Bug 2016403 (CVE-2021-41159)

Summary: CVE-2021-41159 freerdp: improper client input validation for gateway connections allows to overwrite memory
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: extras-orphan, negativo17, oholy, pahan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: FreeRDP 2.4.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the FreeRDP client when it fails to validate input data when using gateway connections. This flaw could allow a malicious gateway to send a specially crafted input to a client leading to an out of bounds write in client memory. The highest threat from this flaw is that it could allow arbitrary code to be executed on the target system.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-10 20:01:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2016406, 2016404, 2016405, 2017944, 2017945, 2017946, 2017947, 2017948, 2017949, 2017950    
Bug Blocks: 2016407    

Description Marian Rehak 2021-10-21 13:09:23 UTC 
The vulnerability exists due to a boundary error when processing /gt:rpc connections. A remote server can send specially crafted data to the client, trigger an out-of-bounds write and execute arbitrary code on the target system.

External Reference:

https://www.cybersecurity-help.cz/vulnerabilities/57585/
Comment 1 Marian Rehak 2021-10-21 13:09:45 UTC 
Created freerdp tracking bugs for this issue:

Affects: fedora-all [bug 2016404]


Created freerdp1.2 tracking bugs for this issue:

Affects: epel-7 [bug 2016406]
Affects: fedora-33 [bug 2016405]
Comment 2 Doran Moppert 2021-10-25 05:24:22 UTC 
Upstream patch:

https://github.com/FreeRDP/FreeRDP/pull/7366/commits/f0a0683fa6a3f696c4bc5ba88c128bc781c54895
Comment 4 errata-xmlrpc 2021-11-11 09:50:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:4620 https://access.redhat.com/errata/RHSA-2021:4620
Comment 5 errata-xmlrpc 2021-11-11 10:02:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4622 https://access.redhat.com/errata/RHSA-2021:4622
Comment 6 errata-xmlrpc 2021-11-11 10:03:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:4621 https://access.redhat.com/errata/RHSA-2021:4621
Comment 7 errata-xmlrpc 2021-11-11 10:11:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2021:4623 https://access.redhat.com/errata/RHSA-2021:4623
Comment 8 errata-xmlrpc 2021-11-11 10:19:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:4619 https://access.redhat.com/errata/RHSA-2021:4619
Comment 10 Product Security DevOps Team 2022-03-10 20:01:26 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-41159