Vulnerabilities > CVE-2017-2835 - Out-of-bounds Write vulnerability in multiple products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
An exploitable code execution vulnerability exists in the RDP receive functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle to trigger this vulnerability.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 | |
| OS | 2 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2017-ED31E1F941.NASL description Update to latest snapshot that contains fixes for the latest Talos discovered CVEs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-08-09 plugin id 102277 published 2017-08-09 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102277 title Fedora 25 : 2:freerdp / remmina (2017-ed31e1f941) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2017-ed31e1f941. # include("compat.inc"); if (description) { script_id(102277); script_version("3.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839"); script_xref(name:"FEDORA", value:"2017-ed31e1f941"); script_name(english:"Fedora 25 : 2:freerdp / remmina (2017-ed31e1f941)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Update to latest snapshot that contains fixes for the latest Talos discovered CVEs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-ed31e1f941" ); script_set_attribute( attribute:"solution", value:"Update the affected 2:freerdp and / or remmina packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:2:freerdp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:remmina"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/24"); script_set_attribute(attribute:"patch_publication_date", value:"2017/08/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/09"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC25", reference:"freerdp-2.0.0-31.20170724gitf8c9f43.fc25", epoch:"2")) flag++; if (rpm_check(release:"FC25", reference:"remmina-1.2.0-0.39.20170724git0387ee0.fc25")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "2:freerdp / remmina"); }NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3380-1.NASL description It was discovered that FreeRDP incorrectly handled certain width and height values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2014-0250) It was discovered that FreeRDP incorrectly handled certain values in a Scope List. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-0791) Tyler Bohan discovered that FreeRDP incorrectly handled certain length values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-2834, CVE-2017-2835) Tyler Bohan discovered that FreeRDP incorrectly handled certain packets. A malicious server could possibly use this issue to cause FreeRDP to crash, resulting in a denial of service. (CVE-2017-2836, CVE-2017-2837, CVE-2017-2838, CVE-2017-2839). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 102260 published 2017-08-08 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102260 title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : freerdp vulnerabilities (USN-3380-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3380-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(102260); script_version("1.6"); script_cvs_date("Date: 2019/09/18 12:31:47"); script_cve_id("CVE-2014-0250", "CVE-2014-0791", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839"); script_xref(name:"USN", value:"3380-1"); script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : freerdp vulnerabilities (USN-3380-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "It was discovered that FreeRDP incorrectly handled certain width and height values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2014-0250) It was discovered that FreeRDP incorrectly handled certain values in a Scope List. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-0791) Tyler Bohan discovered that FreeRDP incorrectly handled certain length values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-2834, CVE-2017-2835) Tyler Bohan discovered that FreeRDP incorrectly handled certain packets. A malicious server could possibly use this issue to cause FreeRDP to crash, resulting in a denial of service. (CVE-2017-2836, CVE-2017-2837, CVE-2017-2838, CVE-2017-2839). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3380-1/" ); script_set_attribute( attribute:"solution", value: "Update the affected libfreerdp-client1.1 and / or libfreerdp1 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp-client1.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/03"); script_set_attribute(attribute:"patch_publication_date", value:"2017/08/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/08"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(14\.04|16\.04|17\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 17.