Vulnerabilities > CVE-2017-2836 - Improper Certificate Validation vulnerability in multiple products

047910
CVSS 5.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
high complexity
freerdp
debian
CWE-295
nessus

Summary

An exploitable denial of service vulnerability exists within the reading of proprietary server certificates in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.

Vulnerable Configurations

Part Description Count
Application
Freerdp
1
OS
Debian
2

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Creating a Rogue Certificate Authority Certificate
    An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-ED31E1F941.NASL
    descriptionUpdate to latest snapshot that contains fixes for the latest Talos discovered CVEs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-08-09
    plugin id102277
    published2017-08-09
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102277
    titleFedora 25 : 2:freerdp / remmina (2017-ed31e1f941)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-ed31e1f941.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102277);
      script_version("3.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839");
      script_xref(name:"FEDORA", value:"2017-ed31e1f941");
    
      script_name(english:"Fedora 25 : 2:freerdp / remmina (2017-ed31e1f941)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Update to latest snapshot that contains fixes for the latest Talos
    discovered CVEs.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-ed31e1f941"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 2:freerdp and / or remmina packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:2:freerdp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:remmina");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/09");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"freerdp-2.0.0-31.20170724gitf8c9f43.fc25", epoch:"2")) flag++;
    if (rpm_check(release:"FC25", reference:"remmina-1.2.0-0.39.20170724git0387ee0.fc25")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "2:freerdp / remmina");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3380-1.NASL
    descriptionIt was discovered that FreeRDP incorrectly handled certain width and height values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2014-0250) It was discovered that FreeRDP incorrectly handled certain values in a Scope List. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-0791) Tyler Bohan discovered that FreeRDP incorrectly handled certain length values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-2834, CVE-2017-2835) Tyler Bohan discovered that FreeRDP incorrectly handled certain packets. A malicious server could possibly use this issue to cause FreeRDP to crash, resulting in a denial of service. (CVE-2017-2836, CVE-2017-2837, CVE-2017-2838, CVE-2017-2839). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102260
    published2017-08-08
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102260
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.04 : freerdp vulnerabilities (USN-3380-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3380-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102260);
      script_version("1.6");
      script_cvs_date("Date: 2019/09/18 12:31:47");
    
      script_cve_id("CVE-2014-0250", "CVE-2014-0791", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839");
      script_xref(name:"USN", value:"3380-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : freerdp vulnerabilities (USN-3380-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that FreeRDP incorrectly handled certain width and
    height values. A malicious server could use this issue to cause
    FreeRDP to crash, resulting in a denial of service, or possibly
    execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS.
    (CVE-2014-0250)
    
    It was discovered that FreeRDP incorrectly handled certain values in a
    Scope List. A malicious server could use this issue to cause FreeRDP
    to crash, resulting in a denial of service, or possibly execute
    arbitrary code. (CVE-2014-0791)
    
    Tyler Bohan discovered that FreeRDP incorrectly handled certain length
    values. A malicious server could use this issue to cause FreeRDP to
    crash, resulting in a denial of service, or possibly execute arbitrary
    code. (CVE-2017-2834, CVE-2017-2835)
    
    Tyler Bohan discovered that FreeRDP incorrectly handled certain
    packets. A malicious server could possibly use this issue to cause
    FreeRDP to crash, resulting in a denial of service. (CVE-2017-2836,
    CVE-2017-2837, CVE-2017-2838, CVE-2017-2839).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3380-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected libfreerdp-client1.1 and / or libfreerdp1
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp-client1.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|16\.04|17\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 17.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"libfreerdp1", pkgver:"1.0.2-2ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libfreerdp-client1.1", pkgver:"1.1.0~git20140921.1.440916e+dfsg1-5ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"libfreerdp-client1.1", pkgver:"1.1.0~git20140921.1.440916e+dfsg1-10ubuntu1.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libfreerdp-client1.1 / libfreerdp1");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-992.NASL
    descriptionThis update for freerdp fixes the following issues : - CVE-2017-2834: Out-of-bounds write in license_recv() (bsc#1050714) - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu (bsc#1050712) - CVE-2017-2836: Rdp Client Read Server Proprietary Certificate Denial of Service (bsc#1050699) - CVE-2017-2837: Client GCC Read Server Security Data DoS (bsc#1050704) - CVE-2017-2838: Client License Read Product Info Denial of Service Vulnerability (bsc#1050708) - CVE-2017-2839: Client License Read Challenge Packet Denial of Service (bsc#1050711) This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-05
    modified2017-09-05
    plugin id102945
    published2017-09-05
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102945
    titleopenSUSE Security Update : freerdp (openSUSE-2017-992)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-992.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102945);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839");
    
      script_name(english:"openSUSE Security Update : freerdp (openSUSE-2017-992)");
      script_summary(english:"Check for the openSUSE-2017-992 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for freerdp fixes the following issues :
    
