=====================================================================
                            CERT-Renater

                 Information Note No. 2022/VULN422
_____________________________________________________________________

DATE                 : 17/11/2022

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running FreeRDP versions prior to 2.9.0.

=====================================================================
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qfq2-82qr-7f4j
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvxm-wfj2-5fvh
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-pmv3-wpw4-pw5h
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-387j-8j96-7q35
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-99cm-4gw7-c8jh
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5w4j-mrrh-jjrm
_____________________________________________________________________

Heap buffer overflow in urbdrc channel
Moderate
bmiklautz published GHSA-qfq2-82qr-7f4j

Package: FreeRDP (C)
Affected versions: <= 2.8.1
Patched versions: 2.9.0

Description

Impact

Integer addition on too narrow types leads to allocation of a buffer
too small to hold the data written.
A malicious server can trick a FreeRDP based client to read out of
bound data and send it back to the server.

Patches

2.9.0

Workarounds

Do not use the /usb redirection switch

Issue Reporter

Reported by 'Team BT5 (BoB 11th)'

For more information

If you have any questions or comments about this advisory:

    Open an issue in https://github.com/FreeRDP/FreeRDP
    See https://www.freerdp.com/ for contact details
    Email us at security@freerdp.com

Severity: Moderate
CVE ID: CVE-2022-39320
Weaknesses: No CWEs
Credits: @Team-BT5 Team-BT5
_____________________________________________________________________

Missing length validation in urbdrc channel
Moderate
bmiklautz published GHSA-mvxm-wfj2-5fvh

Package: FreeRDP (C)
Affected versions: <= 2.8.1
Patched versions: 2.9.0

Description

Impact

Missing input length validation in urbdrc channel.
A malicious server can trick a FreeRDP based client to read out of
bound data and send it back to the server.

Patches

2.9.0

Workarounds

Do not use the /usb redirection switch

Issue Reporter

Reported by 'Team BT5 (BoB 11th)'

For more information

If you have any questions or comments about this advisory:

    Open an issue in https://github.com/FreeRDP/FreeRDP
    See https://www.freerdp.com/ for contact details
    Email us at security@freerdp.com

Severity: Moderate
CVE ID: CVE-2022-39319
Weaknesses: No CWEs
Credits: @Team-BT5 Team-BT5
_____________________________________________________________________

Missing path sanitation with `drive` channel
Low
bmiklautz published GHSA-c5xq-8v35-pffg

Package: FreeRDP (C)
Affected versions: <= 2.8.1
Patched versions: 2.9.0

Description

Impact

Missing path canonicalization and base path check for drive channel.
A malicious server can trick a FreeRDP based client to read files
outside the shared directory.

Patches

2.9.0

Workarounds

Do not use the /drive, /drives or +home-drive redirection switch

Issue Reporter

Reported by 'Team BT5 (BoB 11th)'

For more information

If you have any questions or comments about this advisory:

    Open an issue in https://github.com/FreeRDP/FreeRDP
    See https://www.freerdp.com/ for contact details
    Email us at security@freerdp.com

Severity: Low
CVE ID: CVE-2022-39347
Weaknesses: No CWEs
Credits: @Team-BT5 Team-BT5
_____________________________________________________________________

Missing input length validation in `drive` channel
Low
bmiklautz published GHSA-pmv3-wpw4-pw5h

Package: FreeRDP (C)
Affected versions: <= 2.8.1
Patched versions: 2.9.0

Description

Impact

Missing input length validation in drive channel.
A malicious server can trick a FreeRDP based client to read out of
bound data and send it back to the server.

Patches

2.9.0

Workarounds

Do not use the drive redirection channel - command line options
/drive, +drives or +home-drive

Issue Reporter

Reported by 'Team BT5 (BoB 11th)'

For more information

If you have any questions or comments about this advisory:

    Open an issue in https://github.com/FreeRDP/FreeRDP
    See https://www.freerdp.com/ for contact details
    Email us at security@freerdp.com

Severity: Low
CVE ID: CVE-2022-41877
Weaknesses: No CWEs
Credits: @Team-BT5 Team-BT5
_____________________________________________________________________

Division by zero in urbdrc channel
Low
bmiklautz published GHSA-387j-8j96-7q35

Package: FreeRDP (C)
Affected versions: <= 2.8.1
Patched versions: 2.9.0

Description

Impact

Missing input validation in urbdrc channel.
A malicious server can trick a FreeRDP based client to crash with
division by zero.

Patches

2.9.0

Workarounds

Do not use the /usb redirection switch

Issue Reporter

Reported by 'Team BT5 (BoB 11th)'

For more information

If you have any questions or comments about this advisory:

    Open an issue in https://github.com/FreeRDP/FreeRDP
    See https://www.freerdp.com/ for contact details
    Email us at security@freerdp.com

Severity: Low
CVE ID: CVE-2022-39318
Weaknesses: No CWEs
Credits: @Team-BT5 Team-BT5
_____________________________________________________________________

Undefined behaviour in zgfx decoder
Low
bmiklautz published GHSA-99cm-4gw7-c8jh

Package: FreeRDP (C)
Affected versions: <= 2.8.1
Patched versions: 2.9.0

Description

Impact

Missing range check for input offset index in ZGFX decoder.
A malicious server can trick a FreeRDP based client to read out of
bound data and try to decode it.

Patches

2.9.0

Workarounds

Is there a way for users to fix or remediate the vulnerability
without upgrading?

Issue Reporter

Reported by 'Team BT5 (BoB 11th)'

For more information

If you have any questions or comments about this advisory:

    Open an issue in https://github.com/FreeRDP/FreeRDP
    See https://www.freerdp.com/ for contact details
    Email us at security@freerdp.com

Severity: Low
CVE ID: CVE-2022-39317
Weaknesses: No CWEs
Credits: @Team-BT5 Team-BT5
_____________________________________________________________________

Out of bound read in zgfx decoder
Low
bmiklautz published GHSA-5w4j-mrrh-jjrm

Package: FreeRDP (C)
Affected versions: <= 2.8.1
Patched versions: 2.9.0

Description

Impact

Out of bound read in ZGFX decoder.
A malicious server can trick a FreeRDP based client to read out of
bound data and try to decode it.

Patches

2.9.0

Workarounds

Is there a way for users to fix or remediate the vulnerability
without upgrading?

Issue Reporter

Reported by 'Team BT5 (BoB 11th)'

For more information

If you have any questions or comments about this advisory:

    Open an issue in https://github.com/FreeRDP/FreeRDP
    See https://www.freerdp.com/ for contact details
    Email us at security@freerdp.com

Severity: Low
CVE ID: CVE-2022-39316
Weaknesses: No CWEs
Credits: @Team-BT5 Team-BT5

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================