Vulnerabilities > CVE-2014-0791 - Numeric Errors vulnerability in Freerdp 1.0.0/1.0.1/1.0.2

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

Integer overflow in the license_read_scope_list function in libfreerdp/core/license.c in FreeRDP through 1.0.2 allows remote RDP servers to cause a denial of service (application crash) or possibly have unspecified other impact via a large ScopeCount value in a Scope List in a Server License Request packet.

Vulnerable Configurations

Part Description Count
Application
Freerdp
3

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2147.NASL
    descriptionAccording to the versions of the freerdp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Multiple integer overflows in client/X11/xf_graphics.c in FreeRDP allow remote attackers to have an unspecified impact via the width and height to the (1) xf_Pointer_New or (2) xf_Bitmap_Decompress function, which causes an incorrect amount of memory to be allocated.(CVE-2014-0250) - Integer overflow in the license_read_scope_list function in libfreerdp/core/license.c in FreeRDP through 1.0.2 allows remote RDP servers to cause a denial of service (application crash) or possibly have unspecified other impact via a large ScopeCount value in a Scope List in a Server License Request packet.(CVE-2014-0791) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-11-12
    plugin id130856
    published2019-11-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130856
    titleEulerOS 2.0 SP5 : freerdp (EulerOS-SA-2019-2147)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(130856);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2014-0250",
        "CVE-2014-0791"
      );
      script_bugtraq_id(
        64689,
        67670
      );
    
      script_name(english:"EulerOS 2.0 SP5 : freerdp (EulerOS-SA-2019-2147)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the freerdp packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - Multiple integer overflows in client/X11/xf_graphics.c
        in FreeRDP allow remote attackers to have an
        unspecified impact via the width and height to the (1)
        xf_Pointer_New or (2) xf_Bitmap_Decompress function,
        which causes an incorrect amount of memory to be
        allocated.(CVE-2014-0250)
    
