromise     the server or use a man in the middle to trigger this     vulnerability.(CVE-2017-2835)

  - An exploitable denial of service vulnerability exists     within the handling of challenge packets in FreeRDP     2.0.0-beta1+android11. A specially crafted challenge     packet can cause the program termination leading to a     denial of service condition. An attacker can compromise     the server or use man in the middle to trigger this     vulnerability.(CVE-2017-2838)

  - An exploitable denial of service vulnerability exists     within the handling of challenge packets in FreeRDP     2.0.0-beta1+android11. A specially crafted challenge     packet can cause the program termination leading to a     denial of service condition. An attacker can compromise     the server or use man in the middle to trigger this     vulnerability.(CVE-2017-2839)

  - An exploitable denial of service vulnerability exists     within the handling of security data in FreeRDP     2.0.0-beta1+android11. A specially crafted challenge     packet can cause the program termination leading to a     denial of service condition. An attacker can compromise     the server or use man in the middle to trigger this     vulnerability.(CVE-2017-2837)

  - An exploitable denial of service vulnerability exists     within the reading of proprietary server certificates     in FreeRDP 2.0.0-beta1+android11. A specially crafted     challenge packet can cause the program termination     leading to a denial of service condition. An attacker     can compromise the server or use man in the middle to     trigger this vulnerability.(CVE-2017-2836)

  - FreeRDP FreeRDP 2.0.0-rc3 released version before     commit 205c612820dac644d665b5bb1cdf437dc5ca01e3     contains a Other/Unknown vulnerability in     channels/drdynvc/client/drdynvc_main.c,     drdynvc_process_capability_request that can result in     The RDP server can read the client's memory.. This     attack appear to be exploitable via RDPClient must     connect the rdp server with echo option. This     vulnerability appears to have been fixed in after     commit     205c612820dac644d665b5bb1cdf437dc5ca01e3.(CVE-2018-1000     852)

  - Integer overflow in the license_read_scope_list     function in libfreerdp/core/license.c in FreeRDP     through 1.0.2 allows remote RDP servers to cause a     denial of service (application crash) or possibly have     unspecified other impact via a large ScopeCount value     in a Scope List in a Server License Request     packet.(CVE-2014-0791)

  - Multiple integer overflows in client/X11/xf_graphics.c     in FreeRDP allow remote attackers to have an     unspecified impact via the width and height to the (1)     xf_Pointer_New or (2) xf_Bitmap_Decompress function,     which causes an incorrect amount of memory to be     allocated.(CVE-2014-0250)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the freerdp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - FreeRDP before 1.1.0-beta+2013071101 allows remote     attackers to cause a denial of service (NULL pointer     dereference and application crash) by disconnecting     before authentication has finished.(CVE-2013-4119)

  - FreeRDP FreeRDP 2.0.0-rc3 released version before     commit 205c612820dac644d665b5bb1cdf437dc5ca01e3     contains a Other/Unknown vulnerability in     channels/drdynvc/client/drdynvc_main.c,     drdynvc_process_capability_request that can result in     The RDP server can read the client's memory.. This     attack appear to be exploitable via RDPClient must     connect the rdp server with echo option. This     vulnerability appears to have been fixed in after     commit     205c612820dac644d665b5bb1cdf437dc5ca01e3.(CVE-2018-1000     852)

  - FreeRDP before 1.1.0-beta1 allows remote attackers to     cause a denial of service (NULL pointer dereference and     application crash) via unspecified     vectors.(CVE-2013-4118)

  - Multiple integer overflows in client/X11/xf_graphics.c     in FreeRDP allow remote attackers to have an     unspecified impact via the width and height to the (1)     xf_Pointer_New or (2) xf_Bitmap_Decompress function,     which causes an incorrect amount of memory to be     allocated.(CVE-2014-0250)

  - Integer overflow in the license_read_scope_list     function in libfreerdp/core/license.c in FreeRDP     through 1.0.2 allows remote RDP servers to cause a     denial of service (application crash) or possibly have     unspecified other impact via a large ScopeCount value     in a Scope List in a Server License Request     packet.(CVE-2014-0791)

  - An exploitable code execution vulnerability exists in     the RDP receive functionality of FreeRDP     2.0.0-beta1+android11. A specially crafted server     response can cause an out-of-bounds write resulting in     an exploitable condition. An attacker can compromise     the server or use a man in the middle to trigger this     vulnerability.(CVE-2017-2835)

  - An exploitable denial of service vulnerability exists     within the reading of proprietary server certificates     in FreeRDP 2.0.0-beta1+android11. A specially crafted     challenge packet can cause the program termination     leading to a denial of service condition. An attacker     can compromise the server or use man in the middle to     trigger this vulnerability.(CVE-2017-2836)

  - An exploitable denial of service vulnerability exists     within the handling of security data in FreeRDP     2.0.0-beta1+android11. A specially crafted challenge     packet can cause the program termination leading to a     denial of service condition. An attacker can compromise     the server or use man in the middle to trigger this     vulnerability.(CVE-2017-2837)

