You can upgrade to the latest version, 4.0.0, by installing the `freerdp >= 4.0.0` package via `apt-get`. You can also download the source code from our website and build it. Keep in mind that it is not possible to downgrade to versions before 4.0.0. FreeRDP based clients might not work on other operating systems due to operating system dependent differences. We recommend using the Red Hat Enterprise Linux 5 and CentOS 5 operating systems. FreeRDP based servers are not affected by this issue. Please upgrade to the latest version, 4.0.0, if possible.

What is FreeRDP?

FreeRDP is a free implementation of RDP for Linux. FreeRDP is a new project with the goal to be a free replacement for Microsoft RDP (Remote Desktop Protocol). FreeRDP has been tested on various platforms and all builds are signed with our official key, so it can be used on Windows, Mac OS X, and Linux without any worries. FreeRDP 1.x is based on Red Hat's rexdm server while version 2.0 is based on rexdmn client/server.

Debian Bug

The Debian Project reports that FreeRDP, the software that provides remote desktop functionality to applications compatible with Microsoft Windows, is vulnerable to Remote Code Execution. This bug can be triggered by sending a specially crafted sequence of packets to the server. A similar vulnerability was reported in May 2017.
FreeRDP files are not included in Debian’s standard repositories and must be installed from an external source such as one of our own installation packages or the source code on our website.

Description

The latest version of FreeRDP is version 4.0.0, and it was released on September 30, 2018. The issue mentioned in the CVE-2022-39282 advisory is currently not fixed; however, it can be safely ignored, as there are no known exploitations or vulnerabilities at this time. If you want to upgrade to the latest version of FreeRDP, please follow these instructions:
Step 1: Install the `freerdp >= 4.0.0` package via `apt-get`
Step 2: Download the source code from our website and build it
Step 3: Keep in mind that it is not possible to downgrade to versions before 4.0.0

FreeRDP 4.0.0 - Authentication Bypass and Server Side Incognito Mode Bypass

FreeRDP 4.0.0 is affected by a vulnerability that allows unauthorized connections to the server and client side incognito mode bypass through the use of a single packet length field attack.

FreeRDP 4.0.0 Released -- Important!

FreeRDP 4.0.0 is released; please upgrade to the latest version, 4.0.0, by installing the `freerdp >= 4.0.0` package via `apt-get`. FreeRDP based servers are not affected by this issue and should continue to work as before, as we have carefully tested them in our internal networks.

Timeline

Published on: 10/12/2022 23:15:00 UTC
Last modified on: 10/31/2022 04:15:00 UTC