Bug 30392 - freerdp new security issues CVE-2022-2488[23]
Summary: freerdp new security issues CVE-2022-2488[23]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-05-07 21:46 CEST by David Walser
Modified: 2022-10-24 00:49 CEST (History)
4 users (show)

See Also:
Source RPM: freerdp-2.2.0-1.1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2022-05-07 21:46:18 CEST
Fedora has issued an advisory today (May 7):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AELSWWBAM2YONRPGLWVDY6UNTLJERJYL/

The issues are fixed upstream in 2.7.0.
David Walser 2022-05-07 21:46:34 CEST

Status comment: (none) => Fixed upstream in 2.7.0

Comment 1 Lewis Smith 2022-05-09 21:58:44 CEST
We recently have 2.7.0 in Cauldron, done by tv. Assigning to you because you have done the most recent updates to freerdp; despite DavidG being the registered maintainer, but no activity by him on this for more than a year.

Assignee: bugsquad => thierry.vignaud

Comment 2 David Walser 2022-06-08 18:45:59 CEST
Ubuntu has issued an advisory for this on June 6:
https://ubuntu.com/security/notices/USN-5461-1
Comment 3 David Walser 2022-07-11 19:36:09 CEST
openSUSE has issued an advisory for this today (July 11):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3XAZEK5W555DLYFBAHQKYWZRJ4CADMBX/
Comment 4 Nicolas Salguero 2022-10-19 15:46:10 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). In versions prior to 2.7.0, NT LAN Manager (NTLM) authentication does not properly abort when someone provides and empty password value. This issue affects FreeRDP based RDP Server implementations. RDP clients are not affected. The vulnerability is patched in FreeRDP 2.7.0. There are currently no known workarounds. (CVE-2022-24882)

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure the `SAM` database path configured is valid and the application has file handles left. (CVE-2022-24883)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24882
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24883
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AELSWWBAM2YONRPGLWVDY6UNTLJERJYL/
https://ubuntu.com/security/notices/USN-5461-1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3XAZEK5W555DLYFBAHQKYWZRJ4CADMBX/
========================

Updated packages in core/updates_testing:
========================
freerdp-2.2.0-1.2.mga8
lib(64)freerdp2-2.2.0-1.2.mga8
lib(64)freerdp-devel-2.2.0-1.2.mga8

from SRPM:
freerdp-2.2.0-1.2.mga8.src.rpm

CC: (none) => nicolas.salguero
Assignee: thierry.vignaud => qa-bugs
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.7.0 => (none)

Comment 5 Brian Rockwell 2022-10-20 19:37:47 CEST
GNOME client, Plasma using VBox

The following 2 packages are going to be installed:

- freerdp-2.2.0-1.2.mga8.x86_64
- lib64freerdp2-2.2.0-1.2.mga8.x86_64

88B of additional disk space will be used.


xfreerdp /size:1200x750 
xfreerdp /f

Neither parameter is working to expand the screen.

sending feedback

Whiteboard: (none) => feedback
CC: (none) => brtians1

Comment 6 David Walser 2022-10-20 23:36:33 CEST
Is this a regression?
Comment 7 Brian Rockwell 2022-10-21 01:28:09 CEST
nope - guess not.  

Same issue on prior version and on Xfce.  So it works as it did before.

removing feedback.

Whiteboard: feedback => (none)

Comment 8 Dave Hodgins 2022-10-21 01:36:02 CEST
I'm not sure if it's supposed to allow mouse/keyboard interaction with the
remote system or just to view the remote desktop.

On my rp4 system ...
[dave@rp4 ~]$ freerdp-shadow-cli /port:3984 /monitors:0

On my main system ...
[dave@x3 ~]$ xfreerdp /v:rp4.hodgins.homeip.net:3984 -u:dave -p:<munged>

I can view the rp4 desktop, but with no mouse or keyboard impact on it as I
have with vncviewer, likely due to my lack of knowledge.

These are not regressions as I have the same with either the testing version
or the prior version.

Validating the update as I think this is ok.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Brian Rockwell 2022-10-21 01:41:54 CEST
mouse and keys work on my systems.  

I'm good with validating.
Comment 10 Dave Hodgins 2022-10-21 02:11:29 CEST
What parameters did you use to enable the mouse/keyboard?
Comment 11 Brian Rockwell 2022-10-21 15:46:45 CEST
It just worked.  I did use xfreerdp /f  <ip:port>
Comment 12 Dave Hodgins 2022-10-23 23:33:24 CEST
I'm using synergy between the two systems as well as sshfs, so it's likely
something in my configurations that's interfering. As it's working for Brian
and not a regression for me, I agree with the validation.

Committing the advisory to svn.

Keywords: (none) => advisory

Comment 13 Mageia Robot 2022-10-24 00:49:46 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0383.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.