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"14.04", pkgname:"libfreerdp1", pkgver:"1.0.2-2ubuntu1.1")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"libfreerdp-client1.1", pkgver:"1.1.0~git20140921.1.440916e+dfsg1-5ubuntu1.2")) flag++; if (ubuntu_check(osver:"17.04", pkgname:"libfreerdp-client1.1", pkgver:"1.1.0~git20140921.1.440916e+dfsg1-10ubuntu1.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libfreerdp-client1.1 / libfreerdp1"); }NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-992.NASL description This update for freerdp fixes the following issues : - CVE-2017-2834: Out-of-bounds write in license_recv() (bsc#1050714) - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu (bsc#1050712) - CVE-2017-2836: Rdp Client Read Server Proprietary Certificate Denial of Service (bsc#1050699) - CVE-2017-2837: Client GCC Read Server Security Data DoS (bsc#1050704) - CVE-2017-2838: Client License Read Product Info Denial of Service Vulnerability (bsc#1050708) - CVE-2017-2839: Client License Read Challenge Packet Denial of Service (bsc#1050711) This update was imported from the SUSE:SLE-12-SP2:Update update project. last seen 2020-06-05 modified 2017-09-05 plugin id 102945 published 2017-09-05 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102945 title openSUSE Security Update : freerdp (openSUSE-2017-992) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2017-992. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(102945); script_version("3.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839"); script_name(english:"openSUSE Security Update : freerdp (openSUSE-2017-992)"); script_summary(english:"Check for the openSUSE-2017-992 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for freerdp fixes the following issues : - CVE-2017-2834: Out-of-bounds write in license_recv() (bsc#1050714) - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu (bsc#1050712) - CVE-2017-2836: Rdp Client Read Server Proprietary Certificate Denial of Service (bsc#1050699) - CVE-2017-2837: Client GCC Read Server Security Data DoS (bsc#1050704) - CVE-2017-2838: Client License Read Product Info Denial of Service Vulnerability (bsc#1050708) - CVE-2017-2839: Client License Read Challenge Packet Denial of Service (bsc#1050711) This update was imported from the SUSE:SLE-12-SP2:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050699" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050704" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050708" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050711" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050712" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050714" ); script_set_attribute( attribute:"solution", value:"Update the affected freerdp packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freerdp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freerdp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freerdp-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freerdp-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreerdp2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreerdp2-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2017/09/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.2", reference:"freerdp-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"freerdp-debuginfo-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"freerdp-debugsource-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"freerdp-devel-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libfreerdp2-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libfreerdp2-debuginfo-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"freerdp-2.0.0~git.1463131968.4e66df7-6.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"freerdp-debuginfo-2.0.0~git.1463131968.4e66df7-6.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"freerdp-debugsource-2.0.0~git.1463131968.4e66df7-6.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"freerdp-devel-2.0.0~git.1463131968.4e66df7-6.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libfreerdp2-2.0.0~git.1463131968.4e66df7-6.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libfreerdp2-debuginfo-2.0.0~git.1463131968.4e66df7-6.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freerdp / freerdp-debuginfo / freerdp-debugsource / freerdp-devel / etc"); }NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2580.NASL description According to the versions of the freerdp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An exploitable code execution vulnerability exists in the RDP receive functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle to trigger this vulnerability.