Vulnerabilities > CVE-2017-2834 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
freerdp
debian
CWE-787
nessus

Summary

An exploitable code execution vulnerability exists in the authentication (licensing) functionality of FreeRDP 2.0.0-beta1+android11, in the client's handling of the server's license reply (license_recv()). A specially crafted server response can cause an out-of-bounds write, which may be leveraged for code execution in the client. Because the flaw is in how the client parses data it receives from the server, an attacker must control (or have compromised) the RDP server the client connects to, or hold a man-in-the-middle position on the connection. Note that the CVSSv2 vector shown above (AV:N/AC:M, 6.8) matches the Fedora and SUSE plugins listed below, but the Ubuntu plugin scores the same CVE with AC:L and the Talos write-up in the Seebug entry gives a CVSSv3 of 8.8, so severity differs by source.

Vulnerable Configurations

Part Description Count
Application
Freerdp
1
OS
Debian
2

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-ED31E1F941.NASL
    descriptionUpdate to latest snapshot that contains fixes for the latest Talos discovered CVEs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-08-09
    plugin id102277
    published2017-08-09
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102277
    titleFedora 25 : 2:freerdp / remmina (2017-ed31e1f941)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-ed31e1f941.
    #
    
    include("compat.inc");
    
    # Plugin registration: CVE list, references, CVSS vectors and the CPEs of
    # the packages checked. The package comparison itself runs only after the
    # scanner has populated the Host/* knowledge-base keys via ssh_get_info.nasl.
    if (description)
    {
      script_id(102277);
      script_version("3.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      # The six Talos FreeRDP client-side CVEs covered by this Fedora update.
      # CVE-2017-2834 / -2835 are out-of-bounds writes; -2836..-2839 are DoS
      # (per the openSUSE/SUSE advisory text for the same update set).
      script_cve_id("CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839");
      script_xref(name:"FEDORA", value:"2017-ed31e1f941");
    
      script_name(english:"Fedora 25 : 2:freerdp / remmina (2017-ed31e1f941)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Update to latest snapshot that contains fixes for the latest Talos
    discovered CVEs.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-ed31e1f941"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 2:freerdp and / or remmina packages."
      );
      # CVSSv2 AC:M (6.8) here, whereas the Ubuntu plugin for the same CVEs
      # uses AC:L. The CVSSv3 AC:H presumably reflects that the attacker must
      # control the RDP server or be on-path (see the DSA-3923 text).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      # "2:" is the RPM epoch of the freerdp package; the rpm_check below passes it explicitly.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:2:freerdp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:remmina");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      # NOTE(review): vuln_publication_date postdates patch_publication_date by
      # eight months; probably the NVD record date rather than the Talos
      # disclosure date — verify before using it for exposure-window metrics.
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/09");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      # Host/cpu is also read by the check logic but is not listed here;
      # the code handles its absence with an audit() instead.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Credentialed check only: without SSH-collected package data there is
    # nothing to compare. Every audit() call below terminates the plugin.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    # Identify the distribution and its major version from the release string.
    rel_string = get_kb_item("Host/RedHat/release");
    if (isnull(rel_string) || "Fedora" >!< rel_string)
      audit(AUDIT_OS_NOT, "Fedora");
    
    ver_match = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:rel_string);
    if (isnull(ver_match))
      audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    fedora_ver = ver_match[1];
    
    # This advisory is specific to Fedora 25.
    if (! preg(pattern:"^25([^0-9]|$)", string:fedora_ver))
      audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + fedora_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only i386/x86_64 package builds are known to this plugin.
    arch = get_kb_item("Host/cpu");
    if (isnull(arch))
      audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< arch && arch !~ "^i[3-6]86$")
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", arch);
    
