In FreeRDP less than or equal to 2.0.0, an outside controlled array index is used unchecked for data used as configuration for sound backend (alsa, oss, pulse, ...). The most likely outcome is a crash of the client instance followed by no or distorted sound or a session disconnect. If a user cannot upgrade to the patched version, a workaround is to disable sound for the session. This has been patched in 2.1.0.
References:
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w67c-26c4-2h9w
https://pub.freerdp.com/cve/CVE-2020-11041/
Created freerdp tracking bugs for this issue:
Affects: fedora-all [bug 1848035]
Created freerdp1.2 tracking bugs for this issue:
Affects: fedora-all [bug 1848036]
This flaw affects the freerdp CLIENT. In cases where wFormatNo is greater than the size of &rdpsnd->ClientFormats in rdpsnd_recv_wave2_pdu() of /channels/rdpsnd/client/rdpsnd_main.c, there will be an out-of-bounds read in rdpsnd_ensure_device_is_open(). This is because there is no input validation on wFormatNo which is parsed from a stream from the server. This seems like a very low risk of exploitation and would only affect a client that has connected to an untrusted or compromised server. Likely, it's more of a reliability issue than anything else.
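The bounds check whose absence is described in the comment above, as an added example that is not part of the original comments and is not FreeRDP's code or its patch. The types, the function names other than the `wFormatNo` field, the byte layout and the sample PDUs are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for a negotiated format and the client state (hypothetical types). */
typedef struct { uint16_t tag, channels; uint32_t rate; } audio_format;
typedef struct { const audio_format *client_formats; uint16_t num_client_formats; } snd_client;

/* Constructed sample data: two negotiated formats and three server PDUs. */
static const audio_format FORMATS[2] = { {1, 2, 44100}, {1, 1, 22050} };
static const snd_client CLIENT = { FORMATS, 2 };
static const uint8_t PDU_OK[]    = { 0x10, 0x00, 0x01, 0x00 }; /* wFormatNo = 1 */
static const uint8_t PDU_OOB[]   = { 0x10, 0x00, 0x02, 0x00 }; /* wFormatNo = 2, one past the end */
static const uint8_t PDU_SHORT[] = { 0x10, 0x00, 0x01 };       /* truncated inside wFormatNo */

/* Read a little-endian u16 from untrusted bytes; returns 0 on short input. */
static int read_u16_le(const uint8_t *buf, size_t len, size_t off, uint16_t *out)
{
    if (len < 2 || off > len - 2)
        return 0;
    *out = (uint16_t)(buf[off] | (buf[off + 1] << 8));
    return 1;
}

/* Assumed layout for this example: bytes 0-1 timestamp, bytes 2-3 wFormatNo.
 * Returns NULL for a truncated PDU or an index outside the negotiated list. */
const audio_format *select_format(const snd_client *c, const uint8_t *pdu, size_t len)
{
    uint16_t wFormatNo;
    if (!c || !c->client_formats || !pdu)
        return NULL;
    if (!read_u16_le(pdu, len, 2, &wFormatNo))
        return NULL;
    if (wFormatNo >= c->num_client_formats) /* reject before indexing the array */
        return NULL;
    return &c->client_formats[wFormatNo];
}

int main(void)
{
    printf("ok=%d oob=%d short=%d\n",
           select_format(&CLIENT, PDU_OK, sizeof PDU_OK) != NULL,
           select_format(&CLIENT, PDU_OOB, sizeof PDU_OOB) != NULL,
           select_format(&CLIENT, PDU_SHORT, sizeof PDU_SHORT) != NULL);
    return 0;
}
```

A caller that receives NULL should drop the PDU instead of opening the sound device with whatever memory lies past the array.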
Mitigation: Disable sound for the RDP session in the client.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:4031 https://access.redhat.com/errata/RHSA-2020:4031
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11041
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4647 https://access.redhat.com/errata/RHSA-2020:4647