An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) write vulnerability has been detected in crypto_rsa_common in libfreerdp/crypto/crypto.c. Upstream Commits: https://github.com/FreeRDP/FreeRDP/commit/8305349a943c68b1bc8c158f431dc607655aadea https://github.com/FreeRDP/FreeRDP/commit/8fb6336a4072abcee8ce5bd6ae91104628c7bb69
Created freerdp tracking bugs for this issue: Affects: epel-all [bug 1841200] Affects: fedora-all [bug 1841201]
Technical Summary: The vulnerable function's signature is: static int crypto_rsa_common(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus, const BYTE* exponent, int exponent_size, BYTE* output) There was a call to malloc: input_reverse = (BYTE*)malloc(2 * key_length + exponent_size) and subsequently, a call to: memcpy(input_reverse, input, length). It was possible for length to be unequal to the allocated memory size of 2 * key_length + exponent_size, which could cause a heap buffer overflow in the memory pointed to by input_reverse. The patch ensures that the length cannot be longer than the allocation size, initializes the allocated memory to zero using calloc, and performs several other length checks.
The vulnerable crypto_rsa_common() is used by both crypto_rsa_public_encrypt() and crypto_rsa_public_decrypt(). However, the input value to the system which could be used for exploitation appears to be only locally modifiable.
There are other values used in the computation which could be remotely modifiable.
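As an added illustration of the allocation/copy mismatch described in the Technical Summary above (this is example code written for this page, not FreeRDP's crypto.c or the upstream patch), the block below models only the malloc-and-memcpy step of crypto_rsa_common: overflow_bytes() reports how far the original unchecked memcpy would write past a 2 * key_length + exponent_size allocation, and rsa_common_copy_hardened() shows the shape of the fix the summary describes (reject a length larger than the allocation, zero the buffer with calloc, add sanity checks on the other lengths). The RSA exponentiation itself is omitted, and the extra checks (non-negative lengths, length not exceeding key_length, an illustrative cap on key_length, an output_len parameter) are my assumptions about sensible hardening, not the exact upstream checks.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef uint8_t BYTE;
typedef uint32_t UINT32;

/* Number of bytes memcpy(input_reverse, input, length) would write past the
 * end of a malloc(2 * key_length + exponent_size) buffer; 0 means in bounds.
 * This mirrors the arithmetic in the advisory text, not the upstream code. */
long overflow_bytes(int length, UINT32 key_length, int exponent_size)
{
    long alloc = 2L * key_length + exponent_size;
    if (length <= alloc)
        return 0;
    return length - alloc;
}

/* Hardened variant (illustrative): validate every length before allocating,
 * zero the scratch buffer with calloc, then copy `input` into `input_reverse`
 * in reverse byte order. Only the allocation and copy steps are modelled; the
 * modular exponentiation that follows in the real function is left out.
 * Returns the number of bytes copied, or -1 if the input was rejected. */
int rsa_common_copy_hardened(const BYTE* input, int length, UINT32 key_length,
                             int exponent_size, BYTE* output, size_t output_len)
{
    if (!input || !output)
        return -1;
    if (length < 0 || exponent_size < 0)          /* assumption: negative sizes are invalid */
        return -1;
    if (key_length == 0 || key_length > 0x10000)  /* assumption: 64 KiB illustrative cap */
        return -1;

    size_t alloc = 2 * (size_t)key_length + (size_t)exponent_size;
    if ((size_t)length > alloc)                   /* the check the advisory says was missing */
        return -1;
    if ((size_t)length > key_length)              /* assumption: input cannot exceed modulus size */
        return -1;
    if (output_len < key_length)
        return -1;

    BYTE* input_reverse = calloc(alloc, 1);       /* zero-initialised, as the fix does */
    if (!input_reverse)
        return -1;

    for (int i = 0; i < length; i++)
        input_reverse[i] = input[length - 1 - i];

    /* ... BN_mod_exp over input_reverse would happen here ... */

    memcpy(output, input_reverse, key_length);
    free(input_reverse);
    return length;
}

int main(void)
{
    /* Constructed sample: a 4-byte "ciphertext" against a 4-byte key with a 3-byte exponent. */
    BYTE in[4] = {1, 2, 3, 4};
    BYTE out[4] = {0};

    printf("unchecked memcpy with length=20 overruns by %ld bytes\n", overflow_bytes(20, 4, 3));
    printf("hardened copy, length=4:  %d\n", rsa_common_copy_hardened(in, 4, 4, 3, out, sizeof out));
    printf("hardened copy, length=20: %d\n", rsa_common_copy_hardened(in, 20, 4, 3, out, sizeof out));
    return 0;
}
```

The point to take from the hardened variant is that the bound must be enforced against the size that was actually allocated, and that a caller-controlled `length` of a signed type needs both a lower and an upper bound before it reaches memcpy.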
Mitigation: To mitigate this flaw, only make connection attempts to trusted RDP servers from the RDP client application.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:2406 https://access.redhat.com/errata/RHSA-2020:2406
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2407 https://access.redhat.com/errata/RHSA-2020:2407
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13398
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:2405 https://access.redhat.com/errata/RHSA-2020:2405
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:2417 https://access.redhat.com/errata/RHSA-2020:2417
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2415 https://access.redhat.com/errata/RHSA-2020:2415