    # Count installed packages older than the fixed builds. The epoch:"2"
    # corresponds to the "2:" prefix in the advisory's freerdp package name.
    vuln_count = 0;
    if (rpm_check(release:"FC25", reference:"freerdp-2.0.0-31.20170724gitf8c9f43.fc25", epoch:"2"))
      vuln_count++;
    if (rpm_check(release:"FC25", reference:"remmina-1.2.0-0.39.20170724git0387ee0.fc25"))
      vuln_count++;
    
    if (!vuln_count)
    {
      # Nothing outdated: distinguish "patched" from "not installed at all".
      examined = pkg_tests_get();
      if (examined) audit(AUDIT_PACKAGE_NOT_AFFECTED, examined);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "2:freerdp / remmina");
    }
    else
    {
      # Reported at warning (medium) level; the Ubuntu plugin for the same
      # CVEs reports SECURITY_HOLE, so dashboards may show two severities.
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3380-1.NASL
    descriptionIt was discovered that FreeRDP incorrectly handled certain width and height values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2014-0250) It was discovered that FreeRDP incorrectly handled certain values in a Scope List. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-0791) Tyler Bohan discovered that FreeRDP incorrectly handled certain length values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-2834, CVE-2017-2835) Tyler Bohan discovered that FreeRDP incorrectly handled certain packets. A malicious server could possibly use this issue to cause FreeRDP to crash, resulting in a denial of service. (CVE-2017-2836, CVE-2017-2837, CVE-2017-2838, CVE-2017-2839). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102260
    published2017-08-08
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102260
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.04 : freerdp vulnerabilities (USN-3380-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3380-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration for USN-3380-1. Besides the six 2017 Talos CVEs this
    # notice also folds in two older issues (CVE-2014-0250 applies to 14.04 only).
    if (description)
    {
      script_id(102260);
      script_version("1.6");
      script_cvs_date("Date: 2019/09/18 12:31:47");
    
      script_cve_id("CVE-2014-0250", "CVE-2014-0791", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839");
      script_xref(name:"USN", value:"3380-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : freerdp vulnerabilities (USN-3380-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that FreeRDP incorrectly handled certain width and
    height values. A malicious server could use this issue to cause
    FreeRDP to crash, resulting in a denial of service, or possibly
    execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS.
    (CVE-2014-0250)
    
    It was discovered that FreeRDP incorrectly handled certain values in a
    Scope List. A malicious server could use this issue to cause FreeRDP
    to crash, resulting in a denial of service, or possibly execute
    arbitrary code. (CVE-2014-0791)
    
    Tyler Bohan discovered that FreeRDP incorrectly handled certain length
    values. A malicious server could use this issue to cause FreeRDP to
    crash, resulting in a denial of service, or possibly execute arbitrary
    code. (CVE-2017-2834, CVE-2017-2835)
    
    Tyler Bohan discovered that FreeRDP incorrectly handled certain
    packets. A malicious server could possibly use this issue to cause
    FreeRDP to crash, resulting in a denial of service. (CVE-2017-2836,
    CVE-2017-2837, CVE-2017-2838, CVE-2017-2839).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3380-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected libfreerdp-client1.1 and / or libfreerdp1
    packages."
      );
      # CVSSv2 AC:L here, unlike the Fedora/SUSE plugins (AC:M) for the same
      # CVEs; this higher base score is presumably why this plugin reports
      # SECURITY_HOLE rather than SECURITY_WARNING. The CVSSv3 vector agrees
      # with the other plugins (AC:H — attacker needs a malicious or on-path server).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      # Only the client library packages are checked (see ubuntu_check calls below).
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp-client1.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.04");
    
      # vuln_publication_date tracks the oldest CVE in the list (2014), not the 2017 Talos findings.
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    # Credentialed check: requires the dpkg listing gathered over SSH.
    # Each audit() below ends the plugin with the given reason.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    ubuntu_ver = get_kb_item("Host/Ubuntu/release");
    if (isnull(ubuntu_ver))
      audit(AUDIT_OS_NOT, "Ubuntu");
    ubuntu_ver = chomp(ubuntu_ver);
    
    # The notice covers exactly these three releases.
    if (! preg(pattern:"^(14\.04|16\.04|17\.04)$", string:ubuntu_ver))
      audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 17.04", "Ubuntu " + ubuntu_ver);
    