  - An exploitable denial of service vulnerability exists     within the handling of challenge packets in FreeRDP     2.0.0-beta1+android11. A specially crafted challenge     packet can cause the program termination leading to a     denial of service condition. An attacker can compromise     the server or use man in the middle to trigger this     vulnerability.(CVE-2017-2838)

  - An exploitable denial of service vulnerability exists     within the handling of challenge packets in FreeRDP     2.0.0-beta1+android11. A specially crafted challenge     packet can cause the program termination leading to a     denial of service condition. An attacker can compromise     the server or use man in the middle to trigger this     vulnerability.(CVE-2017-2839)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the freerdp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Multiple integer overflows in client/X11/xf_graphics.c     in FreeRDP allow remote attackers to have an     unspecified impact via the width and height to the (1)     xf_Pointer_New or (2) xf_Bitmap_Decompress function,     which causes an incorrect amount of memory to be     allocated.(CVE-2014-0250)

  - Integer overflow in the license_read_scope_list     function in libfreerdp/core/license.c in FreeRDP     through 1.0.2 allows remote RDP servers to cause a     denial of service (application crash) or possibly have     unspecified other impact via a large ScopeCount value     in a Scope List in a Server License Request     packet.(CVE-2014-0791)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that FreeRDP incorrectly handled certain width and height values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS.
(CVE-2014-0250)

It was discovered that FreeRDP incorrectly handled certain values in a Scope List. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-0791)

Tyler Bohan discovered that FreeRDP incorrectly handled certain length values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-2834, CVE-2017-2835)

Tyler Bohan discovered that FreeRDP incorrectly handled certain packets. A malicious server could possibly use this issue to cause FreeRDP to crash, resulting in a denial of service. (CVE-2017-2836, CVE-2017-2837, CVE-2017-2838, CVE-2017-2839).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for freerdp fixes the following issues :

  - CVE-2013-4118: Added a NULL pointer check to fix a     server crash (bsc#829013).

  - CVE-2014-0791: Integer overflow in the     license_read_scope_list function in     libfreerdp/core/license.c in FreeRDP allowed remote RDP     servers to cause a denial of service (application crash)     or possibly have unspecified other impact via a large     ScopeCount value in a Scope List in a Server License     Request packet. (bsc#857491)

  - CVE-2014-0250: Multiple integer overflows in     client/X11/xf_graphics.c in FreeRDP allowed remote     attackers to have an unspecified impact via the width     and height to the (1) xf_Pointer_New or (2)     xf_Bitmap_Decompress function, which causes an incorrect     amount of memory to be allocated. (bsc#880317)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated freerdp packages fix security vulnerabilities :

Integer overflows in memory allocations in client/X11/xf_graphics.c in FreeRDP through 1.0.2 allows remote RDP servers to have an unspecified impact through unspecified vectors (CVE-2014-0250).

Integer overflow in the license_read_scope_list function in libfreerdp/core/license.c in FreeRDP through 1.0.2 allows remote RDP servers to cause a denial of service (application crash) or possibly have unspecified other impact via a large ScopeCount value in a Scope List in a Server License Request packet (CVE-2014-0791).

The remote host is affected by the vulnerability described in GLSA-201412-18 (FreeRDP: User-assisted execution of arbitrary code)

    FreeRDP does not properly validate user-supplied input, which could lead       to an integer overflow in the xf_Pointer_New() function.
  Impact :

    A remote attacker could execute arbitrary code with the privileges of       the process or cause Denial of Service.
  Workaround :

    There is no known workaround at this time.

freerdp was patched to fix several integer overflows.

These security issues were fixed :

  - Integer overflow (CVE-2014-0791)

  - Integer overflows in memory allocations in     client/X11/xf_graphics.c (CVE-2014-0250)

ID	Name	Product	Family	Severity
132297	EulerOS 2.0 SP3 : freerdp (EulerOS-SA-2019-2580)	Nessus	Huawei Local Security Checks	high
131609	EulerOS 2.0 SP2 : freerdp (EulerOS-SA-2019-2455)	Nessus	Huawei Local Security Checks	high
130856	EulerOS 2.0 SP5 : freerdp (EulerOS-SA-2019-2147)	Nessus	Huawei Local Security Checks	high
102260	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : freerdp vulnerabilities (USN-3380-1)	Nessus	Ubuntu Local Security Checks	high
94037	SUSE SLED12 Security Update : freerdp (SUSE-SU-2016:2506-1)	Nessus	SuSE Local Security Checks	high
82447	Mandriva Linux Security Advisory : freerdp (MDVSA-2015:171)	Nessus	Mandriva Local Security Checks	high
79971	GLSA-201412-18 : FreeRDP: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
76343	openSUSE Security Update : freerdp (openSUSE-SU-2014:0862-1)	Nessus	SuSE Local Security Checks	high

CVE-2014-0250

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins