Akallabeth

Name of the Vulnerable Software and Affected Versions: FreeRDP versions prior to 3.5.1 Description: The issue is related to a null pointer dereference. Exploitation of this issue may allow a remote attacker to cause a denial of service. FreeRDP is a free implementation of the Remote Desktop Protocol. The issue is associated with a possible `NULL` access and crash. Recommendations: For versions prior to 3.5.1, update to version 3.5.1, which contains a patch for the issue. As a temporary workaround, consider restricting the use of the RDP client until a patch is applied. No other workarounds are available.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.9.0 **Description** The issue is related to an out of bound read in the ZGFX decoder component of FreeRDP. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it, likely resulting in a crash. The vulnerability can be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions prior to 2.9.0, upgrade to version 2.9.0 or later to address the issue. As a temporary workaround, consider restricting access to the ZGFX decoder component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.9.0 **Description** The issue is related to missing input length validation in the `urbdrc` channel of the FreeRDP library. A malicious server can exploit this to trick a FreeRDP-based client into reading out-of-bound data and sending it back to the server. This could allow an attacker to gain unauthorized access to protected information or cause a denial of service. **Recommendations** For versions prior to 2.9.0, upgrade to version 2.9.0 or later to address the issue. As a temporary workaround for users unable to upgrade, do not use the `/usb` redirection switch to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.7.0 **Description** The issue is related to the implementation of the NTLM protocol in the FreeRDP RDP client, which is associated with shortcomings in the authentication procedure. This can allow a remote attacker to disclose protected information when an empty password value is provided. The vulnerability affects FreeRDP-based RDP Server implementations, but RDP clients are not affected. **Recommendations** For versions prior to 2.7.0, update to FreeRDP 2.7.0 to resolve the issue. As a temporary workaround, consider restricting access to the NTLM authentication mechanism until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.7.0 **Description** The issue is related to the authentication procedure in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). Server-side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. This affects RDP server implementations using FreeRDP to authenticate against a `SAM` file, but FreeRDP-based clients are not affected. **Recommendations** For versions prior to 2.7.0, update to version 2.7.0 to resolve the issue. As a temporary workaround, consider using custom authentication via `HashCallback` and/or ensure the `SAM` database path configured is valid and the application has file handles left.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.4.1 **Description** The issue is related to out of bound writes in a connected client. A malicious server might trigger this by sending `0` width/height or out of bound rectangles to the client using GDI or SurfaceCommands for graphics updates. This results in missing bounds checks, allowing writes to unallocated memory regions. **Recommendations** For versions prior to 2.4.1, update to FreeRDP 2.4.1 to resolve the issue. As a temporary workaround, consider restricting access to GDI or SurfaceCommands until the update is applied. Avoid using connections with `0` width/height or out of bound rectangles in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.1.2 **Description** The issue is related to a use-after-free error in the gdi SelectObject component of the FreeRDP protocol implementation. This error occurs when memory is accessed after it has been freed. Exploitation of this issue could allow a remote attacker to cause a denial of service. All FreeRDP clients using compatibility mode with the /relax-order-checks option are affected. **Recommendations** For FreeRDP versions prior to 2.1.2, update to version 2.1.2 to resolve the issue. As a temporary workaround, consider disabling the compatibility mode with /relax-order-checks to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to the commit with ID 205c612820dac644d665b5bb1cdf437dc5ca01e3 **Description** The issue allows an RDP server to read the client's memory. This can occur when the client connects to the RDP server with the `echo` option. The vulnerability is located in the `drdynvc process capability request` function in the `channels/drdynvc/client/drdynvc main.c` file. **Recommendations** To resolve the issue, update FreeRDP to a version after the commit with ID 205c612820dac644d665b5bb1cdf437dc5ca01e3. As a temporary workaround, consider avoiding the use of the `echo` option when connecting to RDP servers until a patch is available. Restrict access to the `drdynvc process capability request` function in the `drdynvc main.c` file to minimize the risk of exploitation.