      - CVE-2017-2834: Out-of-bounds write in license_recv()
        (bsc#1050714)
    
      - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu
        (bsc#1050712)
    
      - CVE-2017-2836: Rdp Client Read Server Proprietary
        Certificate Denial of Service (bsc#1050699)
    
      - CVE-2017-2837: Client GCC Read Server Security Data DoS
        (bsc#1050704)
    
      - CVE-2017-2838: Client License Read Product Info Denial
        of Service Vulnerability (bsc#1050708)
    
      - CVE-2017-2839: Client License Read Challenge Packet
        Denial of Service (bsc#1050711)
    
    This update was imported from the SUSE:SLE-12-SP2:Update update
    project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050699"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050704"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050708"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050711"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050712"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050714"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected freerdp packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freerdp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freerdp-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freerdp-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freerdp-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreerdp2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreerdp2-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/09/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.2", reference:"freerdp-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"freerdp-debuginfo-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"freerdp-debugsource-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"freerdp-devel-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libfreerdp2-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libfreerdp2-debuginfo-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"freerdp-2.0.0~git.1463131968.4e66df7-6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"freerdp-debuginfo-2.0.0~git.1463131968.4e66df7-6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"freerdp-debugsource-2.0.0~git.1463131968.4e66df7-6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"freerdp-devel-2.0.0~git.1463131968.4e66df7-6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libfreerdp2-2.0.0~git.1463131968.4e66df7-6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libfreerdp2-debuginfo-2.0.0~git.1463131968.4e66df7-6.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freerdp / freerdp-debuginfo / freerdp-debugsource / freerdp-devel / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2580.NASL
    descriptionAccording to the versions of the freerdp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An exploitable code execution vulnerability exists in the RDP receive functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle to trigger this vulnerability.(CVE-2017-2835) - An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2838) - An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2839) - An exploitable denial of service vulnerability exists within the handling of security data in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2837) - An exploitable denial of service vulnerability exists within the reading of proprietary server certificates in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2836) - FreeRDP FreeRDP 2.0.0-rc3 released version before commit 205c612820dac644d665b5bb1cdf437dc5ca01e3 contains a Other/Unknown vulnerability in channels/drdynvc/client/drdynvc_main.c, drdynvc_process_capability_request that can result in The RDP server can read the client
    last seen2020-05-08
    modified2019-12-19
    plugin id132297
    published2019-12-19
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132297
    titleEulerOS 2.0 SP3 : freerdp (EulerOS-SA-2019-2580)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2234-1.NASL
    descriptionThis update for freerdp fixes the following issues : - CVE-2017-2834: Out-of-bounds write in license_recv() (bsc#1050714) - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu (bsc#1050712) - CVE-2017-2836: Rdp Client Read Server Proprietary Certificate Denial of Service (bsc#1050699) - CVE-2017-2837: Client GCC Read Server Security Data DoS (bsc#1050704) - CVE-2017-2838: Client License Read Product Info Denial of Service Vulnerability (bsc#1050708) - CVE-2017-2839: Client License Read Challenge Packet Denial of Service (bsc#1050711) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102693
    published2017-08-23
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102693
    titleSUSE SLED12 Security Update : freerdp (SUSE-SU-2017:2234-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2455.NASL
    descriptionAccording to the versions of the freerdp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - FreeRDP before 1.1.0-beta+2013071101 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by disconnecting before authentication has finished.(CVE-2013-4119) - FreeRDP FreeRDP 2.0.0-rc3 released version before commit 205c612820dac644d665b5bb1cdf437dc5ca01e3 contains a Other/Unknown vulnerability in channels/drdynvc/client/drdynvc_main.c, drdynvc_process_capability_request that can result in The RDP server can read the client
    last seen2020-05-08
    modified2019-12-04
    plugin id131609
    published2019-12-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131609
    titleEulerOS 2.0 SP2 : freerdp (EulerOS-SA-2019-2455)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-4BC09C2364.NASL
    descriptionUpdate to latest snapshot that contains fixes for the latest Talos discovered CVEs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-08-01
    plugin id102088
    published2017-08-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102088
    titleFedora 26 : 2:freerdp / remmina (2017-4bc09c2364)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1095.NASL
    descriptionTyler Bohan of Talos discovered that FreeRDP, a free implementation of the Remote Desktop Protocol (RDP), contained several vulnerabilities that allowed a malicious remote server or a man-in-the-middle to either cause a DoS by forcibly terminating the client, or execute arbitrary code on the client side. For Debian 7
    last seen2020-03-17
    modified2017-09-11
    plugin id103095
    published2017-09-11
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103095
    titleDebian DLA-1095-1 : freerdp security update
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3923.NASL
    descriptionTyler Bohan of Talos discovered that FreeRDP, a free implementation of the Remote Desktop Protocol (RDP), contained several vulnerabilities that allowed a malicious remote server or a man-in-the-middle to either cause a DoS by forcibly terminating the client, or execute arbitrary code on the client side.
    last seen2020-06-01
    modified2020-06-02
    plugin id102097
    published2017-08-02
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102097
    titleDebian DSA-3923-1 : freerdp - security update