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Fixed package versions are known for i386/x86_64 only.
    arch = get_kb_item("Host/cpu");
    if (isnull(arch))
      audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< arch && arch !~ "^i[3-6]86$")
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", arch);
    
    # One fixed client-library version per release; 14.04 ships the older
    # libfreerdp1 ABI, 16.04/17.04 ship libfreerdp-client1.1.
    outdated = 0;
    if (ubuntu_check(osver:"14.04", pkgname:"libfreerdp1", pkgver:"1.0.2-2ubuntu1.1"))
      outdated++;
    if (ubuntu_check(osver:"16.04", pkgname:"libfreerdp-client1.1", pkgver:"1.1.0~git20140921.1.440916e+dfsg1-5ubuntu1.2"))
      outdated++;
    if (ubuntu_check(osver:"17.04", pkgname:"libfreerdp-client1.1", pkgver:"1.1.0~git20140921.1.440916e+dfsg1-10ubuntu1.1"))
      outdated++;
    
    if (!outdated)
    {
      # Either every checked package is at/after the fixed version, or none is installed.
      examined = ubuntu_pkg_tests_get();
      if (examined) audit(AUDIT_PACKAGE_NOT_AFFECTED, examined);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libfreerdp-client1.1 / libfreerdp1");
    }
    else
    {
      # SECURITY_HOLE (high), in line with this plugin's CVSSv2 AC:L vector;
      # the Fedora/SUSE plugins for the same CVEs report at warning level.
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-992.NASL
    descriptionThis update for freerdp fixes the following issues : - CVE-2017-2834: Out-of-bounds write in license_recv() (bsc#1050714) - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu (bsc#1050712) - CVE-2017-2836: Rdp Client Read Server Proprietary Certificate Denial of Service (bsc#1050699) - CVE-2017-2837: Client GCC Read Server Security Data DoS (bsc#1050704) - CVE-2017-2838: Client License Read Product Info Denial of Service Vulnerability (bsc#1050708) - CVE-2017-2839: Client License Read Challenge Packet Denial of Service (bsc#1050711) This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-05
    modified2017-09-05
    plugin id102945
    published2017-09-05
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102945
    titleopenSUSE Security Update : freerdp (openSUSE-2017-992)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-992.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    # Plugin registration for openSUSE-2017-992 (Leap 42.2 / 42.3). The advisory
    # text is the most precise on this page about where each CVE lives:
    # -2834 is the out-of-bounds write in license_recv().
    if (description)
    {
      script_id(102945);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839");
    
      script_name(english:"openSUSE Security Update : freerdp (openSUSE-2017-992)");
      script_summary(english:"Check for the openSUSE-2017-992 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for freerdp fixes the following issues :
    
      - CVE-2017-2834: Out-of-bounds write in license_recv()
        (bsc#1050714)
    
      - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu
        (bsc#1050712)
    
      - CVE-2017-2836: Rdp Client Read Server Proprietary
        Certificate Denial of Service (bsc#1050699)
    
      - CVE-2017-2837: Client GCC Read Server Security Data DoS
        (bsc#1050704)
    
      - CVE-2017-2838: Client License Read Product Info Denial
        of Service Vulnerability (bsc#1050708)
    
      - CVE-2017-2839: Client License Read Challenge Packet
        Denial of Service (bsc#1050711)
    
    This update was imported from the SUSE:SLE-12-SP2:Update update
    project."
      );
      # One openSUSE bugzilla reference per CVE, in bsc# order.
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050699"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050704"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050708"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050711"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050712"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050714"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected freerdp packages."
      );
      # Same CVSSv2/CVSSv3 vectors as the Fedora and SLED plugins (6.8 / AC:H).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freerdp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freerdp-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freerdp-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freerdp-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreerdp2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreerdp2-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      # No vuln_publication_date is set for this plugin (the Fedora/SLED ones carry 2018/04/24).
      script_set_attribute(attribute:"patch_publication_date", value:"2017/09/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Credentialed check: needs the rpm listing collected over SSH.
    # Every audit() call below terminates the plugin.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    # Host/SuSE/release is "SUSE42.x" for Leap and "SLED.."/"SLES.." for the
    # enterprise products; the latter are handled by a separate plugin.
    suse_release = get_kb_item("Host/SuSE/release");
    if (isnull(suse_release) || suse_release =~ "^(SLED|SLES)")
      audit(AUDIT_OS_NOT, "openSUSE");
    if (suse_release !~ "^(SUSE42\.2|SUSE42\.3)$")
      audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", suse_release);
    
