Bug 1841196 (CVE-2020-13397) - CVE-2020-13397 freerdp: Out-of-bounds read in security_fips_decrypt in libfreerdp/core/security.c
Summary: CVE-2020-13397 freerdp: Out-of-bounds read in security_fips_decrypt in libfre...
Alias: CVE-2020-13397
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1841197 1841198 1845752 1845753
Blocks: 1841202
Reported: 2020-05-28 15:46 UTC by Michael Kaplan
Modified: 2020-11-04 02:39 UTC (History)

Fixed In Version: freerdp 2.1.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-09-29 22:01:32 UTC


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4031 0 None None None 2020-09-29 20:43:59 UTC
Red Hat Product Errata RHSA-2020:4647 0 None None None 2020-11-04 02:39:01 UTC

Description Michael Kaplan 2020-05-28 15:46:30 UTC
An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) read vulnerability has been detected in security_fips_decrypt in libfreerdp/core/security.c due to an uninitialized value.

Upstream Commits:


Comment 1 Michael Kaplan 2020-05-28 15:46:49 UTC
Created freerdp tracking bugs for this issue:

Affects: epel-all [bug 1841197]

Created freerdp1.2 tracking bugs for this issue:

Affects: fedora-all [bug 1841198]

Comment 2 Todd Cullum 2020-05-29 21:21:13 UTC
Looks like this patch adds a NULL-check on the rdp and fips_decrypt pointers... This would protect against a NULL pointer dereference in functions called within winpr_Cipher_Update but not an uninitialized pointer, which could be non-NULL.

Comment 7 Todd Cullum 2020-06-10 01:21:09 UTC
Technical Summary:

The flaw existed because when security_fips_decrypt() in libfreerdp/core/security.c was called, it was possible for rdp->fips_decrypt to be 0-initialized, which would cause an out-of-bounds read when passed to winpr_Cipher_Update(). This may cause a crash or memory information leak. security_fips_decrypt() is called by rdp_decrypt(), which is used by the client and server.

Upstream notes that since the rdp and rdp->fips_decrypt memory is allocated using calloc()[1], which initializes the memory to 0, the above patch is sufficient to detect "initialized" memory in this case.

1. https://github.com/FreeRDP/FreeRDP/blob/3ba66db99d72e5a4771a44e1032d7060653a131e/libfreerdp/core/freerdp.c#L640
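
An added C model of the guard described above (constructed for this page, not FreeRDP's or WinPR's code): a calloc()'d context whose fips_decrypt pointer stays NULL until keys are set, a toy XOR stand-in for winpr_Cipher_Update() that dereferences its context, and a decrypt routine shaped like the upstream patch so the NULL check refuses the uninitialized state instead of reading through it. All type and function names are assumed; only the calloc() allocation and the check itself come from the thread above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* Toy stand-in for a WinPR cipher context (constructed, not FreeRDP's type). */
typedef struct { uint8_t key; } toy_cipher_ctx;          /* single-byte XOR key */
/* Stand-in for winpr_Cipher_Update(): it dereferences ctx, which is where a
 * context that was never created turns into the out-of-bounds read reported. */
static bool toy_cipher_update(const toy_cipher_ctx *ctx, uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= ctx->key;
    return true;
}

/* Modeled on the rdp context: fips_decrypt is only set once FIPS keys exist. */
typedef struct { toy_cipher_ctx *fips_decrypt; } toy_rdp;

/* calloc() zeroes the struct, so fips_decrypt starts NULL; malloc() would leave
 * garbage that a NULL check alone cannot catch (the concern in comment 2). */
static toy_rdp *toy_rdp_new(void) { return calloc(1, sizeof(toy_rdp)); }

static bool toy_fips_keys_init(toy_rdp *rdp, uint8_t key)
{
    rdp->fips_decrypt = calloc(1, sizeof(*rdp->fips_decrypt));
    if (!rdp->fips_decrypt) return false;
    rdp->fips_decrypt->key = key;
    return true;
}

/* Shaped like the upstream fix: refuse to decrypt while the context is absent. */
static bool toy_fips_decrypt(toy_rdp *rdp, uint8_t *data, size_t len)
{
    if (!rdp || !rdp->fips_decrypt) return false;
    return toy_cipher_update(rdp->fips_decrypt, data, len);
}

/* Returns 0 when the guard rejects the unkeyed state and decryption works once
 * keyed; a nonzero value names the step that failed. */
static int run_demo(void)
{
    uint8_t buf[4] = { 1, 2, 3, 4 };                        /* constructed input */
    toy_rdp *rdp = toy_rdp_new();
    if (!rdp) return 1;
    int rc = toy_fips_decrypt(rdp, buf, sizeof buf) ? 2 : 0;  /* must be refused */
    if (rc == 0 && !toy_fips_keys_init(rdp, 0xFF)) rc = 3;
    if (rc == 0 && !toy_fips_decrypt(rdp, buf, sizeof buf)) rc = 4;
    if (rc == 0 && (buf[0] != 0xFE || buf[3] != 0xFB)) rc = 5;
    free(rdp->fips_decrypt); free(rdp);
    return rc;
}
```

Without the pointer check, the first toy_fips_decrypt() call would dereference NULL; with it, the call is refused until keys are set and succeeds afterwards.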

Comment 9 errata-xmlrpc 2020-09-29 20:43:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4031 https://access.redhat.com/errata/RHSA-2020:4031

Comment 10 Product Security DevOps Team 2020-09-29 22:01:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 11 errata-xmlrpc 2020-11-04 02:39:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4647 https://access.redhat.com/errata/RHSA-2020:4647