Seebug

bulletinFamilyexploit
description### Summary An exploitable denial of service vulnerability exists within the reading of proprietary server certificates in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability. ### Tested Versions FreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux ### Product URLs http://www.freerdp.com/ ### CVSSv3 Score 6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H ### CWE CWE-190: Integer Overflow or Wraparound ### Details FreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. The vulnerability arises in the parsing of proprietary certificates. ``` static BOOL certificate_process_server_public_key(rdpCertificate* certificate, wStream* s, UINT32 length) { BYTE magic[4]; UINT32 keylen; UINT32 bitlen; UINT32 datalen; UINT32 modlen; ... Stream_Read_UINT32(s, keylen); Stream_Read_UINT32(s, bitlen); Stream_Read_UINT32(s, datalen); modlen = keylen - 8; [1] if (Stream_GetRemainingLength(s) < modlen + 8) // count padding [2] return FALSE; certificate->cert_info.ModulusLength = modlen; certificate->cert_info.Modulus = malloc(certificate->cert_info.ModulusLength); [3] if (!certificate->cert_info.Modulus) return FALSE; Stream_Read(s, certificate->cert_info.Modulus, certificate->cert_info.ModulusLength); [4] ``` In processing a servers proprietary certificate, the function calls out to read the public key. It takes the key length directly from the packet and decrements eight from it, [1]. It then does a check on the length by adding the eight back and comparing it to the stream length. The vulnerability arises here when a value less than eight is passed in. It passes the check but wraps around and causes a large allocation to be made, [3]. The denial of service arises at, [4] when the stream is now read into the oversized buffer and an out-of-bounds read occurs. ### Crash Information ``` Crashed thread log = : Dispatch queue: com.apple.main-thread 0 com.apple.CoreGraphics 0x00007fff8e8fc4de argb32_image_mark_RGB32 + 423 1 com.apple.CoreGraphics 0x00007fff8e8fc29d argb32_image_mark_image + 1085 2 com.apple.CoreGraphics 0x00007fff8e8b3d92 argb32_image + 5050 3 libRIP.A.dylib 0x00007fff8d02d4f2 ripl_Mark + 23 4 libRIP.A.dylib 0x00007fff8d02d491 RIPLayerBltImage + 1185 5 libRIP.A.dylib 0x00007fff8d02ad0a ripc_DrawImage + 1151 6 com.apple.CoreGraphics 0x00007fff8e90d37f CGContextDelegateDrawImage + 48 7 com.apple.AppKit 0x00007fff8d89b1c8 __backing_store_DrawImage_block_invoke + 70 8 com.apple.AppKit 0x00007fff8d896a77 backing_store_delegate + 768 9 com.apple.AppKit 0x00007fff8d89b137 backing_store_DrawImage + 525 10 com.apple.CoreGraphics 0x00007fff8e8a1813 CGContextDrawImageWithOptions + 571 11 com.apple.CoreGraphics 0x00007fff8e8d7b23 CGContextDrawImages + 2442 12 com.apple.coreui 0x00007fff967f7cce DrawNinePartImageWithOperation + 5357 13 com.apple.coreui 0x00007fff967f67c2 DrawNinePartElementFromRenditionWithOperation + 471 14 com.apple.coreui 0x00007fff967fdcce -[CUIThemeFacet _drawSpecificRenditionKey:rendition:inFrame:context:alpha:operation:isFocused:isFlipped:] + 710 15 com.apple.coreui 0x00007fff967fd91a -[CUIThemeFacet _drawSpecificRenditionKey:inFrame:context:isFocused:isFlipped:] + 163 16 com.apple.coreui 0x00007fff967fbc32 -[CUIThemeFacet drawInFrame:isFocused:context:] + 137 17 com.apple.coreui 0x00007fff96819500 CUICoreThemeRenderer::DrawWindowFrameStandardNew(CUIDescriptor const*) + 2990 18 com.apple.coreui 0x00007fff9679a065 CUIRenderer::Draw(CGRect, CGContext*, __CFDictionary const*, __CFDictionary const**) + 2341 19 com.apple.coreui 0x00007fff9679c992 CUIDraw + 175 20 com.apple.AppKit 0x00007fff8d82ed25 __44-[NSAppearance _drawInRect:context:options:]_block_invoke + 64 21 com.apple.AppKit 0x00007fff8d695e91 -[NSCompositeAppearance _callCoreUIWithBlock:] + 183 22 com.apple.AppKit 0x00007fff8d82ecde -[NSAppearance _drawInRect:context:options:] + 127 23 com.apple.AppKit 0x00007fff8d900699 -[NSThemeFrame _maskCorners:clipRect:] + 259 24 com.apple.AppKit 0x00007fff8de52b0d -[NSThemeFrame _drawTransparentTitlebarInRect:] + 173 25 com.apple.AppKit 0x00007fff8d8fd6b3 -[NSThemeFrame _drawUnifiedToolbar:] + 181 26 com.apple.AppKit 0x00007fff8d8fd480 -[NSThemeFrame _drawTitleBar:] + 104 27 com.apple.AppKit 0x00007fff8d8fd411 -[NSThemeFrame _drawFrameInterior:clip:] + 83 28 com.apple.AppKit 0x00007fff8d8fd3b1 -[NSThemeFrame drawFrame:] + 892 29 com.apple.AppKit 0x00007fff8d8fcf98 -[NSFrameView drawRect:] + 1098 30 com.apple.AppKit 0x00007fff8d8fcb33 -[NSThemeFrame drawRect:] + 280 31 com.apple.AppKit 0x00007fff8d83cc86 -[NSView _drawRect:clip:] + 3550 32 com.apple.AppKit 0x00007fff8d83acf5 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3136 33 com.apple.AppKit 0x00007fff8d839be0 -[NSThemeFrame _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 334 34 com.apple.AppKit 0x00007fff8d837feb -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 2449 35 com.apple.AppKit 0x00007fff8d8333f5 -[NSView displayIfNeeded] + 1950 36 com.apple.AppKit 0x00007fff8d832c3c -[NSWindow displayIfNeeded] + 232 37 com.apple.AppKit 0x00007fff8deb741b ___NSWindowGetDisplayCycleObserver_block_invoke6365 + 476 38 com.apple.AppKit 0x00007fff8d8325d6 __37+[NSDisplayCycle currentDisplayCycle]_block_invoke + 941 39 com.apple.QuartzCore 0x00007fff845e5f71 CA::Transaction::run_commit_handlers(CATransactionPhase) + 85 40 com.apple.QuartzCore 0x00007fff845e542c CA::Context::commit_transaction(CA::Transaction*) + 160 41 com.apple.QuartzCore 0x00007fff845e50ec CA::Transaction::commit() + 508 42 com.apple.QuartzCore 0x00007fff845f0977 CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*) + 71 43 com.apple.CoreFoundation 0x00007fff86660067 __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23 44 com.apple.CoreFoundation 0x00007fff8665ffd7 __CFRunLoopDoObservers + 391 45 com.apple.CoreFoundation 0x00007fff8663eef8 CFRunLoopRunSpecific + 328 46 com.apple.HIToolbox 0x00007fff8caf7935 RunCurrentEventLoopInMode + 235 47 com.apple.HIToolbox 0x00007fff8caf7677 ReceiveNextEventCommon + 184 48 com.apple.HIToolbox 0x00007fff8caf75af _BlockUntilNextEventMatchingListInModeWithFilter + 71 49 com.apple.AppKit 0x00007fff8d6dadf6 _DPSNextEvent + 1067 50 com.apple.AppKit 0x00007fff8d6da226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] 454 51 com.apple.AppKit 0x00007fff8d6ced80 -[NSApplication run] + 682 52 com.apple.AppKit 0x00007fff8d698368 NSApplicationMain + 1176 53 libdyld.dylib 0x00007fff845345ad start + 1 log name is: ./crashlogs/1.crashlog.txt exception=EXCCRASH:signal=11:isexploitable= no:instructiondisassembly=cmpq $CONSTANT,%rax:instructionaddress=0x00007fff8e8fc4de:accesstype=:accessaddress=0x0000000000000000: ``` ### Exploit Proof-of-Concept Run included Python server and connect FreeRDP Client to it. ### Timeline * 2017-05-24 - Vendor Disclosure * 2017-07-24 - Public Release ### CREDIT * Discovered by Tyler Bohan of Cisco Talos.
idSSV:96458
last seen2017-11-19
modified2017-09-13
published2017-09-13
reporterRoot
titleFreeRDP Rdp Client Read Server Proprietary Certificate Denial of Service Vulnerability(CVE-2017-2836)

Talos

idTALOS-2017-0338
last seen2019-05-29
published2017-07-24
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0338
titleFreeRDP Rdp Client Read Server Proprietary Certificate Denial of Service Vulnerability