Vulnerabilities > CVE-2014-0250 - Numeric Errors vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Multiple integer overflows in client/X11/xf_graphics.c in FreeRDP allow remote attackers to have an unspecified impact via the width and height to the (1) xf_Pointer_New or (2) xf_Bitmap_Decompress function, which causes an incorrect amount of memory to be allocated.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 3 | |
| OS | 2 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2147.NASL description According to the versions of the freerdp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Multiple integer overflows in client/X11/xf_graphics.c in FreeRDP allow remote attackers to have an unspecified impact via the width and height to the (1) xf_Pointer_New or (2) xf_Bitmap_Decompress function, which causes an incorrect amount of memory to be allocated.(CVE-2014-0250) - Integer overflow in the license_read_scope_list function in libfreerdp/core/license.c in FreeRDP through 1.0.2 allows remote RDP servers to cause a denial of service (application crash) or possibly have unspecified other impact via a large ScopeCount value in a Scope List in a Server License Request packet.(CVE-2014-0791) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-11-12 plugin id 130856 published 2019-11-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130856 title EulerOS 2.0 SP5 : freerdp (EulerOS-SA-2019-2147) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(130856); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07"); script_cve_id( "CVE-2014-0250", "CVE-2014-0791" ); script_bugtraq_id( 64689, 67670 ); script_name(english:"EulerOS 2.0 SP5 : freerdp (EulerOS-SA-2019-2147)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the freerdp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Multiple integer overflows in client/X11/xf_graphics.c in FreeRDP allow remote attackers to have an unspecified impact via the width and height to the (1) xf_Pointer_New or (2) xf_Bitmap_Decompress function, which causes an incorrect amount of memory to be allocated.(CVE-2014-0250) - Integer overflow in the license_read_scope_list function in libfreerdp/core/license.c in FreeRDP through 1.0.2 allows remote RDP servers to cause a denial of service (application crash) or possibly have unspecified other impact via a large ScopeCount value in a Scope List in a Server License Request packet.(CVE-2014-0791) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2147 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a4d96d55"); script_set_attribute(attribute:"solution", value: "Update the affected freerdp packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:freerdp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:freerdp-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:freerdp-plugins"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["freerdp-1.0.2-15.h3.eulerosv2r7", "freerdp-libs-1.0.2-15.h3.eulerosv2r7", "freerdp-plugins-1.0.2-15.h3.eulerosv2r7"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freerdp"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-2506-1.NASL description This update for freerdp fixes the following issues : - CVE-2013-4118: Added a NULL pointer check to fix a server crash (bsc#829013). - CVE-2014-0791: Integer overflow in the license_read_scope_list function in libfreerdp/core/license.c in FreeRDP allowed remote RDP servers to cause a denial of service (application crash) or possibly have unspecified other impact via a large ScopeCount value in a Scope List in a Server License Request packet. (bsc#857491) - CVE-2014-0250: Multiple integer overflows in client/X11/xf_graphics.c in FreeRDP allowed remote attackers to have an unspecified impact via the width and height to the (1) xf_Pointer_New or (2) xf_Bitmap_Decompress function, which causes an incorrect amount of memory to be allocated. (bsc#880317) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 94037 published 2016-10-13 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94037 title SUSE SLED12 Security Update : freerdp (SUSE-SU-2016:2506-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3380-1.NASL description It was discovered that FreeRDP incorrectly handled certain width and height values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2014-0250) It was discovered that FreeRDP incorrectly handled certain values in a Scope List. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-0791) Tyler Bohan discovered that FreeRDP incorrectly handled certain length values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-2834, CVE-2017-2835) Tyler Bohan discovered that FreeRDP incorrectly handled certain packets. A malicious server could possibly use this issue to cause FreeRDP to crash, resulting in a denial of service. (CVE-2017-2836, CVE-2017-2837, CVE-2017-2838, CVE-2017-2839). