Multiple vulnerabilities in FreeRDP



Published: 2020-06-29
Risk High
Patch available YES
Number of vulnerabilities 9
CVE ID CVE-2020-4030
CVE-2020-11099
CVE-2020-11098
CVE-2020-11097
CVE-2020-11096
CVE-2020-11095
CVE-2020-4033
CVE-2020-4032
CVE-2020-4031
CWE ID CWE-125
CWE-681
CWE-416
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
FreeRDP
Universal components / Libraries / Libraries used by multiple products

Vendor FreeRDP

Security Advisory

1) Out-of-bounds read

Risk: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-4030

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in TrioParse. A remote attacker can trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

FreeRDP: 1.0, 1.0-beta1, 1.0-beta2, 1.0-beta3, 1.0-beta4, 1.0-beta5, 1.0.0, 1.0.1, 1.0.2, 1.0.2-rc1, 1.0.2-rc2, 1.1.0, 1.1.0+android2, 1.1.0+android3, 1.1.0+android4, 1.1.0+android5, 1.1.0+ios1, 1.1.0+ios2, 1.1.0+ios3, 1.1.0+ios4, 1.1.0-beta+2013071101, 1.1.0-beta1, 1.1.0-beta1+android2, 1.1.0-beta1+android3, 1.1.0-beta1+android4, 1.1.0-beta1+android5, 1.1.0-beta1+ios1, 1.1.0-beta1+ios2, 1.1.0-beta1+ios3, 1.1.0-beta1+ios4, 1.2.0, 1.2.0+android7, 1.2.0+android9, 1.2.0-beta1+android7, 1.2.0-beta1+android9, 2.0.0, 2.0.0+android10, 2.0.0+android11, 2.0.0-beta1+android10, 2.0.0-beta1+android11, 2.0.0-rc0, 2.0.0-rc1, 2.0.0-rc2, 2.0.0-rc3, 2.0.0-rc4, 2.1.0, 2.1.1

CPE External links

http://www.freerdp.com/2020/06/22/2_1_2-released
https://github.com/FreeRDP/FreeRDP/commit/05cd9ea2290d23931f615c1b004d4b2e69074e27
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fjr5-97f5-qq98

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds read

Risk: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-11099

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in "license_read_new_or_upgrade_license_packet". A remote attacker can send a specially crafted license packet, trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

FreeRDP: 1.0, 1.0-beta1, 1.0-beta2, 1.0-beta3, 1.0-beta4, 1.0-beta5, 1.0.0, 1.0.1, 1.0.2, 1.0.2-rc1, 1.0.2-rc2, 1.1.0, 1.1.0+android2, 1.1.0+android3, 1.1.0+android4, 1.1.0+android5, 1.1.0+ios1, 1.1.0+ios2, 1.1.0+ios3, 1.1.0+ios4, 1.1.0-beta+2013071101, 1.1.0-beta1, 1.1.0-beta1+android2, 1.1.0-beta1+android3, 1.1.0-beta1+android4, 1.1.0-beta1+android5, 1.1.0-beta1+ios1, 1.1.0-beta1+ios2, 1.1.0-beta1+ios3, 1.1.0-beta1+ios4, 1.2.0, 1.2.0+android7, 1.2.0+android9, 1.2.0-beta1+android7, 1.2.0-beta1+android9, 2.0.0, 2.0.0+android10, 2.0.0+android11, 2.0.0-beta1+android10, 2.0.0-beta1+android11, 2.0.0-rc0, 2.0.0-rc1, 2.0.0-rc2, 2.0.0-rc3, 2.0.0-rc4, 2.1.0, 2.1.1

CPE External links

http://www.freerdp.com/2020/06/22/2_1_2-released
https://github.com/FreeRDP/FreeRDP/commit/6ade7b4cbfd71c54b3d724e8f2d6ac76a58e879a
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-977w-866x-4v5h

