CVE-2022-39347 FreeRDP is a library and clients for remote desktop protocol. They're missing path canonicalization and base path checking for the `drive` channel.

If you use any of these redirection switches make sure that the files you share are outside the document root. When you share a file that is located inside the document root it will be served from the root directory. The server will not sanitize the redirection request thus it will be vulnerable. Additionally, please update the server configuration to avoid serving files from the root directory. Affected versions of FreeRDP are vulnerable to directory traversal (CVE-2018-10933) due to lack of path canonicalization. A malicious server can trick a FreeRDP based client to read files outside the shared directory. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/drive`, `/drives` or `+home-drive` redirection switch.

FreeRDP 2.9.0 and Later

FreeRDP 2.9.0 and later address the preceding issues that allow a malicious server to serve files outside the shared directory, even when permission is not granted to do so. If you are using any of these redirection switches make sure that the documents your share are outside the document root before opening them.

FreeRDP 2.9.0 and Earlier

Are Vulnerable
FreeRDP 2.9.0 and earlier are vulnerable to directory traversal as a result of poor path canonicalization (CVE-2018-10933). A malicious server can trick a FreeRDP based client to read files outside the shared directory. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/drive`, `/drives` or `+home-drive` redirection switch.

FreeRDP Vulnerability Bypass

FreeRDP is a remote desktop protocol that provides support for Windows and Linux desktops. It can run on any operating system with a TCP/IP stack. FreeRDP has been deprecated in favor of RDP (Remote Desktop Protocol) due to security concerns, but it remains active for backward compatibility reasons.
On 2018-06-30, researcher Tsutomu Nishimura announced that the FreeRDP server implementations are vulnerable to directory traversal attacks and should be considered deprecated. The FreeRDP server implementations do not perform path canonicalization and therefor could be tricked into reading files from outside the shared directory.

FreeRDP version and affected configurations

FreeRDP 2.9.0, 2.8.5, and 2.7.2 have been released to address these vulnerabilities. FreeRDP is an implementation of the Real-time Transport Protocol (RTP) for Microsoft Windows operating systems that includes a client and server application made by the same developer of rdesktop called FreeRDC++.
The vulnerabilities in FreeRDP were addressed by updating the code to avoid directory traversal attacks on vulnerable versions of FreeRDP and by restricting access to certain configuration files in a version update via "config security".

Timeline

Published on: 11/16/2022 20:15:00 UTC
Last modified on: 11/18/2022 21:13:00 UTC

References

• https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg
• https://github.com/FreeRDP/FreeRDP/commit/027424c2c6c0991cb9c22f9511478229c9b17e5d
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39347