In late 2022, security researchers found a serious bug in FreeRDP—a widely-used open source library that helps computers connect remotely using the RDP (Remote Desktop Protocol). If you use tools or software that let you connect to Windows desktops remotely, there’s a good chance FreeRDP is quietly working behind the scenes.

The problem? Certain versions of FreeRDP had a missing range check—meaning the program didn’t double-check if some numbers were safe—inside the part of its code that handles compressing and decompressing images, called the ZGFX decoder. In simple words, a hacker who controls an RDP server can send specially made data to a FreeRDP-based client, making it read memory it shouldn’t. That could leak private info, crash the program, or possibly help take over the machine.

Let’s dive in and see how it happened, how it was fixed, and what you should do.

What is FreeRDP and Why Does This Matter?

FreeRDP lets computers connect to Windows desktops or servers using the RDP protocol. It’s used in many remote desktop clients for Linux, macOS, and more. If you’re connecting to your office desktop from home, you might use FreeRDP under the hood, even if you don’t know it!

The ZGFX Decoder is part of the code that helps compress (and decompress) images, so stuff can be sent over the network faster. FreeRDP needs to turn that data back into pictures you see.

If there’s a bug in how FreeRDP reads those images, a hacker could send bad data that makes FreeRDP “look” where it shouldn’t in computer memory. That’s an *out-of-bounds* read.

How the Bug Works (Simplified)

Here’s a simplified look at the real C code (from the commit fixing the bug) before it was fixed:

// Old code (simplified for illustration)
index = ReadUInt16(); // gets offset index from incoming data
offset = offsets[index]; // no check if index is valid!

Notice offset = offsets[index]? The code never checks if index is actually inside the bounds of the offsets array! So, if the server sends a really big (or negative) number, FreeRDP could try reading memory where it shouldn’t.

Crash: If the free memory is touched, the program may crash outright (Denial of Service).

- Information Leak: If the “rogue” memory has private info (like passwords or encryption keys), it could leak to the attacker.
- Potential Code Execution: Sometimes, out-of-bounds bugs can be chained with others to actually run code on your machine, but no direct exploit of this type has been published for this bug at the time of writing.

Your FreeRDP client reads an invalid memory area.

5. Crash, or leak: The attacker observes a crash, or (in some cases), manages to extract bytes from your device’s memory.

The Official Fix

The FreeRDP team fixed this in version 2.9. (October 2022).

Here’s what the code looks like *after* the fix

// New code (simplified)
index = ReadUInt16();
if(index < offsets_count) {
    offset = offsets[index];
} else {
    // Handle error! Don't read out of bounds.
}

Now, FreeRDP carefully checks that index is inside proper bounds before using it. This stops the attacker’s trick.

Download at least version 2.9. (released October 2022) or newer.

- FreeRDP releases

Check your software:

If you use a Linux remote desktop client, search their info/about page to see if they use FreeRDP; ask the maintainers for a patched version.

Use TLS and verify servers:

Only connect to trusted RDP servers; attackers must control the server (or perform a man-in-the-middle attack) to exploit this.

NO: There are no partial fixes or workarounds. You must update!

More Resources

- GitHub Advisory page: CVE-2022-39317
- FreeRDP security analysis and issue tracking
- NVD entry for CVE-2022-39317

Conclusion

CVE-2022-39317 is a classic example of how a single missing check in code can open up a big security hole—especially in networked software like remote desktop. Even though this is a technical flaw that only affects certain situations, the fix is simple: update FreeRDP or your remote desktop client as soon as possible.

If you’re a developer or sysadmin, double-check that your systems aren’t still using an old version. If you’re a regular user, ask your IT team or look for updates in your remote desktop software.

Timeline

Published on: 11/16/2022 21:15:00 UTC
Last modified on: 01/25/2023 19:56:00 UTC