SB2023090425 - Multiple vulnerabilities in FreeRDP
Published: September 4, 2023 Updated: September 4, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 17 secuirty vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2023-40575)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in general_YUV444ToRGB_8u_P3AC4R_BGRX. A remote attacker can trigger an out-of-bounds read error and cause a denial of service condition on the target system.
2) Integer underflow (CVE-ID: CVE-2023-40181)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer underflow in zgfx_decompress_segment. A remote attacker can send a specially crafted request to the affected application, trigger integer underflow and cause a denial of service condition on the target system.
3) Use-after-free (CVE-ID: CVE-2023-39355)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in RDPGFX_CMDID_RESETGRAPHICS. A remote attacker can cause unexpected behavior.
4) Use-after-free (CVE-ID: CVE-2023-40187)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in avc420_ensure_buffer, avc444_ensure_buffer. A remote attacker can cause unexpected behavior.
5) Out-of-bounds read (CVE-ID: CVE-2023-40188)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in general_LumaToYUV444. A remote attacker can trigger an out-of-bounds read error and cause a denial of service condition on the target system.
6) Out-of-bounds write (CVE-ID: CVE-2023-40567)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in clear_decompress_bands_data. A remote attacker can trigger an out-of-bounds write and execute arbitrary code on the target system.
7) Out-of-bounds write (CVE-ID: CVE-2023-40569)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in progressive_decompress. A remote attacker can trigger an out-of-bounds write and execute arbitrary code on the target system.
8) Out-of-bounds read (CVE-ID: CVE-2023-40576)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in RleDecompress. A remote attacker can trigger an out-of-bounds read error and cause a denial of service condition on the system.
9) Out-of-bounds write (CVE-ID: CVE-2023-40574)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in general_YUV444ToRGB_8u_P3AC4R_BGRX. A remote attacker can trigger an out-of-bounds write and execute arbitrary code on the target system.
10) Buffer overflow (CVE-ID: CVE-2023-40589)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in ncrush_decompress. A remote attacker can trigger memory corruption and cause a denial of service condition on the target system.
11) NULL pointer dereference (CVE-ID: CVE-2023-39351)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the rfx_process_message_tileset() function in libfreerdp/codec/rfx.c in RemoteFX. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
12) Out-of-bounds read (CVE-ID: CVE-2023-39354)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in nsc_rle_decompress_data() function in libfreerdp/codec/nsc.c. A remote user can send specially crafted data to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
13) Out-of-bounds read (CVE-ID: CVE-2023-39356)
The vulnerability allows a remote attacker to perform denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the gdi_multi_opaque_rect() function. A remote attacker can send specially crafted packets to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
14) Integer overflow (CVE-ID: CVE-2023-40186)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow within the gdi_CreateSurface() function in libfreerdp/gdi/gfx.c. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and execute arbitrary code on the target system.
15) Out-of-bounds write (CVE-ID: CVE-2023-39352)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error in libfreerdp/gdi/gfx.c. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds write and execute arbitrary code on the target system.
16) Out-of-bounds read (CVE-ID: CVE-2023-39353)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in libfreerdp/codec/rfx.c. A remote attacker can trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
17) Integer underflow (CVE-ID: CVE-2023-39350)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer underflow caused by incorrect offset calculation. A remote attacker can send specially crafted data to the affected application, trigger an integer underflow and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c6vw-92h9-5w9v
- https://github.com/FreeRDP/FreeRDP/blob/5be5553e0da72178a4b94cc1ffbdace9ceb153e5/libfreerdp/primitives/prim_YUV.c#L414-L445
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mxp4-rx7x-h2g8
- https://github.com/FreeRDP/FreeRDP/blob/2252d53001d9ce8a452f0a0a5b1f5ed9db6d57f1/libfreerdp/codec/zgfx.c#L256-L261
- https://github.com/FreeRDP/FreeRDP/blob/2252d53001d9ce8a452f0a0a5b1f5ed9db6d57f1/libfreerdp/codec/zgfx.c#L334-L355
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hvwj-vmg6-2f5h
- https://github.com/FreeRDP/FreeRDP/commit/d6f9d33a7db0b346195b6a15b5b99944ba41beee
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-pwf9-v5p9-ch4f
- https://github.com/FreeRDP/FreeRDP/blob/5be5553e0da72178a4b94cc1ffbdace9ceb153e5/libfreerdp/codec/h264.c#L413-L427
- https://github.com/FreeRDP/FreeRDP/blob/5be5553e0da72178a4b94cc1ffbdace9ceb153e5/libfreerdp/codec/nsc.c#L115-L175
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9w28-wwj5-p4xq
- https://github.com/FreeRDP/FreeRDP/blob/5be5553e0da72178a4b94cc1ffbdace9ceb153e5/libfreerdp/codec/clear.c#L843-L845
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-2w9f-8wg4-8jfp
- https://github.com/FreeRDP/FreeRDP/blob/5be5553e0da72178a4b94cc1ffbdace9ceb153e5/libfreerdp/codec/clear.c#L612-L618
- https://github.com/FreeRDP/FreeRDP/blob/5be5553e0da72178a4b94cc1ffbdace9ceb153e5/libfreerdp/codec/progressive.c#L2598-L2616
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hm8c-rcjg-c8qp
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-x3x5-r7jm-5pq2
- https://github.com/FreeRDP/FreeRDP/blob/5be5553e0da72178a4b94cc1ffbdace9ceb153e5/libfreerdp/codec/include/bitmap.c#L94-L113
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-422p-gj6x-93cw
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gc34-mw6m-g42x
- https://github.com/FreeRDP/FreeRDP/commit/16141a30f983dd6f7a6e5b0356084171942c9416
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q9x9-cqjc-rgwq
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c3r2-pxxp-f8r6
- https://github.com/FreeRDP/FreeRDP/commit/cd1da25a87358eb3b5512fd259310e95b19a05ec
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5v5-qhj5-mh6m
- https://github.com/FreeRDP/FreeRDP/blob/63a2f65618748c12f79ff7450d46c6e194f2db76/libfreerdp/gdi/gdi.c#L723C1-L758
- https://github.com/FreeRDP/FreeRDP/blob/63a2f65618748c12f79ff7450d46c6e194f2db76/libfreerdp/core/orders.c#L1503-L1504
- https://github.com/FreeRDP/FreeRDP/blob/63a2f65618748c12f79ff7450d46c6e194f2db76/include/freerdp/primary.h#L186-L196
- https://github.com/FreeRDP/FreeRDP/blob/fee2b10ba1154f952769a53eb608f044782e22f8/libfreerdp/gdi/gfx.c#L1156-L1165
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hcj4-3c3r-5j3v
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj
- https://github.com/FreeRDP/FreeRDP/blob/63a2f65618748c12f79ff7450d46c6e194f2db76/libfreerdp/gdi/gfx.c#L1219-L1239
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f
- https://github.com/FreeRDP/FreeRDP/blob/63a2f65618748c12f79ff7450d46c6e194f2db76/libfreerdp/codec/rfx.c#L994-L996
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rrrv-3w42-pffh
- https://github.com/FreeRDP/FreeRDP/commit/e204fc8be5a372626b13f66daf2abafe71dbc2dc