    if (!get_kb_item("Host/SuSE/rpm-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Fixed builds are known only for the x86 family.
    machine = get_kb_item("Host/cpu");
    if (!machine)
      audit(AUDIT_UNKNOWN_ARCH);
    if (machine !~ "^(i586|i686|x86_64)$")
      audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", machine);
    
    # The upstream snapshot id (2.0.0~git.1463131968.4e66df7) is the same on
    # both releases and, apparently, unchanged from the vulnerable builds —
    # the fix looks like a distro backport, so only the trailing release
    # number (-3.3.1 on 42.2, -6.1 on 42.3) distinguishes patched from
    # unpatched. Matching on upstream version alone would miss this.
    outdated = 0;
    
    leap_42_2_fixed = "2.0.0~git.1463131968.4e66df7-3.3.1";
    if ( rpm_check(release:"SUSE42.2", reference:"freerdp-" + leap_42_2_fixed) ) outdated++;
    if ( rpm_check(release:"SUSE42.2", reference:"freerdp-debuginfo-" + leap_42_2_fixed) ) outdated++;
    if ( rpm_check(release:"SUSE42.2", reference:"freerdp-debugsource-" + leap_42_2_fixed) ) outdated++;
    if ( rpm_check(release:"SUSE42.2", reference:"freerdp-devel-" + leap_42_2_fixed) ) outdated++;
    if ( rpm_check(release:"SUSE42.2", reference:"libfreerdp2-" + leap_42_2_fixed) ) outdated++;
    if ( rpm_check(release:"SUSE42.2", reference:"libfreerdp2-debuginfo-" + leap_42_2_fixed) ) outdated++;
    
    leap_42_3_fixed = "2.0.0~git.1463131968.4e66df7-6.1";
    if ( rpm_check(release:"SUSE42.3", reference:"freerdp-" + leap_42_3_fixed) ) outdated++;
    if ( rpm_check(release:"SUSE42.3", reference:"freerdp-debuginfo-" + leap_42_3_fixed) ) outdated++;
    if ( rpm_check(release:"SUSE42.3", reference:"freerdp-debugsource-" + leap_42_3_fixed) ) outdated++;
    if ( rpm_check(release:"SUSE42.3", reference:"freerdp-devel-" + leap_42_3_fixed) ) outdated++;
    if ( rpm_check(release:"SUSE42.3", reference:"libfreerdp2-" + leap_42_3_fixed) ) outdated++;
    if ( rpm_check(release:"SUSE42.3", reference:"libfreerdp2-debuginfo-" + leap_42_3_fixed) ) outdated++;
    
    if (!outdated)
    {
      # Either all checked packages are fixed, or freerdp is not installed.
      examined = pkg_tests_get();
      if (examined) audit(AUDIT_PACKAGE_NOT_AFFECTED, examined);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freerdp / freerdp-debuginfo / freerdp-debugsource / freerdp-devel / etc");
    }
    else
    {
      # Older reporting API (security_warning + report_verbosity) rather than
      # the security_report_v4() used by the Fedora/Ubuntu plugins; same
      # warning-level severity either way.
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2234-1.NASL
    descriptionThis update for freerdp fixes the following issues : - CVE-2017-2834: Out-of-bounds write in license_recv() (bsc#1050714) - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu (bsc#1050712) - CVE-2017-2836: Rdp Client Read Server Proprietary Certificate Denial of Service (bsc#1050699) - CVE-2017-2837: Client GCC Read Server Security Data DoS (bsc#1050704) - CVE-2017-2838: Client License Read Product Info Denial of Service Vulnerability (bsc#1050708) - CVE-2017-2839: Client License Read Challenge Packet Denial of Service (bsc#1050711) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102693
    published2017-08-23
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102693
    titleSUSE SLED12 Security Update : freerdp (SUSE-SU-2017:2234-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:2234-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    # Plugin registration for SUSE-SU-2017:2234-1. Note that the solution text
    # lists SDK and Workstation Extension channels, but the check logic below
    # gates on SLED12 SP2/SP3 only (see the os_ver test after the includes).
    if (description)
    {
      script_id(102693);
      script_version("3.7");
      script_cvs_date("Date: 2019/09/11 11:22:16");
    