(CVE-2017-2835) - An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2838) - An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2839) - An exploitable denial of service vulnerability exists within the handling of security data in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2837) - An exploitable denial of service vulnerability exists within the reading of proprietary server certificates in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2836) - FreeRDP FreeRDP 2.0.0-rc3 released version before commit 205c612820dac644d665b5bb1cdf437dc5ca01e3 contains a Other/Unknown vulnerability in channels/drdynvc/client/drdynvc_main.c, drdynvc_process_capability_request that can result in The RDP server can read the client last seen 2020-05-08 modified 2019-12-19 plugin id 132297 published 2019-12-19 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132297 title EulerOS 2.0 SP3 : freerdp (EulerOS-SA-2019-2580) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-2234-1.NASL description This update for freerdp fixes the following issues : - CVE-2017-2834: Out-of-bounds write in license_recv() (bsc#1050714) - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu (bsc#1050712) - CVE-2017-2836: Rdp Client Read Server Proprietary Certificate Denial of Service (bsc#1050699) - CVE-2017-2837: Client GCC Read Server Security Data DoS (bsc#1050704) - CVE-2017-2838: Client License Read Product Info Denial of Service Vulnerability (bsc#1050708) - CVE-2017-2839: Client License Read Challenge Packet Denial of Service (bsc#1050711) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 102693 published 2017-08-23 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102693 title SUSE SLED12 Security Update : freerdp (SUSE-SU-2017:2234-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2455.NASL description According to the versions of the freerdp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - FreeRDP before 1.1.0-beta+2013071101 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by disconnecting before authentication has finished.(CVE-2013-4119) - FreeRDP FreeRDP 2.0.0-rc3 released version before commit 205c612820dac644d665b5bb1cdf437dc5ca01e3 contains a Other/Unknown vulnerability in channels/drdynvc/client/drdynvc_main.c, drdynvc_process_capability_request that can result in The RDP server can read the client last seen 2020-05-08 modified 2019-12-04 plugin id 131609 published 2019-12-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131609 title EulerOS 2.0 SP2 : freerdp (EulerOS-SA-2019-2455) NASL family Fedora Local Security Checks NASL id FEDORA_2017-4BC09C2364.NASL description Update to latest snapshot that contains fixes for the latest Talos discovered CVEs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-08-01 plugin id 102088 published 2017-08-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102088 title Fedora 26 : 2:freerdp / remmina (2017-4bc09c2364) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1095.NASL description Tyler Bohan of Talos discovered that FreeRDP, a free implementation of the Remote Desktop Protocol (RDP), contained several vulnerabilities that allowed a malicious remote server or a man-in-the-middle to either cause a DoS by forcibly terminating the client, or execute arbitrary code on the client side. For Debian 7 last seen 2020-03-17 modified 2017-09-11 plugin id 103095 published 2017-09-11 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103095 title Debian DLA-1095-1 : freerdp security update NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3923.NASL description Tyler Bohan of Talos discovered that FreeRDP, a free implementation of the Remote Desktop Protocol (RDP), contained several vulnerabilities that allowed a malicious remote server or a man-in-the-middle to either cause a DoS by forcibly terminating the client, or execute arbitrary code on the client side. last seen 2020-06-01 modified 2020-06-02 plugin id 102097 published 2017-08-02 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102097 title Debian DSA-3923-1 : freerdp - security update
Seebug
| bulletinFamily | exploit |
| description | ### Summary An exploitable code execution vulnerability exists in the RDP receive functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle to trigger this vulnerability. ### Tested Versions FreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux ### Product URLs http://www.freerdp.com/ ### CVSSv3 Score 8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H ### CWE CWE-129: Improper Validation of Array Index ### Details FreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. The vulnerability arises in using untrusted data in handling the reception of a RDP packet with the server. ``` static int rdp_recv_tpkt_pdu(rdpRdp* rdp, wStream* s) { UINT16 length; UINT16 pduType; UINT16 pduLength; UINT16 pduSource; UINT16 channelId = 0; UINT16 securityFlags = 0; int nextPosition; if (!rdp_read_header(rdp, s, &length, &channelId)) [1] { ... if (rdp->settings->UseRdpSecurityLayer) { if (!rdp_read_security_header(s, &securityFlags)) [2] { ... if (securityFlags & (SEC_ENCRYPT | SEC_REDIRECTION_PKT)) { if (!rdp_decrypt(rdp, s, length - 4, securityFlags)) [3] { ``` At [1], the RDP header is read in and a local variable, length, is assigned a value directly from the attacker controlled packet. Another value, [2], is read in from the packet to determine if encryption is set on this packet. This check is simply anding a value in the packet with a constant and is easily passed. The value of length is then subtracted from four, [3], and passed into a decryption function. If the attacker supplies a value less than four a negative value will be passed into decrypt. The attacker controlled length value goes through multiple functions and ends up passed in directly to the OpenSSL RC4 function call. This causes the program to write attacker influence data out of bounds causing a potentially exploitable condition to arise. A hexdump of the attacker controlled packet is below with the bytes pertaining to the length marked. ``` 00000000 03 00 00 28 02 f0 80 68 00 01 03 eb 70 [03] 08 04 |...(...h....p...| <------- 00000010 00 00 16 00 17 00 ea 03 ea 03 01 00 00 01 08 00 |................| 00000020 1f 00 00 00 01 00 ea 03 03 00 00 2c 02 f0 80 68 |...........,...h| 00000030 00 01 03 eb 70 1e 00 00 00 00 1a 00 17 00 ea 03 |....p...........| 00000040 ea 03 01 00 00 01 0c 00 14 00 00 00 04 00 00 00 |................| 00000050 ea 03 00 00 03 00 00 2c 02 f0 80 68 00 01 03 eb |.......,...h....| 00000060 70 1e 00 00 00 00 1a 00 17 00 ea 03 ea 03 01 00 |p...............| 00000070 00 01 0c 00 14 00 00 00 02 00 00 00 ea 03 00 00 |................| 00000080 03 00 00 d1 02 f0 80 68 00 01 03 eb 70 80 c2 00 |.......h....p...| 00000090 00 00 00 be 00 17 00 ea 03 ea 03 01 00 00 01 b0 |................| ``` ### Crash Information ``` Crashed thread log = : Dispatch queue: com.apple.main-thread 0 libgmalloc.dylib 0x00000001037ef54a GuardMalloc_mallocInternal + 1136 1 libgmalloc.dylib 0x00000001037eee70 GuardMalloc_calloc + 81 2 libsystem_malloc.dylib 0x00007fff94c2b9a6 malloc_zone_calloc + 78 3 libsystem_malloc.dylib 0x00007fff94c2c462 calloc + 49 4 libobjc.A.dylib 0x00007fff9988a330 allocateBuckets(unsigned int) + 30 5 libobjc.A.dylib 0x00007fff9987fc53 cache_t::reallocate(unsigned int, unsigned int) + 43 6 libobjc.A.dylib 0x00007fff9987f693 cache_fill + 177 7 libobjc.A.dylib 0x00007fff9987edfc lookUpImpOrForward + 423 8 libobjc.A.dylib 0x00007fff99879591 objc_msgSend + 209 9 com.apple.AppKit 0x00007fff8ffa8a52 -[NSCell dealloc] + 364 10 com.apple.AppKit 0x00007fff8ffa88cd -[NSActionCell dealloc] + 116 11 com.apple.AppKit 0x00007fff8ffa8dfd -[NSButtonCell dealloc] + 395 12 com.apple.AppKit 0x00007fff8ffa85b9 -[NSControl dealloc] + 83 13 com.apple.AppKit 0x00007fff9018d510 -[NSAlert dealloc] + 104 14 com.apple.CoreFoundation 0x00007fff88dab5a8 -[__NSArrayI dealloc] + 120 15 libobjc.A.dylib 0x00007fff9987eb3b (anonymous namespace)::AutoreleasePoolPage::pop(void*) + 477 16 com.apple.CoreFoundation 0x00007fff88dbec12 _CFAutoreleasePoolPop + 50 17 com.apple.Foundation 0x00007fff887659ea -[NSAutoreleasePool drain] + 153 18 com.apple.Foundation 0x00007fff887a25ba _NSAppleEventManagerGenericHandler + 121 19 com.apple.AE 0x00007fff87c47261 aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) + 531 20 com.apple.AE 0x00007fff87c46fe8 dispatchEventAndSendReply(AEDesc const*, AEDesc*) + 31 21 com.apple.AE 0x00007fff87c46f04 aeProcessAppleEvent + 288 22 com.apple.HIToolbox 0x00007fff8f2c7af9 AEProcessAppleEvent + 55 23 com.apple.AppKit 0x00007fff8fe9b290 _DPSNextEvent + 2245 24 com.apple.AppKit 0x00007fff8fe9a226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454 25 com.apple.AppKit 0x00007fff8fe8ed80 -[NSApplication run] + 682 26 com.apple.AppKit 0x00007fff8fe58368 NSApplicationMain + 1176 27 libdyld.dylib 0x00007fff86cf45ad start + 1 log name is: ./crashlogs/1.crashlog.txt --- exception=EXC_CRASH:signal=11:is_exploitable=yes:instruction_disassembly=movq %rax,CONSTANT(%rdi,%rsi):instruction_address=0x00000001037ef54a:access_type=:access_address=0x0000000000000000: The crash is suspected to be an exploitable issue due to the suspicious function in the stack trace of the crashing thread: ' calloc ' ``` ### Exploit Proof-of-Concept Run included Python server and connect FreeRDP Client to it. ### Timeline * 2017-05-24 - Vendor Disclosure * 2017-07-24 - Public Release ### CREDIT * Discovered by Tyler Bohan of Cisco Talos. |
| id | SSV:96456 |
| last seen | 2017-11-19 |
| modified | 2017-09-13 |
| published | 2017-09-13 |
| reporter | Root |
| title | FreeRDP Rdp Client Recv RDP Code Execution Vulnerability(CVE-2017-2835) |
Talos
| id | TALOS-2017-0337 |
| last seen | 2019-05-29 |
| published | 2017-07-24 |
| reporter | Talos Intelligence |
| source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0337 |
| title | FreeRDP Rdp Client Recv RDP Code Execution Vulnerability |