Bug 1841199 (CVE-2020-13398) - CVE-2020-13398 freerdp: Out-of-bounds write in crypto_rsa_common in libfreerdp/crypto/crypto.c
Summary: CVE-2020-13398 freerdp: Out-of-bounds write in crypto_rsa_common in libfreerd...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-13398
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1841200 1841201 1841974 1841975 1841976 1841977 1841978 1841979 1841980
Blocks: 1841202
Reported: 2020-05-28 15:48 UTC by Michael Kaplan
Modified: 2023-10-06 20:18 UTC (History)
CC List: 5 users

Fixed In Version: freerdp 2.1.1
Doc Type: If docs needed, set a value
Doc Text:
An issue was found in freerdp's libfreerdp/crypto/crypto.c, in versions before 2.1.1, where a buffer access with an incorrect length value leads to an out-of-bounds write. This flaw allows a remote, unauthenticated attacker running an RDP server, or a local attacker, using a specially crafted certificate, to cause an out-of-bounds write into client process memory, corrupting the integrity of the data used in the RSA encryption functionality or causing a denial of service.
Clone Of:
Environment:
Last Closed: 2020-06-04 23:20:35 UTC
Embargoed:


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:2405  0        None      None    None     2020-06-05 09:24:09 UTC
Red Hat Product Errata  RHSA-2020:2406  0        None      None    None     2020-06-04 19:55:59 UTC
Red Hat Product Errata  RHSA-2020:2407  0        None      None    None     2020-06-04 21:08:27 UTC
Red Hat Product Errata  RHSA-2020:2415  0        None      None    None     2020-06-08 09:28:32 UTC
Red Hat Product Errata  RHSA-2020:2417  0        None      None    None     2020-06-08 09:21:12 UTC

Description Michael Kaplan 2020-05-28 15:48:35 UTC
An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) write vulnerability has been detected in crypto_rsa_common in libfreerdp/crypto/crypto.c.

Upstream Commits:

https://github.com/FreeRDP/FreeRDP/commit/8305349a943c68b1bc8c158f431dc607655aadea
https://github.com/FreeRDP/FreeRDP/commit/8fb6336a4072abcee8ce5bd6ae91104628c7bb69

Comment 1 Michael Kaplan 2020-05-28 15:49:30 UTC
Created freerdp tracking bugs for this issue:

Affects: epel-all [bug 1841200]
Affects: fedora-all [bug 1841201]

Comment 2 Todd Cullum 2020-05-29 23:29:15 UTC
Technical Summary:

The vulnerable function's signature is:

static int crypto_rsa_common(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus,
                             const BYTE* exponent, int exponent_size, BYTE* output)

There was a call to malloc: input_reverse = (BYTE*)malloc(2 * key_length + exponent_size) and subsequently, a call to: memcpy(input_reverse, input, length). It was possible for length to be unequal to the allocated memory size of 2 * key_length + exponent_size, which could cause a heap buffer overflow in the memory pointed to by input_reverse. The patch ensures that the length cannot be longer than the allocation size, initializes the allocated memory to zero using calloc, and performs several other length checks.

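The allocation/copy mismatch described in the technical summary above, reduced to its length arithmetic and shown beside a checked version. This is an added illustration written for this page, not FreeRDP code and not the upstream fix: the names would_overflow, safe_prepare_input and scratch_size, and the sample parameters (256-byte key, 4-byte exponent, 600-byte input) are assumptions made here, and no RSA arithmetic is performed. The only thing modelled is that the scratch buffer is sized from key_length and exponent_size while the copy is sized from the caller-supplied length.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint8_t BYTE;
typedef uint32_t UINT32;

/* Size of the RSA scratch buffer as described in the summary above:
 * 2 * key_length + exponent_size. Computed in 64 bits so a large
 * key_length cannot wrap the sum on a 32-bit target. (Assumed helper.) */
static uint64_t scratch_size(UINT32 key_length, int exponent_size)
{
    return 2ULL * (uint64_t)key_length + (uint64_t)exponent_size;
}

/* Returns 1 if the pre-fix pattern, malloc(2 * key_length + exponent_size)
 * followed by memcpy(input_reverse, input, length) with no check, would
 * write past the allocation for these parameters, 0 otherwise. A negative
 * length counts as an overflow because memcpy's size_t parameter turns it
 * into a huge copy. Nothing is allocated or copied here; this evaluates
 * only the arithmetic the unchecked call relied on. (Assumed name.) */
int would_overflow(int length, UINT32 key_length, int exponent_size)
{
    if (length < 0 || exponent_size < 0)
        return 1;
    return (uint64_t)length > scratch_size(key_length, exponent_size) ? 1 : 0;
}

/* Hardened version of the copy step, modelled on the fix described above
 * rather than taken from it: every length is validated before memory is
 * touched, the buffer is zero-filled with calloc, and the input is stored
 * in reverse byte order (the little-endian to big-endian swap the real
 * function performs before handing the number to OpenSSL). Returns 0 and a
 * calloc'd buffer (caller frees) on success, -1 otherwise. (Assumed name.) */
int safe_prepare_input(const BYTE* input, int length, UINT32 key_length,
                       int exponent_size, BYTE** out, size_t* out_size)
{
    *out = NULL;
    *out_size = 0;
    if (!input || length < 0 || exponent_size < 0)
        return -1;

    uint64_t size = scratch_size(key_length, exponent_size);
    if (size == 0 || size > (uint64_t)SIZE_MAX || (uint64_t)length > size)
        return -1;                        /* the check the original lacked */

    BYTE* buf = (BYTE*)calloc((size_t)size, 1);
    if (!buf)
        return -1;
    for (int i = 0; i < length; i++)
        buf[i] = input[length - 1 - i];   /* reverse copy, bounded by size */

    *out = buf;
    *out_size = (size_t)size;
    return 0;
}

int main(void)
{
    /* Constructed scenario: a 2048-bit key (256-byte modulus, 4-byte
     * exponent) and an input block far longer than the key. */
    const UINT32 key_length = 256;
    const int exponent_size = 4;
    BYTE oversized[600];
    memset(oversized, 0x41, sizeof oversized);

    printf("length 600 vs scratch %llu bytes: overflow=%d\n",
           (unsigned long long)scratch_size(key_length, exponent_size),
           would_overflow(600, key_length, exponent_size));

    BYTE* buf = NULL;
    size_t n = 0;
    int rc = safe_prepare_input(oversized, 600, key_length, exponent_size, &buf, &n);
    printf("safe_prepare_input(600 bytes) -> %d (rejected)\n", rc);

    rc = safe_prepare_input(oversized, 256, key_length, exponent_size, &buf, &n);
    printf("safe_prepare_input(256 bytes) -> %d, buffer %zu bytes\n", rc, n);
    free(buf);
    return 0;
}
```

Rejecting an over-long input rather than growing the allocation to fit it is a design choice of this example; the upstream commits linked in the description are the authority on what FreeRDP 2.1.1 actually does. The negative-length and 64-bit size checks are included because a signed int length and a UINT32 key_length are exactly the places where a "length equals allocation" assumption silently fails.
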
Comment 3 Todd Cullum 2020-05-30 00:04:07 UTC
The vulnerable crypto_rsa_common() is used by both crypto_rsa_public_encrypt() and crypto_rsa_public_decrypt(). However, the input value to the system which could be used for exploitation appears to be only locally modifiable.

Comment 5 Todd Cullum 2020-05-30 00:15:44 UTC
There are other values used in the computation which could be remotely modifiable.

Comment 8 RaTasha Tillery-Smith 2020-06-03 12:20:17 UTC
Mitigation:

To mitigate this flaw, only make connection attempts to trusted RDP servers from the RDP client application.

Comment 9 errata-xmlrpc 2020-06-04 19:55:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:2406 https://access.redhat.com/errata/RHSA-2020:2406

Comment 10 errata-xmlrpc 2020-06-04 21:08:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2407 https://access.redhat.com/errata/RHSA-2020:2407

Comment 11 Product Security DevOps Team 2020-06-04 23:20:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13398

Comment 12 errata-xmlrpc 2020-06-05 09:24:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2405 https://access.redhat.com/errata/RHSA-2020:2405

Comment 13 errata-xmlrpc 2020-06-08 09:21:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2417 https://access.redhat.com/errata/RHSA-2020:2417

Comment 14 errata-xmlrpc 2020-06-08 09:28:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2415 https://access.redhat.com/errata/RHSA-2020:2415