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Out-of-bounds read

Risk: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-11098

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in "glyph_cache_put" when "+glyph-cache" option is enabled. A remote attacker can trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

FreeRDP: 1.0, 1.0-beta1, 1.0-beta2, 1.0-beta3, 1.0-beta4, 1.0-beta5, 1.0.0, 1.0.1, 1.0.2, 1.0.2-rc1, 1.0.2-rc2, 1.1.0, 1.1.0+android2, 1.1.0+android3, 1.1.0+android4, 1.1.0+android5, 1.1.0+ios1, 1.1.0+ios2, 1.1.0+ios3, 1.1.0+ios4, 1.1.0-beta+2013071101, 1.1.0-beta1, 1.1.0-beta1+android2, 1.1.0-beta1+android3, 1.1.0-beta1+android4, 1.1.0-beta1+android5, 1.1.0-beta1+ios1, 1.1.0-beta1+ios2, 1.1.0-beta1+ios3, 1.1.0-beta1+ios4, 1.2.0, 1.2.0+android7, 1.2.0+android9, 1.2.0-beta1+android7, 1.2.0-beta1+android9, 2.0.0, 2.0.0+android10, 2.0.0+android11, 2.0.0-beta1+android10, 2.0.0-beta1+android11, 2.0.0-rc0, 2.0.0-rc1, 2.0.0-rc2, 2.0.0-rc3, 2.0.0-rc4, 2.1.0, 2.1.1

CPE External links

http://www.freerdp.com/2020/06/22/2_1_2-released
https://github.com/FreeRDP/FreeRDP/commit/c0fd449ec0870b050d350d6d844b1ea6dad4bc7d
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-jr57-f58x-hjmv

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Out-of-bounds read

Risk: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-11097

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in "ntlm_av_pair_get". A remote attacker can trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

FreeRDP: 1.0, 1.0-beta1, 1.0-beta2, 1.0-beta3, 1.0-beta4, 1.0-beta5, 1.0.0, 1.0.1, 1.0.2, 1.0.2-rc1, 1.0.2-rc2, 1.1.0, 1.1.0+android2, 1.1.0+android3, 1.1.0+android4, 1.1.0+android5, 1.1.0+ios1, 1.1.0+ios2, 1.1.0+ios3, 1.1.0+ios4, 1.1.0-beta+2013071101, 1.1.0-beta1, 1.1.0-beta1+android2, 1.1.0-beta1+android3, 1.1.0-beta1+android4, 1.1.0-beta1+android5, 1.1.0-beta1+ios1, 1.1.0-beta1+ios2, 1.1.0-beta1+ios3, 1.1.0-beta1+ios4, 1.2.0, 1.2.0+android7, 1.2.0+android9, 1.2.0-beta1+android7, 1.2.0-beta1+android9, 2.0.0, 2.0.0+android10, 2.0.0+android11, 2.0.0-beta1+android10, 2.0.0-beta1+android11, 2.0.0-rc0, 2.0.0-rc1, 2.0.0-rc2, 2.0.0-rc3, 2.0.0-rc4, 2.1.0, 2.1.1

CPE External links

http://www.freerdp.com/2020/06/22/2_1_2-released
https://github.com/FreeRDP/FreeRDP/commit/58a3122250d54de3a944c487776bcd4d1da4721e
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c8x2-c3c9-9r3f

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Out-of-bounds read

Risk: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-11096

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in "update_read_cache_bitmap_v3_order". A remote attacker can trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

