FreeRDP is an open-source implementation of the Remote Desktop Protocol (RDP) that is embedded in many client-server and remote access applications. A recently disclosed high-severity vulnerability, CVE-2022-39319, allows a malicious RDP server to make a FreeRDP-based client read out-of-bounds memory and return it to the server. This article looks at the vulnerability, its root cause, how it can be exploited, and how to address it.

Affected Versions

The vulnerability affects FreeRDP versions before 2.9.0. Users of affected versions should upgrade to 2.9.0 or later, or apply the mitigation described later in this article.

Root Cause and Exploitation Details

The urbdrc channel, FreeRDP's dynamic virtual channel for USB device redirection (enabled on the client with the /usb switch), lacked validation of server-supplied input lengths. A malicious server exploits this by persuading a victim to connect to it with a FreeRDP-based client that has USB redirection enabled. Once the channel is up, the server sends crafted urbdrc messages whose length fields exceed the data actually delivered; the client reads past the end of its receive buffer and includes the out-of-bounds bytes in its response, disclosing client memory to the server.

Here is a simplified snippet illustrating the affected pattern in the FreeRDP library (types follow the WinPR/FreeRDP stream API; the function body is an illustration of the bug, not the verbatim source):

UINT urbdrc_process_channel_data(IWTSVirtualChannelCallback* pChannelCallback, wStream* data)
{
    UINT32 channelId;
    UINT32 dataLen;
    BYTE* pBuffer;
    // ...
    // No check that the stream still holds 8 bytes before the fixed-size reads
    Stream_Read_UINT32(data, channelId);
    Stream_Read_UINT32(data, dataLen);   // dataLen is server-controlled
    pBuffer = Stream_Pointer(data);
    // dataLen is used to process pBuffer without confirming that
    // Stream_GetRemainingLength(data) >= dataLen
    // ...
}

In the code above, dataLen is read straight from the input stream and trusted. Nothing confirms that the stream actually contains dataLen more bytes, so a server can send a message whose dataLen exceeds the delivered payload and the client will read past the end of its buffer. The fix is to reject the message when Stream_GetRemainingLength(data) is smaller than dataLen, and to check the remaining length before every fixed-size header read as well.
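To make the failure concrete, the following added example (written for this article; it is not FreeRDP code) models the vulnerable pattern beside its hardened form. It uses a minimal stream cursor standing in for WinPR's wStream and an assumed toy PDU layout (channelId, dataLen, payload, all little-endian); the constructed sample PDUs are not captured traffic. The unchecked parser performs a dry run: rather than dereferencing past the buffer, it reports how many bytes beyond the received data a consumer of the payload would read, which is the quantity that ends up disclosed to the server.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example; not FreeRDP code. A minimal cursor over a receive buffer,
 * standing in for WinPR's wStream. PDU layout is assumed for illustration:
 * channelId (LE32), dataLen (LE32), then dataLen bytes of payload. */
typedef struct {
    const uint8_t *buf;
    size_t len;   /* bytes actually received from the server */
    size_t pos;   /* read cursor */
} stream_t;

static size_t stream_remaining(const stream_t *s) { return s->len - s->pos; }

static uint32_t read_u32_le(stream_t *s) {
    const uint8_t *p = s->buf + s->pos;
    s->pos += 4;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

typedef struct {
    uint32_t channel_id;
    uint32_t data_len;
    const uint8_t *payload;
} pdu_t;

/* Vulnerable pattern, dry run: trusts dataLen like the pre-2.9.0 code and
 * returns how many bytes past the received data a consumer of `payload`
 * would read (0 when the PDU is consistent). Only the 8-byte header is
 * dereferenced, so callers must supply at least 8 bytes. */
static size_t unchecked_overread(const uint8_t *buf, size_t len, pdu_t *out) {
    stream_t s = { buf, len, 0 };
    out->channel_id = read_u32_le(&s);
    out->data_len   = read_u32_le(&s);
    out->payload    = buf + s.pos;
    size_t avail = stream_remaining(&s);
    return out->data_len > avail ? (size_t)out->data_len - avail : 0;
}

/* Hardened form: every server-controlled length is checked against the
 * bytes remaining in the stream before it is trusted. In FreeRDP the
 * equivalent query is Stream_GetRemainingLength(s). Returns 0 on success,
 * -1 for a truncated header, -2 for a dataLen larger than the remaining data. */
static int parse_pdu_checked(const uint8_t *buf, size_t len, pdu_t *out) {
    stream_t s = { buf, len, 0 };
    if (stream_remaining(&s) < 8)
        return -1;
    out->channel_id = read_u32_le(&s);
    out->data_len   = read_u32_le(&s);
    if (stream_remaining(&s) < out->data_len)
        return -2;
    out->payload = buf + s.pos;
    return 0;
}

/* Constructed sample PDUs (not captured traffic). */
static const uint8_t VALID_PDU[] = {
    0x01, 0x00, 0x00, 0x00,   /* channelId = 1 */
    0x04, 0x00, 0x00, 0x00,   /* dataLen   = 4 */
    'A', 'B', 'C', 'D'
};
static const uint8_t MALICIOUS_PDU[] = {
    0x01, 0x00, 0x00, 0x00,   /* channelId = 1 */
    0x00, 0x10, 0x00, 0x00,   /* dataLen   = 0x1000, but only 4 bytes follow */
    'A', 'B', 'C', 'D'
};

int main(void) {
    pdu_t p;
    printf("valid:     checked=%d overread=%zu\n",
           parse_pdu_checked(VALID_PDU, sizeof VALID_PDU, &p),
           unchecked_overread(VALID_PDU, sizeof VALID_PDU, &p));
    printf("malicious: checked=%d overread=%zu\n",
           parse_pdu_checked(MALICIOUS_PDU, sizeof MALICIOUS_PDU, &p),
           unchecked_overread(MALICIOUS_PDU, sizeof MALICIOUS_PDU, &p));
    return 0;
}
```

The malicious PDU carries only 4 payload bytes but claims 0x1000, so the unchecked parser would have the client read 4092 bytes of whatever follows the receive buffer; the checked parser rejects it before any payload is touched. The same rule applies to the fixed-size header reads: a 5-byte message is rejected rather than read.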

Mitigation

To address this issue, FreeRDP released version 2.9.0, which adds the missing input length validation to the urbdrc channel. Upgrading to FreeRDP 2.9.0 or later is strongly recommended. The release is:

FreeRDP 2.9.0 Release

For users who cannot upgrade, the following mitigation should be applied:

- Do not use the /usb redirection switch when connecting to an untrusted or unknown RDP server. The urbdrc channel is only loaded when USB redirection is requested, so omitting /usb removes the vulnerable code path from the connection. This protects only against this channel's flaw and is not a substitute for upgrading.

Conclusion

CVE-2022-39319 is a high-severity vulnerability in FreeRDP's urbdrc channel that lets a malicious server make a FreeRDP client read out-of-bounds memory and send it back. Users should upgrade to FreeRDP 2.9.0 or later, or at minimum avoid USB redirection to servers they do not trust. Server-supplied lengths in any RDP channel must be checked against the data actually received before they are used.

Timeline

Published on: 11/16/2022 21:15:00 UTC
Last modified on: 11/18/2022 18:57:00 UTC