Bug 1848012 (CVE-2020-11019)

Summary: CVE-2020-11019 freerdp: Out of bound read in update_recv could result in a crash
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: mads, mailinglists, negativo17, oholy, pahan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: freerdp 2.1.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 22:01:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1848013, 1848014, 1850697, 1850699    
Bug Blocks: 1848044    

Description Michael Kaplan 2020-06-17 14:25:23 UTC 
In FreeRDP less than or equal to 2.0.0, when running with logger set to "WLOG_TRACE", a possible crash of application could occur due to a read of an invalid array index. Data could be printed as string to local terminal. This has been fixed in 2.1.0.

References:

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-wvrr-2f4r-hjvh
https://pub.freerdp.com/cve/CVE-2020-11019/
Comment 1 Michael Kaplan 2020-06-17 14:25:48 UTC 
Created freerdp tracking bugs for this issue:

Affects: fedora-all [bug 1848013]


Created freerdp1.2 tracking bugs for this issue:

Affects: fedora-all [bug 1848014]
Comment 2 Todd Cullum 2020-06-24 18:07:05 UTC 
Technical Summary:

This flaw is in the update_recv() routine of libfreerdp/core/update.c. A UINT16, updateType, is parsed from the input stream and then used in an array index. There is no check in place to make sure that updateType isn't larger than the array size. If a malicious client sent a UINT16 of the improper size, it would be used to index the UPDATE_TYPE_STRINGS[] array, which would cause an out-of-bounds read. Since this read is being sent to WLog_Print, garbage data could also be entered into the log and/or printed on the server. The patch uses the update_type_to_string() routine, which only indexes the array if it will not go out-of-bounds. Since this flaw occurs during trace level logging, it is possible to mitigate the flaw by not setting the server log level to trace.

Upstream patch: https://github.com/FreeRDP/FreeRDP/commit/0332cad015fdf7fac7e5c6863484f18a554e0fcf
Comment 3 Todd Cullum 2020-06-24 18:11:39 UTC 
Mitigation:

This flaw can be mitigated by not setting the logging level to "trace" on the freerdp server.
Comment 5 errata-xmlrpc 2020-09-29 20:44:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4031 https://access.redhat.com/errata/RHSA-2020:4031
Comment 6 Product Security DevOps Team 2020-09-29 22:01:46 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11019
Comment 7 errata-xmlrpc 2020-11-04 02:39:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4647 https://access.redhat.com/errata/RHSA-2020:4647