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 102260 published 2017-08-08 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102260 title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : freerdp vulnerabilities (USN-3380-1) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2015-171.NASL description Updated freerdp packages fix security vulnerabilities : Integer overflows in memory allocations in client/X11/xf_graphics.c in FreeRDP through 1.0.2 allows remote RDP servers to have an unspecified impact through unspecified vectors (CVE-2014-0250). Integer overflow in the license_read_scope_list function in libfreerdp/core/license.c in FreeRDP through 1.0.2 allows remote RDP servers to cause a denial of service (application crash) or possibly have unspecified other impact via a large ScopeCount value in a Scope List in a Server License Request packet (CVE-2014-0791). last seen 2020-06-01 modified 2020-06-02 plugin id 82447 published 2015-03-31 reporter This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82447 title Mandriva Linux Security Advisory : freerdp (MDVSA-2015:171) NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-452.NASL description freerdp was patched to fix several integer overflows. These security issues were fixed : - Integer overflow (CVE-2014-0791) - Integer overflows in memory allocations in client/X11/xf_graphics.c (CVE-2014-0250) last seen 2020-06-05 modified 2014-07-02 plugin id 76343 published 2014-07-02 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76343 title openSUSE Security Update : freerdp (openSUSE-SU-2014:0862-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2580.NASL description According to the versions of the freerdp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An exploitable code execution vulnerability exists in the RDP receive functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle to trigger this vulnerability.(CVE-2017-2835) - An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2838) - An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2839) - An exploitable denial of service vulnerability exists within the handling of security data in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2837) - An exploitable denial of service vulnerability exists within the reading of proprietary server certificates in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2836) - FreeRDP FreeRDP 2.0.0-rc3 released version before commit 205c612820dac644d665b5bb1cdf437dc5ca01e3 contains a Other/Unknown vulnerability in channels/drdynvc/client/drdynvc_main.c, drdynvc_process_capability_request that can result in The RDP server can read the client last seen 2020-05-08 modified 2019-12-19 plugin id 132297 published 2019-12-19 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132297 title EulerOS 2.0 SP3 : freerdp (EulerOS-SA-2019-2580) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2455.NASL description According to the versions of the freerdp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - FreeRDP before 1.1.0-beta+2013071101 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by disconnecting before authentication has finished.(CVE-2013-4119) - FreeRDP FreeRDP 2.0.0-rc3 released version before commit 205c612820dac644d665b5bb1cdf437dc5ca01e3 contains a Other/Unknown vulnerability in channels/drdynvc/client/drdynvc_main.c, drdynvc_process_capability_request that can result in The RDP server can read the client last seen 2020-05-08 modified 2019-12-04 plugin id 131609 published 2019-12-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131609 title EulerOS 2.0 SP2 : freerdp (EulerOS-SA-2019-2455) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201412-18.NASL description The remote host is affected by the vulnerability described in GLSA-201412-18 (FreeRDP: User-assisted execution of arbitrary code) FreeRDP does not properly validate user-supplied input, which could lead to an integer overflow in the xf_Pointer_New() function. Impact : A remote attacker could execute arbitrary code with the privileges of the process or cause Denial of Service. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 79971 published 2014-12-15 reporter This script is Copyright (C) 2014-2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/79971 title GLSA-201412-18 : FreeRDP: User-assisted execution of arbitrary code
References
- http://advisories.mageia.org/MGASA-2014-0287.html
- http://lists.opensuse.org/opensuse-updates/2014-07/msg00008.html
- http://seclists.org/oss-sec/2014/q2/365
- http://security.gentoo.org/glsa/glsa-201412-18.xml
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:171
- http://www.securityfocus.com/bid/67670
- https://bugzilla.redhat.com/show_bug.cgi?id=998934
- https://github.com/FreeRDP/FreeRDP/issues/1871
- https://github.com/FreeRDP/FreeRDP/pull/1874