Vulnerabilities > CVE-2017-2839
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 | |
OS | 2 |
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2017-ED31E1F941.NASL description Update to latest snapshot that contains fixes for the latest Talos discovered CVEs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-08-09 plugin id 102277 published 2017-08-09 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102277 title Fedora 25 : 2:freerdp / remmina (2017-ed31e1f941) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2017-ed31e1f941. # include("compat.inc"); if (description) { script_id(102277); script_version("3.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839"); script_xref(name:"FEDORA", value:"2017-ed31e1f941"); script_name(english:"Fedora 25 : 2:freerdp / remmina (2017-ed31e1f941)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Update to latest snapshot that contains fixes for the latest Talos discovered CVEs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-ed31e1f941" ); script_set_attribute( attribute:"solution", value:"Update the affected 2:freerdp and / or remmina packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:2:freerdp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:remmina"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/24"); script_set_attribute(attribute:"patch_publication_date", value:"2017/08/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/09"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC25", reference:"freerdp-2.0.0-31.20170724gitf8c9f43.fc25", epoch:"2")) flag++; if (rpm_check(release:"FC25", reference:"remmina-1.2.0-0.39.20170724git0387ee0.fc25")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "2:freerdp / remmina"); }
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3380-1.NASL description It was discovered that FreeRDP incorrectly handled certain width and height values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2014-0250) It was discovered that FreeRDP incorrectly handled certain values in a Scope List. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-0791) Tyler Bohan discovered that FreeRDP incorrectly handled certain length values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-2834, CVE-2017-2835) Tyler Bohan discovered that FreeRDP incorrectly handled certain packets. A malicious server could possibly use this issue to cause FreeRDP to crash, resulting in a denial of service. (CVE-2017-2836, CVE-2017-2837, CVE-2017-2838, CVE-2017-2839). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 102260 published 2017-08-08 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102260 title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : freerdp vulnerabilities (USN-3380-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3380-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(102260); script_version("1.6"); script_cvs_date("Date: 2019/09/18 12:31:47"); script_cve_id("CVE-2014-0250", "CVE-2014-0791", "CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839"); script_xref(name:"USN", value:"3380-1"); script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : freerdp vulnerabilities (USN-3380-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "It was discovered that FreeRDP incorrectly handled certain width and height values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2014-0250) It was discovered that FreeRDP incorrectly handled certain values in a Scope List. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-0791) Tyler Bohan discovered that FreeRDP incorrectly handled certain length values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-2834, CVE-2017-2835) Tyler Bohan discovered that FreeRDP incorrectly handled certain packets. A malicious server could possibly use this issue to cause FreeRDP to crash, resulting in a denial of service. (CVE-2017-2836, CVE-2017-2837, CVE-2017-2838, CVE-2017-2839). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3380-1/" ); script_set_attribute( attribute:"solution", value: "Update the affected libfreerdp-client1.1 and / or libfreerdp1 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp-client1.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libfreerdp1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/03"); script_set_attribute(attribute:"patch_publication_date", value:"2017/08/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/08"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(14\.04|16\.04|17\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 17.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"14.04", pkgname:"libfreerdp1", pkgver:"1.0.2-2ubuntu1.1")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"libfreerdp-client1.1", pkgver:"1.1.0~git20140921.1.440916e+dfsg1-5ubuntu1.2")) flag++; if (ubuntu_check(osver:"17.04", pkgname:"libfreerdp-client1.1", pkgver:"1.1.0~git20140921.1.440916e+dfsg1-10ubuntu1.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libfreerdp-client1.1 / libfreerdp1"); }
NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-992.NASL description This update for freerdp fixes the following issues : - CVE-2017-2834: Out-of-bounds write in license_recv() (bsc#1050714) - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu (bsc#1050712) - CVE-2017-2836: Rdp Client Read Server Proprietary Certificate Denial of Service (bsc#1050699) - CVE-2017-2837: Client GCC Read Server Security Data DoS (bsc#1050704) - CVE-2017-2838: Client License Read Product Info Denial of Service Vulnerability (bsc#1050708) - CVE-2017-2839: Client License Read Challenge Packet Denial of Service (bsc#1050711) This update was imported from the SUSE:SLE-12-SP2:Update update project. last seen 2020-06-05 modified 2017-09-05 plugin id 102945 published 2017-09-05 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102945 title openSUSE Security Update : freerdp (openSUSE-2017-992) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2017-992. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(102945); script_version("3.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-2834", "CVE-2017-2835", "CVE-2017-2836", "CVE-2017-2837", "CVE-2017-2838", "CVE-2017-2839"); script_name(english:"openSUSE Security Update : freerdp (openSUSE-2017-992)"); script_summary(english:"Check for the openSUSE-2017-992 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for freerdp fixes the following issues : - CVE-2017-2834: Out-of-bounds write in license_recv() (bsc#1050714) - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu (bsc#1050712) - CVE-2017-2836: Rdp Client Read Server Proprietary Certificate Denial of Service (bsc#1050699) - CVE-2017-2837: Client GCC Read Server Security Data DoS (bsc#1050704) - CVE-2017-2838: Client License Read Product Info Denial of Service Vulnerability (bsc#1050708) - CVE-2017-2839: Client License Read Challenge Packet Denial of Service (bsc#1050711) This update was imported from the SUSE:SLE-12-SP2:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050699" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050704" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050708" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050711" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050712" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050714" ); script_set_attribute( attribute:"solution", value:"Update the affected freerdp packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freerdp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freerdp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freerdp-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freerdp-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreerdp2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreerdp2-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2017/09/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.2", reference:"freerdp-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"freerdp-debuginfo-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"freerdp-debugsource-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"freerdp-devel-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libfreerdp2-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libfreerdp2-debuginfo-2.0.0~git.1463131968.4e66df7-3.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"freerdp-2.0.0~git.1463131968.4e66df7-6.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"freerdp-debuginfo-2.0.0~git.1463131968.4e66df7-6.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"freerdp-debugsource-2.0.0~git.1463131968.4e66df7-6.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"freerdp-devel-2.0.0~git.1463131968.4e66df7-6.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libfreerdp2-2.0.0~git.1463131968.4e66df7-6.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libfreerdp2-debuginfo-2.0.0~git.1463131968.4e66df7-6.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freerdp / freerdp-debuginfo / freerdp-debugsource / freerdp-devel / etc"); }
