FreeRDP is a widely-used, open-source Remote Desktop Protocol (RDP) client found in many Linux systems, thin clients, and remote administration setups. In early 2024, CVE-2024-32039 was discovered in FreeRDP, exposing a critical vulnerability that could let attackers gain control over affected systems. This post will break down how the bug works, why it’s dangerous, and what you can do about it.
What is CVE-2024-32039?
CVE-2024-32039 describes an integer overflow leading to out-of-bounds writes in FreeRDP before versions 3.5. or 2.11.6. If exploited, an attacker could run code on a client machine merely by getting a user to connect to a malicious RDP server.
The issue happens during processing of the GFX (graphics pipeline) channel, commonly used for high-performance desktop remoting.
- *Most* clients are affected because the vulnerable GFX pipeline is enabled by default
- No need for credentials or auth bypass
Technical Deep Dive: The Vulnerability
When parsing RDP GFX data or certain bitmap packets, FreeRDP must allocate memory for graphics surfaces or decompress image data. The vulnerable code didn’t properly check if calculations would overflow 32-bit or 64-bit arithmetic. If a server sends carefully crafted values, the result can “wrap around” in a way that makes FreeRDP allocate a buffer that’s too small. Data is then written past the end of this short buffer — the classic setup for RCE.
Code Walkthrough
Below is a simplified and annotated version of the affected code area (this is *not* the real code, just a comparable illustration):

```c
// Pseudocode for vulnerable allocation in GFX pipeline
UINT32 width  = packet->width;   // Value sent by the server
UINT32 height = packet->height;  // Value sent by the server
UINT32 bpp    = 32;              // 32 bits per pixel, hardcoded or negotiated

UINT32 bytes_per_row = width * (bpp / 8);
// * Bug: No check for overflow on multiplication *
UINT32 total_bytes = height * bytes_per_row;
// * Bug: No check for overflow on multiplication *

BYTE* buffer = malloc(total_bytes);
// ... then, use buffer as if it's 'width * height * 4' bytes
// If attacker uses huge width/height, total_bytes wraps around,
// buffer is too small, and writes corrupt memory!
```
With big enough width and height, those multiplications can overflow, making the buffer very small, and allowing out-of-bounds writes that attackers can exploit.
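As an added example (constructed for this post, not FreeRDP's own code), here is the same unchecked size arithmetic beside a hardened version that bounds the dimensions and multiplies with overflow detection before anything is allocated; MAX_SURFACE_DIM is an assumed placeholder limit, not a value from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* Constructed illustration, not FreeRDP's own code: the vulnerable size
 * arithmetic from the pseudocode above, next to a hardened version. */

/* Assumed sanity limit on a surface dimension (placeholder, not from the page). */
#define MAX_SURFACE_DIM 16384u

/* Mirrors the bug: 32-bit multiplies with no check, so the result can wrap. */
static uint32_t surface_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t bytes_per_row = width * (bpp / 8);   /* can wrap */
    return height * bytes_per_row;                /* can wrap again */
}

/* Hardened: bound both dimensions before any arithmetic, then multiply in
 * size_t with __builtin_mul_overflow (GCC/Clang) as defence in depth, so the
 * check stays right even if MAX_SURFACE_DIM is raised later.
 * Returns false on rejection; *out receives the exact size on success. */
static bool surface_size_checked(uint32_t width, uint32_t height, uint32_t bpp,
                                 size_t *out)
{
    size_t row, total;
    if (width == 0 || height == 0 ||
        width > MAX_SURFACE_DIM || height > MAX_SURFACE_DIM)
        return false;
    if (bpp == 0 || bpp > 32 || bpp % 8 != 0)
        return false;
    if (__builtin_mul_overflow((size_t)width, (size_t)(bpp / 8), &row))
        return false;
    if (__builtin_mul_overflow(row, (size_t)height, &total))
        return false;
    *out = total;
    return true;
}

/* Exact size, or 0 when the packet is rejected. */
static size_t surface_size_or_zero(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n = 0;
    return surface_size_checked(width, height, bpp, &n) ? n : 0;
}

/* Allocation gated by the check: a rejected packet never reaches the allocator. */
static uint8_t *alloc_surface(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n = surface_size_or_zero(width, height, bpp);
    return n ? (uint8_t *)calloc(n, 1) : NULL;
}
```

With width 0x40000001 and height 1 the unchecked version yields a 4-byte buffer, while the checked version rejects the packet before any allocation.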
CVE Reference:
- NVD CVE-2024-32039
- Official FreeRDP advisory (replace with actual link once public)
- Commit patching the bug (Github) (forthcoming; reference when available)
Exploitation Example
Attackers can set up a malicious RDP server using tools like xrdp or even custom open-source code, and lure victims with FreeRDP clients to connect. Sending a bitmap cache packet or GFX surface like this can trigger the overflow:
```text
# Pseudocode for an evil packet (crafted for exploit)
width  = 0xFFFFFFF   # very large width
height = 0xFFFFFFF   # very large height
bpp    = 32
# This value causes the length calculation to wrap to a tiny value
# but FreeRDP will still write width * height * 4 worth of data!
```
A real-world exploit may chain this bug with heap-spraying and ROP gadgets to get remote code execution.
One PoC (not public, but based on advisories) just crafts a GFX_SURFACE command with big fields. Anyone connecting with a vulnerable xfreerdp or its wrappers is instantly compromised.
Upgrade immediately to:

- FreeRDP 3.5. (latest main branch as of May 2024)
- FreeRDP 2.11.6 (LTS/older series)
If you use packages maintained by your OS vendor (like Debian, Ubuntu, Fedora), check for security updates (apt upgrade, dnf upgrade, etc.).
Disable advanced graphics (/gfx), or set safe display options
When launching xfreerdp, do NOT enable /gfx, /rfx, or advanced codecs. These are on by default.
Safe command:

```shell
xfreerdp /v:target.server.local /bpp:32
```

or

```shell
xfreerdp /v:target.server.local /rfx
```
But be aware: /rfx may also be vulnerable depending on defaults. Best is to upgrade.
Block untrusted servers
Never connect to unknown or suspicious RDP servers. Attackers must control the server to exploit the bug.
Check your FreeRDP version
```shell
xfreerdp --version
# Output should be >= 3.5., or >= 2.11.6 for LTS
```
If your distro doesn’t have these, either build from source or ask your OS vendor for the security update.
Summary Table
| Version | Vulnerable? | Patch? | Workarounds |
|-------------------|-------------|------------|------------------------|
| < 2.11.6 | YES | NO | Disable /gfx |
| = 2.11.6 | NO | YES | N/A |
| < 3.5. | YES | NO | Disable /gfx |
| = 3.5. | NO | YES | N/A |
Final Thoughts
This kind of bug in a core protocol client like FreeRDP is extremely dangerous — it allows invisible attacks from any server. Make sure you’re on a patched version, or at least disable all advanced bitmap and graphics features until you upgrade.
Stay safe, and check the following links for more technical references and official updates!
- NVD CVE-2024-32039
- FreeRDP Advisories (GitHub)
- FreeRDP Releases and Changelog
Timeline
Published on: 04/22/2024 21:15:49 UTC
Last modified on: 06/10/2024 18:15:32 UTC