      script_cve_id("CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839");
    
      script_name(english:"SUSE SLED12 Security Update : freerdp (SUSE-SU-2017:2234-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for freerdp fixes the following issues :
    
      - CVE-2017-2834: Out-of-bounds write in license_recv()
        (bsc#1050714)
    
      - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu
        (bsc#1050712)
    
      - CVE-2017-2836: Rdp Client Read Server Proprietary
        Certificate Denial of Service (bsc#1050699)
    
      - CVE-2017-2837: Client GCC Read Server Security Data DoS
        (bsc#1050704)
    
      - CVE-2017-2838: Client License Read Product Info Denial
        of Service Vulnerability (bsc#1050708)
    
      - CVE-2017-2839: Client License Read Challenge Packet
        Denial of Service (bsc#1050711)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # Bugzilla references, one per CVE (same bsc# numbers as the openSUSE plugin).
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1050699"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1050704"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1050708"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1050711"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1050712"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1050714"
      );
      # Vendor CVE pages.
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-2834/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-2835/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-2836/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-2837/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-2838/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-2839/"
      );
      # https://www.suse.com/support/update/announcement/2017/suse-su-20172234-1/
      # (shortened via the nessus.org redirector below)
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b3fae4aa"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Workstation Extension 12-SP3:zypper in -t patch
    SUSE-SLE-WE-12-SP3-2017-1365=1
    
    SUSE Linux Enterprise Workstation Extension 12-SP2:zypper in -t patch
    SUSE-SLE-WE-12-SP2-2017-1365=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t
    patch SUSE-SLE-SDK-12-SP3-2017-1365=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t
    patch SUSE-SLE-SDK-12-SP2-2017-1365=1
    
    SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP3-2017-1365=1
    
    SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP2-2017-1365=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      # Same vectors as the Fedora/openSUSE plugins: CVSSv2 6.8 (AC:M) and a
      # CVSSv3 vector with AC:H. The Ubuntu plugin scores CVSSv2 AC:L instead.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:freerdp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:freerdp-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:freerdp-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libfreerdp2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libfreerdp2-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      # NOTE(review): vuln_publication_date is later than the patch date, as in
      # the Fedora plugin — likely the NVD record date, not the Talos disclosure.
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Credentialed check: needs the rpm listing collected over SSH.
    # Every audit() call below terminates the plugin.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    # Enterprise products only (Leap is handled by the openSUSE plugin).
    suse_release = get_kb_item("Host/SuSE/release");
    if (isnull(suse_release) || suse_release !~ "^(SLED|SLES)")
      audit(AUDIT_OS_NOT, "SUSE");
    
    product_match = pregmatch(pattern: "^(SLE(S|D)\d+)", string:suse_release);
    if (isnull(product_match))
      audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    product = product_match[1];
    
