Bug 1841196 (CVE-2020-13397) - CVE-2020-13397 freerdp: Out-of-bounds read in security_fips_decrypt in libfreerdp/core/security.c
Keywords:
Status: NEW
Alias: CVE-2020-13397
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1841197 1845752 1845753 1841198
Blocks: 1841202
Reported: 2020-05-28 15:46 UTC by Michael Kaplan
Modified: 2020-06-10 01:31 UTC (History)

Fixed In Version: freerdp 2.1.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Michael Kaplan 2020-05-28 15:46:30 UTC
An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) read vulnerability has been detected in security_fips_decrypt in libfreerdp/core/security.c due to an uninitialized value.

Upstream Commits:

https://github.com/FreeRDP/FreeRDP/commit/8fb6336a4072abcee8ce5bd6ae91104628c7bb69
https://github.com/FreeRDP/FreeRDP/commit/d6cd14059b257318f176c0ba3ee0a348826a9ef8

Comment 1 Michael Kaplan 2020-05-28 15:46:49 UTC
Created freerdp tracking bugs for this issue:

Affects: epel-all [bug 1841197]


Created freerdp1.2 tracking bugs for this issue:

Affects: fedora-all [bug 1841198]

Comment 2 Todd Cullum 2020-05-29 21:21:13 UTC
Looks like this patch adds a NULL-check on the rdp and fips_decrypt pointers... This would protect against a NULL pointer dereference in functions called within winpr_Cipher_Update but not uninitialized pointer, which could be non-NULL.

Comment 7 Todd Cullum 2020-06-10 01:21:09 UTC
Technical Summary:

The flaw existed because when security_fips_decrypt() in libfreerdp/core/security.c was called, it was possible for rdp->fips_decrypt to be 0-initialized, which would cause an out-of-bounds read when passed to winpr_Cipher_Update(). This may cause a crash or memory information leak. security_fips_decrypt() is called by rdp_decrypt(), which is used by the client and server.

Upstream notes that since the rdp and rdp->fips_decrypt memory is allocated using calloc()[1], which initializes the memory to 0, the above patch is sufficient to detect "initialized" memory in this case.

1. https://github.com/FreeRDP/FreeRDP/blob/3ba66db99d72e5a4771a44e1032d7060653a131e/libfreerdp/core/freerdp.c#L640
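The following is an added example, not FreeRDP or WinPR code, written to illustrate the two points made in Comment 2 and Comment 7: a NULL check in front of the cipher call stops the decrypt on a context whose cipher pointer was never set, but only because calloc() guarantees that pointer starts out as NULL. Every name here (rdp_context, cipher_state, cipher_update, rdp_new_calloc, rdp_new_stale, security_fips_decrypt_guarded, guard_rejects_unset) is a hypothetical stand-in for the real structures and functions, and the 0xAA fill in rdp_new_stale() is constructed to model stale heap contents.

```c
/* Added example, not FreeRDP code. Models the guard that the CVE-2020-13397
 * fix adds in front of the cipher call and why that guard is only sufficient
 * when the context comes from calloc(). All names (rdp_context, cipher_state,
 * cipher_update, security_fips_decrypt_guarded, ...) are hypothetical
 * stand-ins for the FreeRDP / WinPR structures and functions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cipher state standing in for the opaque WinPR cipher context. */
typedef struct {
    uint8_t key;
} cipher_state;

/* Hypothetical connection context with only the field this bug concerns. */
typedef struct {
    cipher_state *fips_decrypt; /* unset until the FIPS key material is installed */
} rdp_context;

/* Stand-in for winpr_Cipher_Update(): a toy XOR transform applied in place. */
static bool cipher_update(cipher_state *st, uint8_t *buf, size_t len)
{
    if (!st)
        return false;
    for (size_t i = 0; i < len; i++)
        buf[i] ^= st->key;
    return true;
}

/* Allocation the way the upstream note describes: calloc() zeroes the block,
 * so fips_decrypt is a well-defined NULL until it is explicitly set. */
rdp_context *rdp_new_calloc(void)
{
    return calloc(1, sizeof(rdp_context));
}

/* Constructed counter-example for the concern raised in Comment 2: a block
 * that is NOT zeroed. The 0xAA fill stands in for stale heap contents, so the
 * pointer is non-NULL garbage even though no cipher was ever installed. */
rdp_context *rdp_new_stale(void)
{
    rdp_context *rdp = malloc(sizeof(rdp_context));
    if (rdp)
        memset(rdp, 0xAA, sizeof(*rdp));
    return rdp;
}

/* Installs the decrypt cipher, as the FIPS key exchange would. */
void security_fips_set_decrypt(rdp_context *rdp, cipher_state *st)
{
    rdp->fips_decrypt = st;
}

/* Guard in the style of the fix: refuse to decrypt when the context or its
 * cipher pointer is NULL instead of handing NULL to the cipher routine. */
bool security_fips_decrypt_guarded(rdp_context *rdp, uint8_t *data, size_t len)
{
    if (!rdp || !rdp->fips_decrypt)
        return false;
    return cipher_update(rdp->fips_decrypt, data, len);
}

/* Does the guard alone stop a decrypt on a context whose cipher was never set?
 * True for the calloc() context (pointer is NULL); false for the stale one,
 * whose garbage pointer passes the NULL check. The stale context is only ever
 * inspected here, never dereferenced, because doing so would be the bug. */
bool guard_rejects_unset(const rdp_context *rdp)
{
    return rdp == NULL || rdp->fips_decrypt == NULL;
}

int main(void)
{
    rdp_context *ok = rdp_new_calloc();
    rdp_context *stale = rdp_new_stale();
    uint8_t buf[4] = { 0x01, 0x02, 0x03, 0x04 };
    cipher_state st = { 0x5A };

    /* Before the key is installed the guard refuses and leaves buf untouched. */
    bool before = security_fips_decrypt_guarded(ok, buf, sizeof buf);
    security_fips_set_decrypt(ok, &st);
    bool after = security_fips_decrypt_guarded(ok, buf, sizeof buf);

    /* Exit 0 when: guard refused before, decrypted after, and would not have
     * caught the stale (non-zeroed) context. */
    int rc = (!before && after && !guard_rejects_unset(stale)) ? 0 : 1;
    free(stale);
    free(ok);
    return rc;
}
```

The takeaway for a reviewer is the one Comment 7 records: the NULL check is a complete fix for the code path where the context is calloc()'d, and an incomplete one for any allocation path that leaves the field indeterminate, so the allocation site is part of what has to be verified when auditing this kind of patch.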

