Bug 1848034 (CVE-2020-11041) - CVE-2020-11041 freerdp: Unchecked read of array offset in rdpsnd_recv_wave2_pdu
Summary: CVE-2020-11041 freerdp: Unchecked read of array offset in rdpsnd_recv_wave2_pdu
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-11041
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1848035 1848036 1850828 1850829
Blocks: 1848044
Reported: 2020-06-17 14:45 UTC by Michael Kaplan
Modified: 2021-02-16 19:51 UTC

Fixed In Version: freerdp 2.1.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-29 22:01:54 UTC
Embargoed:




Links:
Red Hat Product Errata RHSA-2020:4031 (last updated 2020-09-29 20:44:30 UTC)
Red Hat Product Errata RHSA-2020:4647 (last updated 2020-11-04 02:39:23 UTC)

Description Michael Kaplan 2020-06-17 14:45:37 UTC
In FreeRDP less than or equal to 2.0.0, an outside controlled array index is used unchecked for data used as configuration for sound backend (alsa, oss, pulse, ...). The most likely outcome is a crash of the client instance followed by no or distorted sound or a session disconnect. If a user cannot upgrade to the patched version, a workaround is to disable sound for the session. This has been patched in 2.1.0.

References:

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w67c-26c4-2h9w
https://pub.freerdp.com/cve/CVE-2020-11041/

Comment 1 Michael Kaplan 2020-06-17 14:46:03 UTC
Created freerdp tracking bugs for this issue:

Affects: fedora-all [bug 1848035]


Created freerdp1.2 tracking bugs for this issue:

Affects: fedora-all [bug 1848036]

Comment 2 Todd Cullum 2020-06-25 01:16:07 UTC
This flaw affects the freerdp CLIENT. In cases where wFormatNo is greater than the size of &rdpsnd->ClientFormats in rdpsnd_recv_wave2_pdu() of /channels/rdpsnd/client/rdpsnd_main.c, there will be an out-of-bounds read in rdpsnd_ensure_device_is_open(). This is because there is no input validation on wFormatNo which is parsed from a stream from the server. This seems like a very low risk of exploitation and would only affect a client that has connected to an untrusted or compromised server. Likely, it's more of a reliability issue than anything else.
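
The lookup described in the comment above, as an added example that is not FreeRDP's code: a server-controlled wFormatNo indexes the client's ClientFormats table, and the hardened variant rejects the PDU when the index is out of range. The struct layouts, the helper names and the Wave2 body layout (wTimeStamp then wFormatNo, little-endian) are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the client's negotiated format table (assumed layout). */
typedef struct {
    uint16_t wFormatTag;
    uint16_t nChannels;
    uint32_t nSamplesPerSec;
} AUDIO_FORMAT;

typedef struct {
    AUDIO_FORMAT *ClientFormats;
    size_t NumberOfClientFormats;
} rdpsnd_ctx;

/* Unchecked lookup: the pattern behind the flaw. Never call this with an
 * unvalidated index; wFormatNo >= NumberOfClientFormats reads past the table. */
static const AUDIO_FORMAT *lookup_format_unchecked(const rdpsnd_ctx *ctx, uint16_t wFormatNo) {
    return &ctx->ClientFormats[wFormatNo];
}

/* Hardened lookup: validate the wire-supplied index before it touches memory. */
static const AUDIO_FORMAT *lookup_format_checked(const rdpsnd_ctx *ctx, uint16_t wFormatNo) {
    if (!ctx || !ctx->ClientFormats) return NULL;
    if (wFormatNo >= ctx->NumberOfClientFormats) return NULL; /* invalid PDU, drop it */
    return &ctx->ClientFormats[wFormatNo];
}

/* Handle a Wave2 body: check the length, extract wFormatNo at body offset 2
 * (assumed layout), then do the checked lookup. Returns the selected sample
 * rate, or 0 when the PDU is rejected. */
static uint32_t handle_wave2_body(const rdpsnd_ctx *ctx, const uint8_t *body, size_t len) {
    if (len < 4) return 0;
    uint16_t wFormatNo = (uint16_t)(body[2] | (body[3] << 8));
    const AUDIO_FORMAT *f = lookup_format_checked(ctx, wFormatNo);
    return f ? f->nSamplesPerSec : 0;
}

/* Constructed sample: a client that negotiated two formats receives a Wave2
 * body carrying the given wFormatNo. */
uint32_t demo_select(uint16_t wFormatNo) {
    static AUDIO_FORMAT formats[2] = { {1, 2, 44100}, {1, 1, 22050} };
    rdpsnd_ctx ctx = { formats, 2 };
    uint8_t body[12] = { 0x10, 0x00, (uint8_t)(wFormatNo & 0xff), (uint8_t)(wFormatNo >> 8) };
    (void)lookup_format_unchecked; /* shown for contrast only, intentionally unused */
    return handle_wave2_body(&ctx, body, sizeof body);
}

int main(void) {
    printf("wFormatNo=1 -> %u Hz, wFormatNo=7 -> %u (rejected)\n", demo_select(1), demo_select(7));
    return 0;
}
```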

Comment 3 Todd Cullum 2020-06-25 01:16:09 UTC
Mitigation:

Disable sound for the rdp session in the client.

Comment 5 errata-xmlrpc 2020-09-29 20:44:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4031 https://access.redhat.com/errata/RHSA-2020:4031

Comment 6 Product Security DevOps Team 2020-09-29 22:01:54 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11041

Comment 7 errata-xmlrpc 2020-11-04 02:39:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4647 https://access.redhat.com/errata/RHSA-2020:4647