    # Scope: SLED12 only. The advisory's solution text also names the SDK and
    # Workstation Extension channels (which sit on SLES), but SLES hosts are
    # audited out here — presumably covered by a sibling plugin; verify if
    # SLES coverage for these CVEs matters to you.
    if (! preg(pattern:"^(SLED12)$", string:product))
      audit(AUDIT_OS_NOT, "SUSE SLED12", "SUSE " + product);
    
    if (!get_kb_item("Host/SuSE/rpm-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    arch = get_kb_item("Host/cpu");
    if (isnull(arch))
      audit(AUDIT_UNKNOWN_ARCH);
    # First gate: x86 / x86_64 / s390x are "implemented"; second gate then
    # narrows to x86_64 because only x86_64 builds are listed below, which
    # makes the first test effectively redundant.
    if (arch !~ "^i[3-6]86$" && "x86_64" >!< arch && "s390x" >!< arch)
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + product, arch);
    # NOTE(review): operand order is reversed relative to the idiom used on
    # the line above ("x86_64" >!< arch). As written this asks whether the
    # CPU string is NOT a substring of "x86_64", so e.g. a value of "x86"
    # would pass; harmless for the usual uname -m values but worth knowing.
    if (arch >!< "x86_64")
      audit(AUDIT_ARCH_NOT, "x86_64", arch);
    
    # Service pack gate: the fixed build is listed for SLED12 SP2 and SP3 only.
    service_pack = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(service_pack))
      service_pack = "0";
    if (product == "SLED12" && (! preg(pattern:"^(2|3)$", string:service_pack)))
      audit(AUDIT_OS_NOT, "SLED12 SP2/3", product + " SP" + service_pack);
    
    # The same fixed build (-12.3.2 of the unchanged upstream snapshot) is
    # published for both service packs; the fix is apparently a backport, so
    # the distro release suffix is what the comparison must distinguish.
    outdated = 0;
    fixed_build = "2.0.0~git.1463131968.4e66df7-12.3.2";
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"freerdp-" + fixed_build)) outdated++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"freerdp-debuginfo-" + fixed_build)) outdated++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"freerdp-debugsource-" + fixed_build)) outdated++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"libfreerdp2-" + fixed_build)) outdated++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"libfreerdp2-debuginfo-" + fixed_build)) outdated++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"freerdp-" + fixed_build)) outdated++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"freerdp-debuginfo-" + fixed_build)) outdated++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"freerdp-debugsource-" + fixed_build)) outdated++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libfreerdp2-" + fixed_build)) outdated++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libfreerdp2-debuginfo-" + fixed_build)) outdated++;
    
    if (!outdated)
    {
      # Either all checked packages are fixed, or freerdp is not installed.
      examined = pkg_tests_get();
      if (examined) audit(AUDIT_PACKAGE_NOT_AFFECTED, examined);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freerdp");
    }
    else
    {
      # Warning-level (medium) report, consistent with the CVSSv2 6.8 vector.
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-4BC09C2364.NASL
    descriptionUpdate to latest snapshot that contains fixes for the latest Talos discovered CVEs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-08-01
    plugin id102088
    published2017-08-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102088
    titleFedora 26 : 2:freerdp / remmina (2017-4bc09c2364)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3923.NASL
    descriptionTyler Bohan of Talos discovered that FreeRDP, a free implementation of the Remote Desktop Protocol (RDP), contained several vulnerabilities that allowed a malicious remote server or a man-in-the-middle to either cause a DoS by forcibly terminating the client, or execute arbitrary code on the client side.
    last seen2020-06-01
    modified2020-06-02
    plugin id102097
    published2017-08-02
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102097
    titleDebian DSA-3923-1 : freerdp - security update

