#VU27971 Out-of-bounds read in FreeRDP


Published: 2020-05-18

Vulnerability identifier: #VU27971

Vulnerability risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-11526

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FreeRDP
Universal components / Libraries / Libraries used by multiple products

Vendor: FreeRDP

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the "update_recv_secondary_order" function in the "libfreerdp/core/update.c" file. A remote attacker can trigger an out-of-bounds read error and cause a denial of service condition on the target system.

Note: This vulnerability affects versions greater than 1.1.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

FreeRDP: 2.0.0 rc4


External links
http://github.com/FreeRDP/FreeRDP/commits/master
http://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-97jw-m5w5-xvf9
http://pub.freerdp.com/cve/CVE-2020-11526/pocAnalysis_4.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