FreeRDP: 1.0, 1.0-beta1, 1.0-beta2, 1.0-beta3, 1.0-beta4, 1.0-beta5, 1.0.0, 1.0.1, 1.0.2, 1.0.2-rc1, 1.0.2-rc2, 1.1.0, 1.1.0+android2, 1.1.0+android3, 1.1.0+android4, 1.1.0+android5, 1.1.0+ios1, 1.1.0+ios2, 1.1.0+ios3, 1.1.0+ios4, 1.1.0-beta+2013071101, 1.1.0-beta1, 1.1.0-beta1+android2, 1.1.0-beta1+android3, 1.1.0-beta1+android4, 1.1.0-beta1+android5, 1.1.0-beta1+ios1, 1.1.0-beta1+ios2, 1.1.0-beta1+ios3, 1.1.0-beta1+ios4, 1.2.0, 1.2.0+android7, 1.2.0+android9, 1.2.0-beta1+android7, 1.2.0-beta1+android9, 2.0.0, 2.0.0+android10, 2.0.0+android11, 2.0.0-beta1+android10, 2.0.0-beta1+android11, 2.0.0-rc0, 2.0.0-rc1, 2.0.0-rc2, 2.0.0-rc3, 2.0.0-rc4, 2.1.0, 2.1.1

CPE External links

http://www.freerdp.com/2020/06/22/2_1_2-released
https://github.com/FreeRDP/FreeRDP/commit/b8beb55913471952f92770c90c372139d78c16c0
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mjw7-3mq2-996x

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Out-of-bounds read

Risk: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-11095

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in "update_recv_primary_order". A remote attacker can trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

FreeRDP: 1.0, 1.0-beta1, 1.0-beta2, 1.0-beta3, 1.0-beta4, 1.0-beta5, 1.0.0, 1.0.1, 1.0.2, 1.0.2-rc1, 1.0.2-rc2, 1.1.0, 1.1.0+android2, 1.1.0+android3, 1.1.0+android4, 1.1.0+android5, 1.1.0+ios1, 1.1.0+ios2, 1.1.0+ios3, 1.1.0+ios4, 1.1.0-beta+2013071101, 1.1.0-beta1, 1.1.0-beta1+android2, 1.1.0-beta1+android3, 1.1.0-beta1+android4, 1.1.0-beta1+android5, 1.1.0-beta1+ios1, 1.1.0-beta1+ios2, 1.1.0-beta1+ios3, 1.1.0-beta1+ios4, 1.2.0, 1.2.0+android7, 1.2.0+android9, 1.2.0-beta1+android7, 1.2.0-beta1+android9, 2.0.0, 2.0.0+android10, 2.0.0+android11, 2.0.0-beta1+android10, 2.0.0-beta1+android11, 2.0.0-rc0, 2.0.0-rc1, 2.0.0-rc2, 2.0.0-rc3, 2.0.0-rc4, 2.1.0, 2.1.1

CPE External links

http://www.freerdp.com/2020/06/22/2_1_2-released
https://github.com/FreeRDP/FreeRDP/commit/733ee3208306b1ea32697b356c0215180fc3f049
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-563r-pvh7-4fw2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Out-of-bounds read

Risk: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-4033

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in RLEDECOMPRESS. A remote attacker can trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

FreeRDP: 1.0, 1.0-beta1, 1.0-beta2, 1.0-beta3, 1.0-beta4, 1.0-beta5, 1.0.0, 1.0.1, 1.0.2, 1.0.2-rc1, 1.0.2-rc2, 1.1.0, 1.1.0+android2, 1.1.0+android3, 1.1.0+android4, 1.1.0+android5, 1.1.0+ios1, 1.1.0+ios2, 1.1.0+ios3, 1.1.0+ios4, 1.1.0-beta+2013071101, 1.1.0-beta1, 1.1.0-beta1+android2, 1.1.0-beta1+android3, 1.1.0-beta1+android4, 1.1.0-beta1+android5, 1.1.0-beta1+ios1, 1.1.0-beta1+ios2, 1.1.0-beta1+ios3, 1.1.0-beta1+ios4, 1.2.0, 1.2.0+android7, 1.2.0+android9, 1.2.0-beta1+android7, 1.2.0-beta1+android9, 2.0.0, 2.0.0+android10, 2.0.0+android11, 2.0.0-beta1+android10, 2.0.0-beta1+android11, 2.0.0-rc0, 2.0.0-rc1, 2.0.0-rc2, 2.0.0-rc3, 2.0.0-rc4, 2.1.0, 2.1.1

