Bug 1848034 (CVE-2020-11041)

Summary: CVE-2020-11041 freerdp: Unchecked read of array offset in rdpsnd_recv_wave2_pdu
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: mads, mailinglists, negativo17, oholy, pahan
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: freerdp 2.1.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-09-29 22:01:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1848035, 1848036, 1850828, 1850829
Bug Blocks: 1848044

Description Michael Kaplan 2020-06-17 14:45:37 UTC
In FreeRDP less than or equal to 2.0.0, an outside controlled array index is used unchecked for data used as configuration for sound backend (alsa, oss, pulse, ...). The most likely outcome is a crash of the client instance followed by no or distorted sound or a session disconnect. If a user cannot upgrade to the patched version, a workaround is to disable sound for the session. This has been patched in 2.1.0.

References:

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w67c-26c4-2h9w
https://pub.freerdp.com/cve/CVE-2020-11041/

Comment 1 Michael Kaplan 2020-06-17 14:46:03 UTC
Created freerdp tracking bugs for this issue:

Affects: fedora-all [bug 1848035]


Created freerdp1.2 tracking bugs for this issue:

Affects: fedora-all [bug 1848036]

Comment 2 Todd Cullum 2020-06-25 01:16:07 UTC
This flaw affects the freerdp CLIENT. In cases where wFormatNo is greater than the size of &rdpsnd->ClientFormats in rdpsnd_recv_wave2_pdu() of /channels/rdpsnd/client/rdpsnd_main.c, there will be an out-of-bounds read in rdpsnd_ensure_device_is_open(). This is because there is no input validation on wFormatNo which is parsed from a stream from the server. This seems like a very low risk of exploitation and would only affect a client that has connected to an untrusted or compromised server. Likely, it's more of a reliability issue than anything else.

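As an added illustration of the defect described in the comment above (this is not FreeRDP's own code), a simplified C model of the wave2 handler: the struct names, the stream reader and the PDU field layout are assumptions, and the hardened handler rejects any server-supplied wFormatNo outside the negotiated ClientFormats list before it is used as an array index.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed, simplified model of the rdpsnd client state (not FreeRDP's own structs). */
typedef struct { uint16_t wFormatTag; uint16_t nChannels; uint32_t nSamplesPerSec; } AudioFormat;
typedef struct {
    const AudioFormat *ClientFormats; /* formats the client advertised to the server */
    uint16_t NumberOfClientFormats;   /* length of that array */
} RdpsndState;

static bool read_u16_le(const uint8_t *buf, size_t len, size_t *pos, uint16_t *out) {
    if (len - *pos < 2) return false;
    *out = (uint16_t)(buf[*pos] | (buf[*pos + 1] << 8));
    *pos += 2;
    return true;
}

/* Vulnerable pattern (CVE-2020-11041): the server-chosen index selects the sound
 * backend configuration with no range check, so wFormatNo >= NumberOfClientFormats
 * reads past the end of ClientFormats. Kept for contrast; never called below. */
const AudioFormat *wave2_format_unchecked(const RdpsndState *r, uint16_t wFormatNo) {
    return &r->ClientFormats[wFormatNo];
}

/* Hardened form: validate the index against the negotiated list before using it. */
static const AudioFormat *wave2_format_checked(const RdpsndState *r, uint16_t wFormatNo) {
    if (wFormatNo >= r->NumberOfClientFormats) return NULL;
    return &r->ClientFormats[wFormatNo];
}

/* Parse the leading wave2 body fields (wTimeStamp, wFormatNo; assumed little-endian
 * order) and resolve the format. Returns the index, -1 if the PDU is truncated,
 * -2 if the server-supplied wFormatNo is out of range. */
int handle_wave2(const RdpsndState *r, const uint8_t *pdu, size_t len) {
    size_t pos = 0;
    uint16_t wTimeStamp, wFormatNo;
    if (!read_u16_le(pdu, len, &pos, &wTimeStamp)) return -1;
    if (!read_u16_le(pdu, len, &pos, &wFormatNo)) return -1;
    (void)wTimeStamp;
    return wave2_format_checked(r, wFormatNo) ? (int)wFormatNo : -2;
}

/* Constructed sample state and PDU bytes so the block runs stand-alone. */
static const AudioFormat sample_formats[2] = { {1, 2, 44100}, {1, 1, 22050} };
static const RdpsndState sample_state = { sample_formats, 2 };
static const uint8_t pdu_ok[]  = { 0x10, 0x00, 0x01, 0x00 }; /* wFormatNo = 1 */
static const uint8_t pdu_oob[] = { 0x10, 0x00, 0xff, 0xff }; /* wFormatNo = 65535 */
int sample_ok(void)    { return handle_wave2(&sample_state, pdu_ok, sizeof pdu_ok); }
int sample_oob(void)   { return handle_wave2(&sample_state, pdu_oob, sizeof pdu_oob); }
int sample_short(void) { return handle_wave2(&sample_state, pdu_ok, 3); }
```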
Comment 3 Todd Cullum 2020-06-25 01:16:09 UTC
Mitigation:

Disable sound for the rdp session in the client.

Comment 5 errata-xmlrpc 2020-09-29 20:44:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4031 https://access.redhat.com/errata/RHSA-2020:4031

Comment 6 Product Security DevOps Team 2020-09-29 22:01:54 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11041

Comment 7 errata-xmlrpc 2020-11-04 02:39:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4647 https://access.redhat.com/errata/RHSA-2020:4647