FreeRDP (https://www.freerdp.com) is a popular open-source remote desktop protocol (RDP) library and client implementation for Windows, macOS, and Linux. It provides users with a secure and seamless way to connect to remote desktops from their local devices, making it a valuable tool in today's increasingly distributed work environments.

Unfortunately, a vulnerability has recently been discovered in certain versions of FreeRDP that could put its users at risk. This post will detail the nature of this vulnerability, designated as CVE-2022-39317, provide code snippets to demonstrate the issue, and link to the original references for further information. Finally, we will discuss the available fixes and mitigation measures for this security flaw.

Vulnerability Details

CVE-2022-39317 affects FreeRDP versions prior to 2.9 and stems from a missing range check on an input offset index in the ZGFX decoder. ZGFX is a codec used in FreeRDP to compress graphics data, reducing the amount of data that needs to be transmitted during a remote desktop session; the client must decode every ZGFX segment the server sends.

A malicious server could exploit this vulnerability by sending crafted ZGFX data to a FreeRDP-based client, causing it to read out-of-bounds data and attempt to decode it. This could potentially lead to data leakage, unauthorized access, or even remote code execution on the affected client.

The issue was identified and reported by a security researcher, who provided the following code snippet to demonstrate the vulnerability:

// In libfreerdp/codec/zgfx.c
static UINT zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, BYTE* pSrcData, UINT32 SrcSize,
                                    BYTE** ppDstData, UINT32* pDstSize)
{
...
    while (processed < SrcSize)
    {
        /* missing range check for input offset index, leading to out-of-bound read:
         * the loop guard only covers pSrcData[processed]; when processed == SrcSize - 1,
         * pSrcData[processed + 1] reads one byte past the end of the input buffer */
        COPY_PIXEL((pSrcData[processed] << 8) | pSrcData[processed + 1]);
        processed += 2;
    }
...
}
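The following is an added example, not FreeRDP's code: it reproduces the read-ahead loop from the snippet above next to a hardened version that checks the whole word lies inside the input before indexing, and it rejects a constructed truncated segment instead of reading past it. The function names and the sample bytes are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same shape as the snippet above (hypothetical names): the loop guard only
 * covers the first byte of each word, so an odd-length input makes
 * src[processed + 1] read one byte past the buffer. Kept only for contrast;
 * never feed it untrusted or odd-length data. */
size_t decode_words_unchecked(const uint8_t* src, size_t src_size, uint16_t* dst)
{
    size_t processed = 0, out = 0;
    while (processed < src_size)
    {
        dst[out++] = (uint16_t)((src[processed] << 8) | src[processed + 1]);
        processed += 2;
    }
    return out;
}

/* Hardened form: verify that both bytes of the word are inside src_size before
 * indexing, and bound the output as well. Returns the number of words decoded,
 * or -1 when the input is truncated or dst is too small. */
int decode_words_checked(const uint8_t* src, size_t src_size,
                         uint16_t* dst, size_t dst_cap)
{
    size_t processed = 0, out = 0;
    while (processed < src_size)
    {
        if (src_size - processed < 2)   /* input offset range check */
            return -1;
        if (out >= dst_cap)             /* output range check */
            return -1;
        dst[out++] = (uint16_t)((src[processed] << 8) | src[processed + 1]);
        processed += 2;
    }
    return (int)out;
}

int main(void)
{
    /* constructed inputs: a well-formed two-word segment and a truncated one */
    const uint8_t good[] = { 0x12, 0x34, 0xAB, 0xCD };
    const uint8_t odd[]  = { 0x12, 0x34, 0xAB };
    uint16_t words[4];
    int n = decode_words_checked(good, sizeof good, words, 4);
    printf("good: %d words, first 0x%04X\n", n, words[0]); /* good: 2 words, first 0x1234 */
    n = decode_words_checked(odd, sizeof odd, words, 4);
    printf("odd: %d (rejected)\n", n);                      /* odd: -1 (rejected) */
    return 0;
}
```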

It is worth noting that this vulnerability can only be exploited if the attacker controls the RDP server that the victim's FreeRDP client connects to. However, this should not be taken as a reason to underestimate the potential impact of the issue.

Original References

The vulnerability was reported to the FreeRDP project and has been documented in the project's GitHub repository:

- CVE-2022-39317: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-pq6h-7g96-94jw
- FreeRDP GitHub Repository: https://github.com/FreeRDP/FreeRDP

Additionally, it has been assigned the CVE identifier CVE-2022-39317 by the Common Vulnerabilities and Exposures (CVE) system, which provides a detailed record of the issue:

- CVE-2022-39317: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39317

Fixing the Vulnerability

The FreeRDP project has released version 2.9 to address this vulnerability. It is strongly recommended that all users of affected versions update their FreeRDP installations as soon as possible to mitigate the risk of exploitation.

If for any reason it is not possible to update your FreeRDP instance, be aware that there are currently no known workarounds for this issue. As such, it is vital that you secure your remote desktop environments and minimize the chance that a FreeRDP client connects to a server an attacker controls, for example by only allowing connections to trusted, properly maintained RDP servers.

Conclusion

CVE-2022-39317 is a serious vulnerability that affects certain versions of the FreeRDP remote desktop protocol library and clients. By exploiting this issue, a malicious server could force a FreeRDP client to read and potentially execute out-of-bounds data. Users are urged to update to FreeRDP version 2.9 or later to protect themselves from this security flaw.

Timeline

Published on: 11/16/2022 21:15:00 UTC
Last modified on: 01/25/2023 19:56:00 UTC