CPE External links

http://www.freerdp.com/2020/06/22/2_1_2-released
https://github.com/FreeRDP/FreeRDP/commit/0a98c450c58ec150e44781c89aa6f8e7e0f571f5
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7rhj-856w-82p8

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Incorrect Conversion between Numeric Types

Risk: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-4032

CWE-ID: CWE-681 - Incorrect Conversion between Numeric Types

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to an integer casting issue in "update_recv_secondary_order". A remote attacker can gain access to sensitive information on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

FreeRDP: 1.0, 1.0-beta1, 1.0-beta2, 1.0-beta3, 1.0-beta4, 1.0-beta5, 1.0.0, 1.0.1, 1.0.2, 1.0.2-rc1, 1.0.2-rc2, 1.1.0, 1.1.0+android2, 1.1.0+android3, 1.1.0+android4, 1.1.0+android5, 1.1.0+ios1, 1.1.0+ios2, 1.1.0+ios3, 1.1.0+ios4, 1.1.0-beta+2013071101, 1.1.0-beta1, 1.1.0-beta1+android2, 1.1.0-beta1+android3, 1.1.0-beta1+android4, 1.1.0-beta1+android5, 1.1.0-beta1+ios1, 1.1.0-beta1+ios2, 1.1.0-beta1+ios3, 1.1.0-beta1+ios4, 1.2.0, 1.2.0+android7, 1.2.0+android9, 1.2.0-beta1+android7, 1.2.0-beta1+android9, 2.0.0, 2.0.0+android10, 2.0.0+android11, 2.0.0-beta1+android10, 2.0.0-beta1+android11, 2.0.0-rc0, 2.0.0-rc1, 2.0.0-rc2, 2.0.0-rc3, 2.0.0-rc4, 2.1.0, 2.1.1

CPE External links

http://www.freerdp.com/2020/06/22/2_1_2-released
https://github.com/FreeRDP/FreeRDP/commit/e7bffa64ef5ed70bac94f823e2b95262642f5296
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3898-mc89-x2vc

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Use-after-free

Risk: High

CVSSv3: 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-4031

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in "gdi_SelectObject" when using compatibility mode with /relax-order-checks. A remote attacker can execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

FreeRDP: 1.0, 1.0-beta1, 1.0-beta2, 1.0-beta3, 1.0-beta4, 1.0-beta5, 1.0.0, 1.0.1, 1.0.2, 1.0.2-rc1, 1.0.2-rc2, 1.1.0, 1.1.0+android2, 1.1.0+android3, 1.1.0+android4, 1.1.0+android5, 1.1.0+ios1, 1.1.0+ios2, 1.1.0+ios3, 1.1.0+ios4, 1.1.0-beta+2013071101, 1.1.0-beta1, 1.1.0-beta1+android2, 1.1.0-beta1+android3, 1.1.0-beta1+android4, 1.1.0-beta1+android5, 1.1.0-beta1+ios1, 1.1.0-beta1+ios2, 1.1.0-beta1+ios3, 1.1.0-beta1+ios4, 1.2.0, 1.2.0+android7, 1.2.0+android9, 1.2.0-beta1+android7, 1.2.0-beta1+android9, 2.0.0, 2.0.0+android10, 2.0.0+android11, 2.0.0-beta1+android10, 2.0.0-beta1+android11, 2.0.0-rc0, 2.0.0-rc1, 2.0.0-rc2, 2.0.0-rc3, 2.0.0-rc4, 2.1.0, 2.1.1

CPE External links

http://www.freerdp.com/2020/06/22/2_1_2-released
https://github.com/FreeRDP/FreeRDP/commit/6d86e20e1e7caaab4f0c7f89e36d32914dbccc52
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gwcq-hpq2-m74g

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.