FreeRDP is a popular open-source implementation of the Remote Desktop Protocol (RDP). This powerful tool allows users to access and manage remote systems through a graphical interface. However, a recently discovered vulnerability in versions prior to 2.7. could potentially enable attackers to bypass NT LAN Manager (NTLM) authentication when using empty password values. This issue primarily affects FreeRDP-based RDP Server implementations, but RDP clients remain unaffected. In this article, we will explore the details of this vulnerability, CVE-2022-24882, and discuss how to both understand and address it.
Understanding the Vulnerability
When an RDP connection is established, NTLM authentication is used as a security measure to verify users' usernames and passwords. The issue discovered in certain FreeRDP versions is that the authentication process does not properly abort when encountering an empty password value. As a result, attackers can exploit this vulnerability by simply leaving the password field blank when attempting to access the RDP server implementation. Furthermore, successful authentication often grants extensive control over the compromised system, exacerbating the risk associated with this flaw.
Patch Status and Original References
To fix this vulnerability, the developers of FreeRDP have released version 2.7., which patches the issue. The official GitHub repository for the project can be found here, containing the updated codebase and additional documentation. The original CVE report, along with a more technical analysis of the vulnerability, can also be accessed here.
Code Snippet Demonstrating the Vulnerability
Below is a code snippet demonstrating the problematic behavior observed in the vulnerable FreeRDP versions:
BOOL ntlm_accept_ntlm_password(NTLM_CONTEXT* context, SEC_BUFFER* password)
{
...
if (password->BufferType != SECBUFFER_TOKEN)
{
context->state = NTLM_STATE_ABANDONED;
return FALSE;
}
...
}
In the code snippet above, the ntlm_accept_ntlm_password function returns FALSE when provided with an empty password value for authentication. The NTLM authentication process should properly abort and deny access when encountering such input, but the vulnerable versions experience a security lapse that allows the process to continue regardless.
Understanding the Exploit
To exploit this vulnerability, an attacker must first identify an RDP server utilizing a version of FreeRDP vulnerable to CVE-2022-24882. Upon targeting the discovered system, the attacker simply needs to supply the correct username associated with the administrator or user account while leaving the password field empty. This manipulation should result in a successful authentication bypass, ultimately granting unauthorized access to the system.
Patching and Mitigation
Upgrading to FreeRDP version 2.7. is the most effective means of addressing this vulnerability, as it contains the necessary patch. Administrators should promptly update their FreeRDP deployments to ensure their systems remain secure. However, should updating prove unattainable or challenging, there are currently no known workarounds to mitigate this vulnerability, reinforcing the imperative nature of implementing the latest version.
Conclusion
The discovery of CVE-2022-24882 highlights the necessity of remaining vigilant in identifying and patching vulnerabilities, particularly within widely used open-source projects such as FreeRDP. By understanding the nature of this specific flaw, administrators can better appreciate the importance of upgrading to version 2.7. and maintaining up-to-date software deployments to prevent unauthorized access and maintain the integrity of their systems.
Timeline
Published on: 04/26/2022 16:15:00 UTC
Last modified on: 05/11/2022 04:15:00 UTC