      - Integer overflow in the license_read_scope_list
        function in libfreerdp/core/license.c in FreeRDP
        through 1.0.2 allows remote RDP servers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a large ScopeCount value
        in a Scope List in a Server License Request
        packet.(CVE-2014-0791)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2147
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a4d96d55");
      script_set_attribute(attribute:"solution", value:
    "Update the affected freerdp packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:freerdp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:freerdp-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:freerdp-plugins");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["freerdp-1.0.2-15.h3.eulerosv2r7",
            "freerdp-libs-1.0.2-15.h3.eulerosv2r7",
            "freerdp-plugins-1.0.2-15.h3.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freerdp");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2506-1.NASL
    descriptionThis update for freerdp fixes the following issues : - CVE-2013-4118: Added a NULL pointer check to fix a server crash (bsc#829013). - CVE-2014-0791: Integer overflow in the license_read_scope_list function in libfreerdp/core/license.c in FreeRDP allowed remote RDP servers to cause a denial of service (application crash) or possibly have unspecified other impact via a large ScopeCount value in a Scope List in a Server License Request packet. (bsc#857491) - CVE-2014-0250: Multiple integer overflows in client/X11/xf_graphics.c in FreeRDP allowed remote attackers to have an unspecified impact via the width and height to the (1) xf_Pointer_New or (2) xf_Bitmap_Decompress function, which causes an incorrect amount of memory to be allocated. (bsc#880317) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id94037
    published2016-10-13
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94037
    titleSUSE SLED12 Security Update : freerdp (SUSE-SU-2016:2506-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3380-1.NASL
    descriptionIt was discovered that FreeRDP incorrectly handled certain width and height values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2014-0250) It was discovered that FreeRDP incorrectly handled certain values in a Scope List. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-0791) Tyler Bohan discovered that FreeRDP incorrectly handled certain length values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-2834, CVE-2017-2835) Tyler Bohan discovered that FreeRDP incorrectly handled certain packets. A malicious server could possibly use this issue to cause FreeRDP to crash, resulting in a denial of service. (CVE-2017-2836, CVE-2017-2837, CVE-2017-2838, CVE-2017-2839). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102260
    published2017-08-08
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102260
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.04 : freerdp vulnerabilities (USN-3380-1)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-171.NASL
    descriptionUpdated freerdp packages fix security vulnerabilities : Integer overflows in memory allocations in client/X11/xf_graphics.c in FreeRDP through 1.0.2 allows remote RDP servers to have an unspecified impact through unspecified vectors (CVE-2014-0250). Integer overflow in the license_read_scope_list function in libfreerdp/core/license.c in FreeRDP through 1.0.2 allows remote RDP servers to cause a denial of service (application crash) or possibly have unspecified other impact via a large ScopeCount value in a Scope List in a Server License Request packet (CVE-2014-0791).
    last seen2020-06-01
    modified2020-06-02
    plugin id82447
    published2015-03-31
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82447
    titleMandriva Linux Security Advisory : freerdp (MDVSA-2015:171)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2014-452.NASL
    descriptionfreerdp was patched to fix several integer overflows. These security issues were fixed : - Integer overflow (CVE-2014-0791) - Integer overflows in memory allocations in client/X11/xf_graphics.c (CVE-2014-0250)
    last seen2020-06-05
    modified2014-07-02
    plugin id76343
    published2014-07-02
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/76343
    titleopenSUSE Security Update : freerdp (openSUSE-SU-2014:0862-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1131.NASL
    descriptionThis update for freerdp fixes the following issues : Security issues fixed : - CVE-2013-4118: Add a NULL pointer check to fix a server crash (boo#829013). - CVE-2014-0791: The remaining length in the stream is checked before doing some malloc(), which could have lead to crashes. (boo#857491).
    last seen2020-06-05
    modified2016-09-28
    plugin id93757
    published2016-09-28
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/93757
    titleopenSUSE Security Update : freerdp (openSUSE-2016-1131)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2580.NASL
    descriptionAccording to the versions of the freerdp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An exploitable code execution vulnerability exists in the RDP receive functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle to trigger this vulnerability.(CVE-2017-2835) - An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2838) - An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2839) - An exploitable denial of service vulnerability exists within the handling of security data in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2837) - An exploitable denial of service vulnerability exists within the reading of proprietary server certificates in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2836) - FreeRDP FreeRDP 2.0.0-rc3 released version before commit 205c612820dac644d665b5bb1cdf437dc5ca01e3 contains a Other/Unknown vulnerability in channels/drdynvc/client/drdynvc_main.c, drdynvc_process_capability_request that can result in The RDP server can read the client
    last seen2020-05-08
    modified2019-12-19
    plugin id132297
    published2019-12-19
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132297
    titleEulerOS 2.0 SP3 : freerdp (EulerOS-SA-2019-2580)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2455.NASL
    descriptionAccording to the versions of the freerdp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - FreeRDP before 1.1.0-beta+2013071101 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by disconnecting before authentication has finished.(CVE-2013-4119) - FreeRDP FreeRDP 2.0.0-rc3 released version before commit 205c612820dac644d665b5bb1cdf437dc5ca01e3 contains a Other/Unknown vulnerability in channels/drdynvc/client/drdynvc_main.c, drdynvc_process_capability_request that can result in The RDP server can read the client
    last seen2020-05-08
    modified2019-12-04
    plugin id131609
    published2019-12-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131609
    titleEulerOS 2.0 SP2 : freerdp (EulerOS-SA-2019-2455)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1132.NASL
    descriptionThis update for freerdp fixes the following issues : Security issues fixed : - CVE-2013-4118: Add a NULL pointer check to fix a server crash (boo#829013). - CVE-2014-0791: The remaining length in the stream is checked before doing some malloc(), which could have lead to crashes. (boo#857491).
    last seen2020-06-05
    modified2016-09-28
    plugin id93758
    published2016-09-28
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/93758
    titleopenSUSE Security Update : freerdp (openSUSE-2016-1132)

Seebug

bulletinFamilyexploit
descriptionCVE ID:CVE-2014-0791 FreeRDP是一款远程桌面协议的实现。 FreeRDP license_read_scope_list函数(libfreerdp/core/license.c)存在整数溢出错误,允许远程攻击者提交特制的服务器许可证请求报文(Scope列表中包含超大ScopeCount值),使远程RDP服务器崩溃,造成拒绝服务攻击。 0 FreeRDP 1.0.2 厂商补丁: FreeRDP ----- 用户可参考如下厂商提供的安全公告获得补丁信息: https://github.com/sidhpurwala-huzaifa/FreeRDP/commit/e2745807c4c3e0a590c0f69a9b655dc74ebaa03e
idSSV:61293
last seen2017-11-19
modified2014-01-07
published2014-01-07
reporterRoot
titleFreeRDP license_read_scope_list函数整数溢出漏洞