In FreeRDP less than or equal to 2.0.0, when running with logger set to "WLOG_TRACE", a possible crash of application could occur due to a read of an invalid array index. Data could be printed as string to local terminal. This has been fixed in 2.1.0. References: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-wvrr-2f4r-hjvh https://pub.freerdp.com/cve/CVE-2020-11019/
Created freerdp tracking bugs for this issue: Affects: fedora-all [bug 1848013] Created freerdp1.2 tracking bugs for this issue: Affects: fedora-all [bug 1848014]
Technical Summary: This flaw is in the update_recv() routine of libfreerdp/core/update.c. A UINT16, updateType, is parsed from the input stream and then used in an array index. There is no check in place to make sure that updateType isn't larger than the array size. If a malicious client sent a UINT16 of the improper size, it would be used to index the UPDATE_TYPE_STRINGS[] array, which would cause an out-of-bounds read. Since this read is being sent to WLog_Print, garbage data could also be entered into the log and/or printed on the server. The patch uses the update_type_to_string() routine, which only indexes the array if it will not go out-of-bounds. Since this flaw occurs during trace level logging, it is possible to mitigate the flaw by not setting the server log level to trace. Upstream patch: https://github.com/FreeRDP/FreeRDP/commit/0332cad015fdf7fac7e5c6863484f18a554e0fcf
Mitigation: This flaw can be mitigated by not setting the logging level to "trace" on the freerdp server.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4031 https://access.redhat.com/errata/RHSA-2020:4031
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11019
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4647 https://access.redhat.com/errata/RHSA-2020:4647