Red Hat Bugzilla – Bug 1475224
CVE-2017-2834 freerdp: Out-of-bounds write in license_recv()
Last modified: 2017-08-07 09:59:06 EDT
An exploitable code execution vulnerability exists in the authentication functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle attack to trigger this vulnerability. The vulnerability is located in the license server handling. The license message sent by the server contains a length field, which is not correctly verified by FreeRDP. For internal purposes, the library decreases this value by 4, if the server is sent a value inferior to 3, this will result in a negative value and the writing of packet contents outside of the allocated buffer in memory. This vulnerability can allow the execution of arbitrary code on the FreeRDP client side. External References: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0336 http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html
Created freerdp tracking bugs for this issue: Affects: epel-6 [bug 1475247] Affects: fedora-all [bug 1475246] Created freerdp1.2 tracking bugs for this issue: Affects: fedora-all [bug 1475245]
Patch: https://github.com/FreeRDP/FreeRDP/pull/4055/commits/8292b4558f0684065ce1f58db7783cc426099223
Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.