
=====================================================================

                              CERT-Renater

                  Information Note No. 2021/VULN601
_____________________________________________________________________

DATE                : 12/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FreeRDP versions prior to 2.4.1.

=====================================================================
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vh34-m9h7-95xq
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7c9r-6r2q-93qg
_____________________________________________________________________


Improper client input validation for gateway connections allows to
overwrite memory


moderate
akallabeth published GHSA-vh34-m9h7-95xq Oct 21, 2021


Package
No package listed

Affected versions
<= 2.4.0

Patched versions
2.4.1


Description


Impact

Affects all FreeRDP clients using gateway connections (/gt:rpc).
Input data is not properly checked, so a malicious gateway might be able
to cause client memory to be written out of bounds.


Patches

2.4.1


Workarounds

    Use /gt:http connection if possible
    Use a direct connection without gateway



Reported by Sunglin from the Knownsec 404 team & 0103 sec team


For more information

If you have any questions or comments about this advisory:

    Open an issue in https://github.com/FreeRDP/FreeRDP
    Email us at security@freerdp.com
    See https://www.freerdp.com/ for contact details


CVE ID
CVE-2021-41159

_____________________________________________________________________


Improper region checks in all clients allow out of bound write to memory


moderate
akallabeth published GHSA-7c9r-6r2q-93qg Oct 21, 2021

Package
No package listed

Affected versions
<= 2.4.0

Patched versions
2.4.1


Description

Impact

A malicious server might trigger out of bound writes in a connected
client.

Connections using GDI or SurfaceCommands to send graphics updates to the
client might send 0 width/height or out of bound rectangles to trigger
out of bound writes.

With 0 width or height the memory allocation will be 0, but the missing
bounds checks allow writing to the pointer at this (not allocated)
region.
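
The kind of region check described above, as an added example: this is not
FreeRDP's code or its 2.4.1 patch. The surface_t type, the function names and
the 32-bit pixel format are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical surface type for this example; not a FreeRDP structure. */
typedef struct {
    uint32_t width, height;   /* in pixels */
    uint8_t *data;            /* width * height * 4 bytes, or NULL */
} surface_t;

/* Allocate a surface; refuse 0 width/height and sizes that overflow. */
int surface_init(surface_t *s, uint32_t w, uint32_t h)
{
    s->width = s->height = 0;
    s->data = NULL;
    if (w == 0 || h == 0 || w > SIZE_MAX / 4 / h)
        return 0;
    s->data = calloc((size_t)w * h, 4);
    if (!s->data)
        return 0;
    s->width = w;
    s->height = h;
    return 1;
}

/* Return 1 only if the rectangle is non-empty and fully inside the surface. */
int rect_in_surface(const surface_t *s, uint32_t x, uint32_t y,
                    uint32_t w, uint32_t h)
{
    if (!s->data || w == 0 || h == 0)
        return 0;
    /* Subtraction form avoids wrap-around in x + w and y + h. */
    return x < s->width && w <= s->width - x &&
           y < s->height && h <= s->height - y;
}

/* Fill a server-supplied rectangle with one 32-bit pixel value. */
int surface_fill(surface_t *s, uint32_t x, uint32_t y,
                 uint32_t w, uint32_t h, uint32_t pixel)
{
    if (!rect_in_surface(s, x, y, w, h))
        return 0;             /* reject the update instead of writing */
    for (uint32_t row = y; row < y + h; row++) {
        uint32_t *line = (uint32_t *)(s->data + ((size_t)row * s->width + x) * 4);
        for (uint32_t col = 0; col < w; col++)
            line[col] = pixel;
    }
    return 1;
}
```
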


Patches

FreeRDP 2.4.1

Reported by Sunglin from the Knownsec 404 team & 0103 sec team


For more information

If you have any questions or comments about this advisory:

    Open an issue in https://github.com/FreeRDP/FreeRDP
    Email us at security@freerdp.com
    See https://www.freerdp.com/ for contact details


CVE ID
CVE-2021-41160


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
