Bug 21448 - freerdp new security issues CVE-2017-283[4-9]
Summary: freerdp new security issues CVE-2017-283[4-9]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK MGA5-32-OK
Keywords: advisory, validated_update
Depends on: 21427
Blocks:
Reported: 2017-08-04 22:45 CEST by David Walser
Modified: 2017-12-31 01:11 CET
CC List: 2 users

See Also:
Source RPM: freerdp-1.0.2-5.1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2017-08-04 22:45:04 CEST
+++ This bug was initially created as a clone of Bug #21427 +++

Fedora has issued an advisory today (July 31):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JNO6AUPEMWZQNGI7PEVPRUZD3OFNCQ4R/

Here's the Talos advisory:
http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html

The RedHat bugs have links to the upstream commits to fix the issues.

Debian has issued an advisory for this on August 1:
https://www.debian.org/security/2017/dsa-3923

Mageia 5 may be affected, and we may be able to get patches from Debian.
Comment 1 David Walser 2017-12-29 23:37:14 CET
Advisory:
========================

Updated freerdp packages fix security vulnerabilities:

An exploitable code execution vulnerability exists in the authentication
functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server
response can cause an out-of-bounds write resulting in an exploitable
condition. An attacker can compromise the server or use a man-in-the-middle
attack to trigger this vulnerability (CVE-2017-2834).

An exploitable code execution vulnerability exists in the RDP receive
functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server
response can cause an out-of-bounds write resulting in an exploitable
condition. An attacker can compromise the server or use a man-in-the-middle
attack to trigger this vulnerability (CVE-2017-2835).

An exploitable denial of service vulnerability exists within the reading of
proprietary server certificates in FreeRDP 2.0.0-beta1+android11. A specially
crafted challenge packet can cause program termination leading to a denial
of service condition. An attacker can compromise the server or use a
man-in-the-middle attack to trigger this vulnerability (CVE-2017-2836).

An exploitable denial of service vulnerability exists within the handling of
security data in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge
packet can cause program termination leading to a denial of service
condition. An attacker can compromise the server or use a man-in-the-middle
attack to trigger this vulnerability (CVE-2017-2837).

An exploitable denial of service vulnerability exists within the handling of
challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted
challenge packet can cause program termination leading to a denial of
service condition. An attacker can compromise the server or use a
man-in-the-middle attack to trigger this vulnerability (CVE-2017-2838,
CVE-2017-2839).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2839
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0336
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0337
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0338
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0339
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0340
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0341
http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JNO6AUPEMWZQNGI7PEVPRUZD3OFNCQ4R/
https://www.debian.org/security/2017/dsa-3923
========================

Updated packages in core/updates_testing:
========================
freerdp-1.0.2-5.2.mga5
libfreerdp1-1.0.2-5.2.mga5
libfreerdp-devel-1.0.2-5.2.mga5

from freerdp-1.0.2-5.2.mga5.src.rpm

Assignee: geiger.david68210 => qa-bugs

Comment 2 Lewis Smith 2017-12-30 16:19:05 CET
This one is not so simple. See:
 https://bugs.mageia.org/show_bug.cgi?id=13444  comments 5 & 8.
 https://bugs.mageia.org/show_bug.cgi?id=19482  comments 16-17

CC: (none) => lewyssmith

Comment 3 David Walser 2017-12-30 16:23:56 CET
Actually it should be pretty simple.  It's just like the xrdp update we just tested, except this is for the client side.  I advised using rdesktop as the client to test in the xrdp bug, but freerdp is another client that is just as valid.  For the server side, you can test it against a Mageia machine running xrdp or a Windows machine with RDP enabled.
Lewis Smith 2017-12-30 20:11:04 CET

CC: lewyssmith => (none)
Keywords: (none) => advisory

Comment 4 Len Lawrence 2017-12-30 20:42:17 CET
Having a go at this on mga5 64-bit.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2017-12-30 21:24:23 CET
First problem.  Where is xrdp?  I used it lately but now I cannot find how to install it.  Intending to set it up on the server side but madb cannot find an rpm for it.
Comment 6 Len Lawrence 2017-12-30 21:33:04 CET
Cancel that.  I found a machine with xrdp already installed and set it running.
However, it would be handy to know how to install it for future reference.
$ urpmq --whatprovides xrdp
No package named xrdp

??
Comment 7 Len Lawrence 2017-12-30 21:49:42 CET
After updating xfreerdp it was possible to log in to another machine and display a 1920x1200 desktop window.  The desktop was fully functional but firefox had to be closed on the server side before it could be launched as a startup application.  Composing this in the remote desktop window.

Since cut&paste does not work I had to use scp on the client to export the following text to the remote desktop.

Ports 3389/tcp, 3389/udp enabled at both ends.  Saw that port number somewhere and added UDP in case.

$ xfreerdp -T "Alienware X51" -g 1920x1200 belexeuli
connected to belexeuli:3389
creating directory /home/lcl/.freerdp/certs
unknown capability type 6
incorrect offset, type:0x06 actual:4 expected:5

Hoping this is sufficient to pass the update I am adding the 64-bit OK.

Whiteboard: (none) => MGA5-64-OK

Comment 8 David Walser 2017-12-30 22:03:16 CET
xrdp isn't in Mageia 5, that's why you don't find it there.
Comment 9 Len Lawrence 2017-12-30 22:33:34 CET
Thanks David.  That rings a bell.  I tried to build it locally for some forgotten bug, and failed.  The server side in the test above is Mageia 6.

Installed and updated freerdp in a Mageia 5 i586 virtualbox on a Mageia 6 system called vega.
In the vbox:
$ xfreerdp -T "Alienware X51" -g 1280x1024 belexeuli

That worked fine, window title as above.  The desktop functioned perfectly.  Double-clicking on a desktop icon for an NFS share brought up the file manager.  gkrellm was displaying local activities.  User written applications represented by icons in the Mate panel could be launched and ran properly.  One accessed a collection of movies and TV programmes hosted on vega, the host machine for the vbox and launched pavucontrol and vlc to play a menu selection.  That also worked fine, albeit at a very slow framerate.  If xfreerdp can handle such a three-way transaction then it definitely deserves a pass.

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Len Lawrence 2017-12-30 22:35:38 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2017-12-31 01:11:15 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0475.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