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2580.NASL description According to the versions of the freerdp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An exploitable code execution vulnerability exists in the RDP receive functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in an exploitable condition. An attacker can compromise the server or use a man in the middle to trigger this vulnerability.(CVE-2017-2835) - An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2838) - An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2839) - An exploitable denial of service vulnerability exists within the handling of security data in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2837) - An exploitable denial of service vulnerability exists within the reading of proprietary server certificates in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability.(CVE-2017-2836) - FreeRDP FreeRDP 2.0.0-rc3 released version before commit 205c612820dac644d665b5bb1cdf437dc5ca01e3 contains a Other/Unknown vulnerability in channels/drdynvc/client/drdynvc_main.c, drdynvc_process_capability_request that can result in The RDP server can read the client last seen 2020-05-08 modified 2019-12-19 plugin id 132297 published 2019-12-19 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132297 title EulerOS 2.0 SP3 : freerdp (EulerOS-SA-2019-2580) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-2234-1.NASL description This update for freerdp fixes the following issues : - CVE-2017-2834: Out-of-bounds write in license_recv() (bsc#1050714) - CVE-2017-2835: Out-of-bounds write in rdp_recv_tpkt_pdu (bsc#1050712) - CVE-2017-2836: Rdp Client Read Server Proprietary Certificate Denial of Service (bsc#1050699) - CVE-2017-2837: Client GCC Read Server Security Data DoS (bsc#1050704) - CVE-2017-2838: Client License Read Product Info Denial of Service Vulnerability (bsc#1050708) - CVE-2017-2839: Client License Read Challenge Packet Denial of Service (bsc#1050711) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 102693 published 2017-08-23 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102693 title SUSE SLED12 Security Update : freerdp (SUSE-SU-2017:2234-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2455.NASL description According to the versions of the freerdp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - FreeRDP before 1.1.0-beta+2013071101 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by disconnecting before authentication has finished.(CVE-2013-4119) - FreeRDP FreeRDP 2.0.0-rc3 released version before commit 205c612820dac644d665b5bb1cdf437dc5ca01e3 contains a Other/Unknown vulnerability in channels/drdynvc/client/drdynvc_main.c, drdynvc_process_capability_request that can result in The RDP server can read the client last seen 2020-05-08 modified 2019-12-04 plugin id 131609 published 2019-12-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131609 title EulerOS 2.0 SP2 : freerdp (EulerOS-SA-2019-2455) NASL family Fedora Local Security Checks NASL id FEDORA_2017-4BC09C2364.NASL description Update to latest snapshot that contains fixes for the latest Talos discovered CVEs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-08-01 plugin id 102088 published 2017-08-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102088 title Fedora 26 : 2:freerdp / remmina (2017-4bc09c2364) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1095.NASL description Tyler Bohan of Talos discovered that FreeRDP, a free implementation of the Remote Desktop Protocol (RDP), contained several vulnerabilities that allowed a malicious remote server or a man-in-the-middle to either cause a DoS by forcibly terminating the client, or execute arbitrary code on the client side. For Debian 7 last seen 2020-03-17 modified 2017-09-11 plugin id 103095 published 2017-09-11 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103095 title Debian DLA-1095-1 : freerdp security update NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3923.NASL description Tyler Bohan of Talos discovered that FreeRDP, a free implementation of the Remote Desktop Protocol (RDP), contained several vulnerabilities that allowed a malicious remote server or a man-in-the-middle to either cause a DoS by forcibly terminating the client, or execute arbitrary code on the client side. last seen 2020-06-01 modified 2020-06-02 plugin id 102097 published 2017-08-02 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102097 title Debian DSA-3923-1 : freerdp - security update
