FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients using a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to integer overflow and out-of-bounds write. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, do not use `/gfx` options (e.g. deactivate with `/bpp:32` or `/rfx` as it is on by default).
The vulnerability is an integer overflow (CWE-190) that leads to out-of-bounds write in allocated memory buffer (CWE-787). The issue occurs in the graphics options handling path `/gfx`, which is active by default in FreeRDP clients. An attacker can send crafted data from a malicious or compromised RDP server, causing memory corruption in the client process.
An attacker can trigger arbitrary code execution (RCE) on the client machine or cause application crash, which in the worst case means complete takeover of the user system connecting through FreeRDP.
FreeRDP should be updated to version 3.5.0 or 2.11.6. As a workaround, GFX options can be disabled by using `/bpp:32` or `/rfx` parameters when running the client, which deactivates the vulnerable code path (GFX is enabled by default).
FreeRDP clients based on FreeRDP versions earlier than 3.5.0 and earlier than 2.11.6, as well as Fedora packages containing vulnerable FreeRDP versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFedora Project Fedora
OSFedoraproject383940Freerdp
APPFreerdp< 2.11.63.0.0 – 3.5.0 (bez)
Related vulnerabilities
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit
Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML
Type Confusion w silniku V8 Chrome — zdalne wykonanie kodu (RCE)
Use-after-free w Google Chrome Visuals umożliwiający ucieczkę z sandbox
Integer overflow w Skia w Google Chrome — sandbox escape