In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read in ntlm_read_AuthenticateMessage. This has been fixed in 2.1.0. Reference: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-84vj-g73m-chw7 Upstream commit: https://github.com/FreeRDP/FreeRDP/commit/8241ab42fdf0cc89cf69fc574bf6360c9977a0d4
Created freerdp tracking bugs for this issue: Affects: epel-6 [bug 1844174] Affects: fedora-all [bug 1844172] Created freerdp1.2 tracking bugs for this issue: Affects: epel-7 [bug 1844176] Affects: fedora-all [bug 1844175]
Technical Summary: The fields->Len member is retrieved from the stream and can be controlled by user input. First, the call ntlm_read_message_fields(s, &(message->NtChallengeResponse)) reads in the NtChallengeResponse message data from the stream, including the fields->Len. Subsequently, the code: wStream* snt = Stream_New(message->NtChallengeResponse.Buffer, message->NtChallengeResponse.Len); computes the stream pointer, which is passed to ntlm_read_ntlm_v2_response(), which could cause an out-of-bounds read of 16+ bytes originating at snt. The patch for this uses Stream_GetRemainingLength() to avoid overreading the buffer and adds SECURITY_STATUS error reporting.
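As an added C example (not FreeRDP's code), the hardened read path the summary describes: the NtChallengeResponse sub-stream is checked with Stream_GetRemainingLength() before the 16-byte response is read, so a peer-supplied Len that is too short is rejected instead of read past. The wStream helpers, NTLM_FIELD type and status values are simplified stand-ins, and the bounds check of the field against the parent message is an extra check beyond the one the summary names.

```c
#include <stdint.h>
#include <string.h>

/* Minimal stand-ins for FreeRDP's wStream helpers (assumption: not the real API). */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } wStream;
static size_t Stream_GetRemainingLength(const wStream *s) { return s->len - s->pos; }
static uint16_t read_u16(wStream *s) { uint16_t v = (uint16_t)(s->buf[s->pos] | (s->buf[s->pos + 1] << 8)); s->pos += 2; return v; }
static uint32_t read_u32(wStream *s) { uint32_t lo = read_u16(s); return lo | ((uint32_t)read_u16(s) << 16); }

/* MS-NLMP field descriptor (Len, MaxLen, BufferOffset): every value comes from the peer. */
typedef struct { uint16_t Len; uint16_t MaxLen; uint32_t BufferOffset; } NTLM_FIELD;
enum { SEC_E_OK = 0, SEC_E_INVALID_TOKEN = 1 }; /* placeholder status values */

static int read_message_field(wStream *s, NTLM_FIELD *f)
{
    if (Stream_GetRemainingLength(s) < 8) return SEC_E_INVALID_TOKEN;
    f->Len = read_u16(s); f->MaxLen = read_u16(s); f->BufferOffset = read_u32(s);
    return SEC_E_OK;
}

/* Hardened reader: the sub-stream must lie inside the message (extra check added here)
 * and must still hold the 16-byte Response before it is read; that second test is the
 * Stream_GetRemainingLength() check the fix adds instead of trusting fields->Len. */
static int read_ntlm_v2_response_checked(const uint8_t *msg, size_t msg_len,
                                         const NTLM_FIELD *f, uint8_t response[16])
{
    if (f->BufferOffset > msg_len || f->Len > msg_len - f->BufferOffset) return SEC_E_INVALID_TOKEN;
    wStream snt = { msg + f->BufferOffset, f->Len, 0 }; /* stands in for Stream_New(Buffer, Len) */
    if (Stream_GetRemainingLength(&snt) < 16) return SEC_E_INVALID_TOKEN;
    memcpy(response, snt.buf + snt.pos, 16);
    snt.pos += 16;
    return SEC_E_OK;
}

/* Constructed 24-byte sample: 8-byte descriptor, then 16 payload bytes at offset 8.
 * Returns the status the hardened reader gives for a peer-supplied Len/BufferOffset. */
int check_sample(uint16_t len, uint32_t offset)
{
    uint8_t msg[24] = { 0 }, response[16];
    NTLM_FIELD f;
    wStream s = { msg, sizeof msg, 0 };
    msg[0] = (uint8_t)len; msg[1] = (uint8_t)(len >> 8);
    msg[4] = (uint8_t)offset; msg[5] = (uint8_t)(offset >> 8);
    msg[6] = (uint8_t)(offset >> 16); msg[7] = (uint8_t)(offset >> 24);
    memset(msg + 8, 0xAB, 16);
    if (read_message_field(&s, &f) != SEC_E_OK) return SEC_E_INVALID_TOKEN;
    return read_ntlm_v2_response_checked(msg, sizeof msg, &f, response);
}
```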
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4031 https://access.redhat.com/errata/RHSA-2020:4031
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11087
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4647 https://access.redhat.com/errata/RHSA-2020:4647