Seebug
bulletinFamily | exploit |
description | ### Summary An exploitable denial of service vulnerability exists within the handling of challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can compromise the server or use man in the middle to trigger this vulnerability. ### Tested Versions FreeRDP 2.0.0-beta1+android11 - Windows, OSX, Linux ### Product URLs http://www.freerdp.com/ ### CVSSv3 Score 6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H ### CWE CWE-252: Unchecked Return Value ### Details FreeRDP is a remote desktop protocol implementation available for all of the major operating systems. Many of the commercial remote desktop protocol applications actually use this library as their core. The vulnerability arises due to failure to check the return value result. ``` BOOL license_read_platform_challenge_packet(rdpLicense* license, wStream* s) { BYTE MacData[16]; UINT32 ConnectFlags = 0; if (Stream_GetRemainingLength(s) < 4) return FALSE; license->EncryptedPlatformChallenge->type = BB_ANY_BLOB; license_read_binary_blob(s, license->EncryptedPlatformChallenge); [1] license->EncryptedPlatformChallenge->type = BB_ENCRYPTED_DATA_BLOB; if (Stream_GetRemainingLength(s) < 16) return FALSE; if (!license_decrypt_platform_challenge(license)) [2] ``` The license structure is populated at, [1],and a return value check is omitted. This newly populated license is then passed into a decryption function directly. Below is the code for license_read_binary_blob, [1]. ``` BOOL license_read_binary_blob(wStream* s, LICENSE_BLOB* blob) { UINT16 wBlobType; Stream_Read_UINT16(s, wBlobType); /* wBlobType (2 bytes) */ Stream_Read_UINT16(s, blob->length); /* wBlobLen (2 bytes) */ if (Stream_GetRemainingLength(s) < blob->length) [3] return FALSE; ... blob->type = wBlobType; blob->data = (BYTE*) malloc(blob->length); [4] ``` In the read_blob function we can see the length is read in directly from the packet and then checked against the stream length, [3]. This will exit the function if the check fails and return false. Recall that the previous function does not check the return value so the type blob->data,[4], will not be initialized. The license_decrypt_platform_challenge function is shown below: ``` BOOL license_decrypt_platform_challenge(rdpLicense* license) { BOOL rc; WINPR_RC4_CTX* rc4; ... rc = winpr_RC4_Update(rc4, license->EncryptedPlatformChallenge->length, license->EncryptedPlatformChallenge->data, [5] license->PlatformChallenge->data); ``` The license object is passed in and the EncryptedPlatformChallenge is used without validation, [5]. Recall the EncryptedPlatformChallenge data field is not set due to incorrect length so when the RC4 function attempts to use it a null pointer access happens and a denial of service condition arises. ### Crash Information ``` Crashed thread log = : Dispatch queue: com.apple.main-thread 0 com.apple.CoreGraphics 0x00007fff9109bb34 blt_pattern_blend_XXXX32 + 608 1 com.apple.CoreGraphics 0x00007fff91058de4 argb32_mark + 19951 2 libRIP.A.dylib 0x00007fff8f7e4cec RIPLayerBltShape + 1319 3 libRIP.A.dylib 0x00007fff8f7e2713 ripc_Render + 319 4 libRIP.A.dylib 0x00007fff8f7df1a2 ripc_DrawRects + 438 5 com.apple.AppKit 0x00007fff900577cd __backing_store_DrawRects_block_invoke + 39 6 com.apple.AppKit 0x00007fff90056a77 backing_store_delegate + 768 7 com.apple.AppKit 0x00007fff900564fb backing_store_DrawRects + 1047 8 com.apple.CoreGraphics 0x00007fff91050be7 CGContextFillRects + 107 9 com.apple.CoreGraphics 0x00007fff91050b79 CGContextFillRect + 134 10 com.apple.CoreGraphics 0x00007fff91098001 CGContextDrawImages + 3688 11 com.apple.coreui 0x00007fff98fb858e _CUITileImageWithOperation + 365 12 com.apple.coreui 0x00007fff98fb4e78 DrawOnePartElementFromRenditionWithOperation + 993 13 com.apple.coreui 0x00007fff98fbdc5a -[CUIThemeFacet _drawSpecificRenditionKey:rendition:inFrame:context:alpha:operation:isFocused:isFlipped:] + 594 14 com.apple.coreui 0x00007fff98fbd91a -[CUIThemeFacet _drawSpecificRenditionKey:inFrame:context:isFocused:isFlipped:] + 163 15 com.apple.coreui 0x00007fff98fbbc32 -[CUIThemeFacet