CVE Vulnerabilities

CVE-2020-15103

Integer Overflow to Buffer Overflow

Published: Jul 27, 2020 | Modified: Nov 07, 2023
CVSS 3.x
3.5
LOW
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
CVSS 2.x
3.5 LOW
AV:N/AC:M/Au:S/C:N/I:N/A:P
RedHat/V2
RedHat/V3
3.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Ubuntu
MEDIUM

In FreeRDP less than or equal to 2.1.2, an integer overflow exists due to missing input sanitation in rdpegfx channel. All FreeRDP clients are affected. The input rectangles from the server are not checked against local surface coordinates and blindly accepted. A malicious server can send data that will crash the client later on (invalid length arguments to a memcpy) This has been fixed in 2.2.0. As a workaround, stop using command line arguments /gfx, /gfx-h264 and /network:auto

Weakness

The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.

Affected Software

Name Vendor Start Version End Version
Freerdp Freerdp * 2.1.2 (including)
Freerdp Ubuntu bionic *
Freerdp Ubuntu trusty *
Freerdp Ubuntu xenial *
Freerdp2 Ubuntu bionic *
Freerdp2 Ubuntu focal *
Freerdp2 Ubuntu trusty *
Red Hat Enterprise Linux 8 RedHat freerdp-2:2.2.0-1.el8 *

References