Seebug

bulletinFamilyexploit
description### Summary An exploitable code execution vulnerability exists in the authentication functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle attack to trigger this vulnerability. ### Tested Versions FreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux ### Product URLs http://www.freerdp.com/ ### CVSSv3 Score 8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H ### CWE CWE-129: Improper Validation of Array Index ### Details FreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. The vulnerability arises in using untrusted data in handling the license authentication with the server. ``` int license_recv(rdpLicense* license, wStream* s) { BYTE bMsgType; UINT16 length; UINT16 channelId; if (!rdp_read_header(license->rdp, s, &length, &channelId)) [1] { WLog_ERR(TAG, "Incorrect RDP header."); return -1; } ... if (securityFlags & SEC_ENCRYPT) { if (!rdp_decrypt(license->rdp, s, length - 4, securityFlags)) [2] ``` At [1], the RDP header is read in and a local variable, length, is assigned a value directly from the attacker-controlled packet. Four is then subtracted from length, [2], and the result is passed into a decryption function. If the attacker supplies a length less than four, a negative value will be passed into decrypt. The attacker-controlled length value goes through multiple functions and ends up passed directly to the OpenSSL RC4 function call. This causes the program to write attacker-influenced data out of bounds, causing a potentially exploitable condition to arise. A hexdump of the attacker-controlled packet is below with the bytes pertaining to the length marked. 
``` 00000000 03 00 01 51 02 f0 80 68 00 01 03 eb 70 [03] 08 00 |...Q...h....p...| <------- 00000010 00 3e 01 01 02 3e 01 7b 3c 31 a6 ae e8 74 f6 b4 |.>...>.{<1...t..| 00000020 a5 03 90 e7 c2 c7 39 ba 53 1c 30 54 6e 90 05 d0 |......9.S.0Tn...| 00000030 05 ce 44 18 91 83 81 00 00 04 00 2c 00 00 00 4d |..D........,...M| 00000040 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 |.i.c.r.o.s.o.f.t| 00000050 00 20 00 43 00 6f 00 72 00 70 00 6f 00 72 00 61 |. .C.o.r.p.o.r.a| 00000060 00 74 00 69 00 6f 00 6e 00 00 00 08 00 00 00 32 |.t.i.o.n.......2| 00000070 00 33 00 36 00 00 00 0d 00 04 00 01 00 00 00 03 |.3.6............| 00000080 00 b8 00 01 00 00 00 01 00 00 00 01 00 00 00 06 |................| 00000090 00 5c 00 52 53 41 31 48 00 00 00 00 02 00 00 3f |.\.RSA1H.......?| 000000a0 00 00 00 01 00 01 00 01 c7 c9 f7 8e 5a 38 e4 29 |............Z8.)| 000000b0 c3 00 95 2d dd 4c 3e 50 45 0b 0d 9e 2a 5d 18 63 |...-.L>PE...*].c| 000000c0 64 c4 2c f7 8f 29 d5 3f c5 35 22 34 ff ad 3a e6 |d.,..).?.5"4..:.| 000000d0 e3 95 06 ae 55 82 e3 c8 c7 b4 a8 47 c8 50 71 74 |....U......G.Pqt| 000000e0 29 53 89 6d 9c ed 70 00 00 00 00 00 00 00 00 08 |)S.m..p.........| 000000f0 00 48 00 a8 f4 31 b9 ab 4b e6 b4 f4 39 89 d6 b1 |.H...1..K...9...| 00000100 da f6 1e ec b1 f0 54 3b 5e 3e 6a 71 b4 f7 75 c8 |......T;^>jq..u.| ``` ### Crash Information ``` % ./exc_handler FreeRDP-master/client/Mac/cli/MacFreeRDP.app/Contents/MacOS/MacFreeRDP /v:127.0.0.1:3377 2017-05-09 15:41:35.334 MacFreeRDP[17761:133607] void * _Nullable NSMapGet(NSMapTable * _Nonnull, const void * _Nullable): map table argument is NULL [15:41:35:626] [17761:00429000] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe MacFreeRDP(17761,0x7fff76107000) malloc: *** error for object 0x7ff62300ac08: incorrect checksum for freed object - object was probably modified after being freed. 