drawInFrame:isFocused:context:] + 137 16 com.apple.coreui 0x00007fff98fd8f68 CUICoreThemeRenderer::DrawWindowFrameStandardNew(CUIDescriptor const*) + 1558 17 com.apple.coreui 0x00007fff98f5a065 CUIRenderer::Draw(CGRect, CGContext*, __CFDictionary const*, __CFDictionary const**) + 2341 18 com.apple.coreui 0x00007fff98f5c992 CUIDraw + 175 19 com.apple.AppKit 0x00007fff8ffeed25 __44-[NSAppearance _drawInRect:context:options:]_block_invoke + 64 20 com.apple.AppKit 0x00007fff8fe55e91 -[NSCompositeAppearance _callCoreUIWithBlock:] + 183 21 com.apple.AppKit 0x00007fff8ffeecde -[NSAppearance _drawInRect:context:options:] + 127 22 com.apple.AppKit 0x00007fff900c0699 -[NSThemeFrame _maskCorners:clipRect:] + 259 23 com.apple.AppKit 0x00007fff90612b0d -[NSThemeFrame _drawTransparentTitlebarInRect:] + 173 24 com.apple.AppKit 0x00007fff900bd6b3 -[NSThemeFrame _drawUnifiedToolbar:] + 181 25 com.apple.AppKit 0x00007fff900bd480 -[NSThemeFrame _drawTitleBar:] + 104 26 com.apple.AppKit 0x00007fff900bd411 -[NSThemeFrame _drawFrameInterior:clip:] + 83 27 com.apple.AppKit 0x00007fff900bd3b1 -[NSThemeFrame drawFrame:] + 892 28 com.apple.AppKit 0x00007fff900bcf98 -[NSFrameView drawRect:] + 1098 29 com.apple.AppKit 0x00007fff900bcb33 -[NSThemeFrame drawRect:] + 280 30 com.apple.AppKit 0x00007fff8fffcc86 -[NSView _drawRect:clip:] + 3550 31 com.apple.AppKit 0x00007fff8fffacf5 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3136 32 com.apple.AppKit 0x00007fff8fff9be0 -[NSThemeFrame _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 334 33 com.apple.AppKit 0x00007fff8fff7feb -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 2449 34 com.apple.AppKit 0x00007fff8fff33f5 -[NSView displayIfNeeded] + 1950 35 com.apple.AppKit 0x00007fff8fff2c3c -[NSWindow displayIfNeeded] + 232 36 com.apple.AppKit 0x00007fff9067741b ___NSWindowGetDisplayCycleObserver_block_invoke6365 + 476 37 com.apple.AppKit 0x00007fff8fff25d6 __37+[NSDisplayCycle currentDisplayCycle]_block_invoke + 941 38 com.apple.QuartzCore 0x00007fff86da5f71 CA::Transaction::run_commit_handlers(CATransactionPhase) + 85 39 com.apple.QuartzCore 0x00007fff86da542c CA::Context::commit_transaction(CA::Transaction*) + 160 40 com.apple.QuartzCore 0x00007fff86da50ec CA::Transaction::commit() + 508 41 com.apple.QuartzCore 0x00007fff86db0977 CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*) + 71 42 com.apple.CoreFoundation 0x00007fff88e20067 __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23 43 com.apple.CoreFoundation 0x00007fff88e1ffd7 __CFRunLoopDoObservers + 391 44 com.apple.CoreFoundation 0x00007fff88dfeef8 CFRunLoopRunSpecific + 328 45 com.apple.HIToolbox 0x00007fff8f2b7935 RunCurrentEventLoopInMode + 235 46 com.apple.HIToolbox 0x00007fff8f2b7677 ReceiveNextEventCommon + 184 47 com.apple.HIToolbox 0x00007fff8f2b75af _BlockUntilNextEventMatchingListInModeWithFilter + 71 48 com.apple.AppKit 0x00007fff8fe9adf6 _DPSNextEvent + 1067 49 com.apple.AppKit 0x00007fff8fe9a226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454 50 com.apple.AppKit 0x00007fff8fe8ed80 -[NSApplication run] + 682 51 com.apple.AppKit 0x00007fff8fe58368 NSApplicationMain + 1176 52 libdyld.dylib 0x00007fff86cf45ad start + 1 log name is: ./crashlogs/1.crashlog.txt --- exception=EXC_CRASH:signal=11:is_exploitable= no:instruction_disassembly=.byte 0xc4 #bad opcode:instruction_address=0x00007fff9109bb34:access_type=:access_address=0x0000000000000000: ``` ### Exploit Proof-of-Concept Run included Python server and connect FreeRDP Client to it. ### Timeline * 2017-05-24 - Vendor Disclosure * 2017-07-24 - Public Release ### CREDIT * Discovered by Tyler Bohan of Cisco Talos. |
id | SSV:96461 |
last seen | 2017-11-19 |
modified | 2017-09-13 |
published | 2017-09-13 |
reporter | Root |
title | FreeRDP Rdp Client License Read Challenge Packet Denial of Service Vulnerability(CVE-2017-2839) |
Talos
id | TALOS-2017-0341 |
last seen | 2019-05-29 |
published | 2017-07-24 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0341 |
title | FreeRDP Rdp Client License Read Challenge Packet Denial of Service Vulnerability |
References
- http://www.securityfocus.com/bid/99942
- http://www.securityfocus.com/bid/99942
- https://www.debian.org/security/2017/dsa-3923
- https://www.debian.org/security/2017/dsa-3923
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0341
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0341