In FreeRDP versions up to and including 2.0.0, an integer overflow leading to a buffer overflow exists. When /video redirection is in use, a malicious server can instruct the client to allocate a buffer smaller than the size actually required, because the size calculation overflows. With later messages, the server can then make the client write data out of bounds of the previously allocated buffer. This has been patched in 2.1.0. References: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h25x-cqr6-fp6g https://pub.freerdp.com/cve/CVE-2020-11038/
Created freerdp tracking bugs for this issue: Affects: fedora-all [bug 1848019] Created freerdp1.2 tracking bugs for this issue: Affects: fedora-all [bug 1848020]
Technical Summary: This flaw exists in the freerdp CLIENT application in channels/video/client/video_main.c. The video_read_tsmm_presentation_req() routine reads the width and height of a video presentation from the input stream, i.e. from data supplied by the server. It passes the width and height to video_PresentationRequest(), and then to PresentationContext_new(), which computes the size of the memory allocation it requests with BufferPool_Take(). BufferPool_Take()'s size parameter is of type int. An untrusted or compromised server can supply width and height values whose product overflows the 32-bit arithmetic, so the client allocates a buffer that is far smaller than the frame data it will later receive; when that data is written into the buffer, the result is an out-of-bounds write on the client, causing a crash or memory corruption. The patch checks in PresentationContext_new() that the value passed to BufferPool_Take() is less than INT32_MAX, and stores the width * height result in a size_t variable. Note that the multiplication itself has to be carried out in the wider type: assigning an already-wrapped 32-bit product to a size_t would not remove the overflow. Upstream patch: https://github.com/FreeRDP/FreeRDP/commit/06c32f170093a6ecde93e3bc07fed6a706bfbeb3
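The size-calculation overflow described above, reduced to a stand-alone C illustration. This is added example code, not FreeRDP's source: the vulnerable function forms the buffer size from server-supplied width and height in 32-bit arithmetic and narrows it to the int an allocator parameter would take, and the checked function widens before multiplying and refuses anything above INT32_MAX, as the upstream fix does. The 4-bytes-per-pixel factor, the 32-bit width/height types and the sample dimensions are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Bytes per pixel of the surface buffer. Assumed for this illustration;
 * the advisory only says the size is derived from width and height. */
#define BYTES_PER_PIXEL 4u

/* Vulnerable pattern (illustrative, not FreeRDP's code): width and height
 * arrive as 32-bit values from the server, the product is formed in 32-bit
 * unsigned arithmetic and then narrowed to the int the allocator takes.
 * Any product >= 2^32 wraps, so the allocation is smaller than the frame. */
int vulnerable_surface_size(uint32_t width, uint32_t height)
{
    uint32_t bytes = BYTES_PER_PIXEL * width * height; /* wraps modulo 2^32 */
    return (int)bytes; /* values above INT32_MAX become negative on common compilers */
}

/* Hardened pattern: multiply in 64-bit, bound the pixel count first so the
 * byte count cannot overflow either, and refuse anything an int cannot hold.
 * Returns the byte count (<= INT32_MAX) or -1 when the request is rejected. */
long long checked_surface_size(uint32_t width, uint32_t height)
{
    uint64_t pixels = (uint64_t)width * height; /* max (2^32-1)^2, no wrap in 64 bits */
    if (pixels == 0 || pixels > (uint64_t)INT32_MAX / BYTES_PER_PIXEL)
        return -1; /* zero-sized or too large for the int size parameter */
    return (long long)(pixels * BYTES_PER_PIXEL);
}

/* Number of bytes by which a full frame write would overrun the buffer the
 * vulnerable size computation allocated; 0 means the buffer was big enough. */
uint64_t vulnerable_overshoot(uint32_t width, uint32_t height)
{
    int alloc = vulnerable_surface_size(width, height);
    uint64_t allocated = alloc < 0 ? 0 : (uint64_t)alloc;
    uint64_t pixels = (uint64_t)width * height;
    uint64_t needed = pixels > UINT64_MAX / BYTES_PER_PIXEL
                          ? UINT64_MAX /* saturate instead of wrapping */
                          : pixels * BYTES_PER_PIXEL;
    return needed > allocated ? needed - allocated : 0;
}

int main(void)
{
    /* Constructed sample: 65537 x 16384 x 4 = 2^32 + 65536, which wraps to 65536. */
    printf("vulnerable: %d bytes allocated, frame write overruns by %llu bytes\n",
           vulnerable_surface_size(65537, 16384),
           (unsigned long long)vulnerable_overshoot(65537, 16384));
    printf("checked 65537x16384: %lld\n", checked_surface_size(65537, 16384));
    printf("checked 640x480: %lld bytes\n", checked_surface_size(640, 480));
    return 0;
}
```

With the constructed 65537 x 16384 dimensions the vulnerable computation allocates 65536 bytes while the frame needs 2^32 + 65536, so the later write overruns the heap buffer by 4 GiB; the checked version rejects the same request and accepts an ordinary 640 x 480 surface.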
Mitigation: This flaw can be mitigated on the client side by not enabling video redirection, i.e. by not passing the /video option to the freerdp client.
I changed the impact to Low because this affects only the client, would require connecting to a compromised/untrusted server, and exploitation would not lead to a persistent denial of service.
Statement: Although this flaw affects versions of freerdp shipped with Red Hat Enterprise Linux 7 and 8, Red Hat Product Security views this flaw as having low impact because it only affects the freerdp client, the user must connect to an untrusted or compromised server, and it would not lead to a persistent denial of service if exploited.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4031 https://access.redhat.com/errata/RHSA-2020:4031
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11038
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4647 https://access.redhat.com/errata/RHSA-2020:4647