*** set a breakpoint in malloc_error_break to debug Crashed thread log = : Dispatch queue: com.apple.main-thread 0 libsystem_kernel.dylib 0x00007fff91f718ea __kill + 10 1 libfreerdp2.2.dylib 0x000000010eac3e75 fatal_handler + 229 2 libsystem_platform.dylib 0x00007fff88e0b52a _sigtramp + 26 3 ??? 0x00007ff621801000 0 + 140695100723200 4 libsystem_c.dylib 0x00007fff933af6df abort + 129 5 libsystem_malloc.dylib 0x00007fff915db396 szone_error + 626 6 libsystem_malloc.dylib 0x00007fff915d1373 small_free_list_remove_ptr + 152 7 libsystem_malloc.dylib 0x00007fff915cfa7c szone_free_definite_size + 1790 8 com.apple.CoreGraphics 0x00007fff8d9ed3e0 region_finalize + 44 9 com.apple.CoreFoundation 0x00007fff85729af3 CFRelease + 371 10 com.apple.CoreGraphics 0x00007fff8d9ed3af CGSReleaseRegion + 9 11 com.apple.AppKit 0x00007fff8c92ea01 -[NSRegion dealloc] + 33 12 com.apple.AppKit 0x00007fff8c99c4e1 -[_NSDisplayOperation dealloc] + 121 13 com.apple.CoreFoundation 0x00007fff857a8b72 -[__NSArrayM removeObjectAtIndex:] + 290 14 com.apple.AppKit 0x00007fff8c99c3a8 -[_NSDisplayOperationStack exitDisplayOperationForWindow:] + 449 15 com.apple.AppKit 0x00007fff8c99d792 -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 4408 16 com.apple.AppKit 0x00007fff8c9983f5 -[NSView displayIfNeeded] + 1950 17 com.apple.AppKit 0x00007fff8c997c3c -[NSWindow displayIfNeeded] + 232 18 com.apple.AppKit 0x00007fff8d01c41b ___NSWindowGetDisplayCycleObserver_block_invoke6365 + 476 19 com.apple.AppKit 0x00007fff8c9975d6 __37+[NSDisplayCycle currentDisplayCycle]_block_invoke + 941 20 com.apple.QuartzCore 0x00007fff8374af71 CA::Transaction::run_commit_handlers(CATransactionPhase) + 85 21 com.apple.QuartzCore 0x00007fff8374a42c CA::Context::commit_transaction(CA::Transaction*) + 160 22 com.apple.QuartzCore 0x00007fff8374a0ec CA::Transaction::commit() + 508 23 com.apple.QuartzCore 0x00007fff83755977 CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*) + 71 
24 com.apple.CoreFoundation 0x00007fff857c5067 __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23 25 com.apple.CoreFoundation 0x00007fff857c4fd7 __CFRunLoopDoObservers + 391 26 com.apple.CoreFoundation 0x00007fff857a3ef8 CFRunLoopRunSpecific + 328 27 com.apple.HIToolbox 0x00007fff8bc5c935 RunCurrentEventLoopInMode + 235 28 com.apple.HIToolbox 0x00007fff8bc5c677 ReceiveNextEventCommon + 184 29 com.apple.HIToolbox 0x00007fff8bc5c5af _BlockUntilNextEventMatchingListInModeWithFilter + 71 30 com.apple.AppKit 0x00007fff8c83fdf6 _DPSNextEvent + 1067 31 com.apple.AppKit 0x00007fff8c83f226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454 32 com.apple.AppKit 0x00007fff8c833d80 -[NSApplication run] + 682 33 com.apple.AppKit 0x00007fff8c7fd368 NSApplicationMain + 1176 34 libdyld.dylib 0x00007fff836995ad start + 1 log name is: ./crashlogs/crashlog.txt --- exception=EXC_CRASH:signal=6:is_exploitable=yes:instruction_disassembly=jae CONSTANT:instruction_address=0x00007fff91f718ea:access_type=:access_address=0x0000000000000000: The crash is suspected to be an exploitable issue due to the suspicious function in the stack trace of the crashing thread: ' szone_error ' ``` ### Exploit Proof-of-Concept Run included Python server and connect FreeRDP Client to it. ### Timeline * 2017-05-24 - Vendor Disclosure * 2017-07-24 - Public Release ### CREDIT * Discovered by Tyler Bohan of Cisco Talos.
idSSV:96457
last seen2017-11-19
modified2017-09-13
published2017-09-13
reporterRoot
titleFreeRDP Rdp Client License Recv Code Execution Vulnerability(CVE-2017-2834)

Talos

idTALOS-2017-0336
last seen2019-05-29
published2017-07-24
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0336
titleFreeRDP Rdp Client License Recv Code Execution Vulnerability