Bmiklautz

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.9.0 **Description** The issue is related to insufficient input validation in the `urbdrc` channel of the FreeRDP remote desktop protocol implementation, which can lead to a division by zero error. This can be exploited by a remote attacker to cause a denial of service by crashing the client. A malicious server can trick a FreeRDP-based client into crashing with a division by zero error. **Recommendations** For versions prior to 2.9.0, upgrade to version 2.9.0 to address the issue. If an upgrade is not possible, do not use the `/usb` redirection switch as a temporary workaround to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.9.0 **Description** The issue is related to a lack of input length validation in the `drive` channel of the FreeRDP protocol implementation. This can be exploited by a malicious server to trick a FreeRDP-based client into reading out of bound data and sending it back to the server, potentially allowing unauthorized access to protected information or causing a denial of service. The vulnerability can be exploited by sending data back to the server using command line options `/drive`, `+drives`, or `+home-drive`. **Recommendations** For versions prior to 2.9.0, upgrade to version 2.9.0 or later to address the issue. As a temporary workaround for users unable to upgrade, do not use the drive redirection channel - command line options `/drive`, `+drives`, or `+home-drive`.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.9.0 **Description** The issue is related to the missing path canonicalization and base path check for the `drive` channel in FreeRDP, allowing a malicious server to trick a FreeRDP-based client into reading files outside the shared directory. This can enable a remote attacker to gain unauthorized access to protected information. Users unable to upgrade should avoid using the `/drive`, `/drives`, or `+home-drive` redirection switch to minimize the risk. **Recommendations** For versions prior to 2.9.0, upgrade to version 2.9.0 or later to address the issue. As a temporary workaround, consider not using the `/drive`, `/drives`, or `+home-drive` redirection switch until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.2.0 **Description** The issue is related to an integer overflow in the rdpegfx channel due to missing input sanitation. This allows a malicious server to send data that can crash the client later on by providing invalid length arguments to a `memcpy` function. All FreeRDP clients are affected. The vulnerability can be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions prior to 2.2.0, as a temporary workaround, consider stopping the use of command line arguments /gfx, /gfx-h264, and /network:auto until a patch is available. Update to version 2.2.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions 2.0.0 and earlier **Description** The issue is related to an out-of-bound read in the `ntlm read NegotiateMessage` function. This has been fixed in version 2.1.0. **Recommendations** For FreeRDP versions 2.0.0 and earlier, update to version 2.1.0 to resolve the issue. As a temporary workaround, consider restricting access to the `ntlm read NegotiateMessage` function until the update is applied.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions 2.0.0 and earlier **Description** The issue is related to an out-of-bound read in the `ntlm read AuthenticateMessage` function. This has been fixed in version 2.1.0. **Recommendations** For FreeRDP versions 2.0.0 and earlier, update to version 2.1.0 to resolve the issue. As a temporary workaround, consider restricting access to the `ntlm read AuthenticateMessage` function until the update is applied.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions 2.0.0 and earlier **Description** The issue is related to a double free condition error in the FreeRDP protocol implementation. By providing manipulated input, a malicious client can create this condition, potentially allowing a remote attacker to cause a denial of service, crashing the server. **Recommendations** For FreeRDP versions 2.0.0 and earlier, update to version 2.1.0 to resolve the issue. As a temporary workaround, consider restricting access to the server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.1.0 **Description** The issue is related to an out-of-bounds read in the `cliprdr read format list` function. This can cause the clipboard format data to be read out-of-bounds, potentially by either the client or the server. **Recommendations** For versions prior to 2.1.0, update to version 2.1.0 to resolve the issue. As a temporary workaround, consider restricting access to the `cliprdr read format list` function until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions 2.0.0 and earlier **Description** A possible resource exhaustion issue exists due to out of bound reads, potentially allowing malicious clients to trigger memory allocation with random size, leading to a denial of service. This issue has been fixed in version 2.1.0. **Recommendations** For FreeRDP versions 2.0.0 and earlier, update to version 2.1.0 to resolve the issue. As a temporary workaround, consider restricting access to the FreeRDP service until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions 1.0 through 2.0.0-rc4 **Description** The issue is related to an out-of-bounds read in the `libfreerdp/gdi/gdi.c` file of FreeRDP. This can potentially allow a remote attacker to gain unauthorized access to protected information. **Recommendations** For versions 1.0 through 2.0.0-rc4, consider updating to a version that contains a fix for this issue, as the current version has an out-of-bounds read that can be exploited. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions > 1.0 through 2.0.0-rc4 **Description** The issue is related to an out-of-bounds write operation in the memory buffer of the FreeRDP client. This can be exploited by a remote attacker to cause a denial of service. The problem is specifically located in the `libfreerdp/codec/interleaved.c` file. **Recommendations** For FreeRDP versions > 1.0 through 2.0.0-rc4, consider disabling the affected `interleaved.c` codec until a patch is available to prevent potential exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions > 1.0 through 2.0.0-rc4 **Description** The issue is caused by an integer overflow in the `update recv order` function of the FreeRDP RDP client, which can allow a remote attacker to gain unauthorized access to protected information. **Recommendations** For FreeRDP versions > 1.0 through 2.0.0-rc4, consider updating to a version that fixes the integer overflow issue in the `libfreerdp/gdi/region.c` file. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions less than or equal to 2.0.0 **Description** The issue arises from an outside controlled array index being used unchecked for data used as configuration for the sound backend, such as alsa, oss, or pulse. This could lead to a crash of the client instance, resulting in no or distorted sound, or a session disconnect. **Recommendations** For versions less than or equal to 2.0.0, update to version 2.1.0 to resolve the issue. As a temporary workaround for users who cannot upgrade to the patched version, consider disabling sound for the session to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions 1.1 through 1.9 **Description** The issue involves an out-of-bound read of client memory that is then passed on to the protocol parser. This has been patched in version 2.0.0. **Recommendations** For versions 1.1 through 1.9, update to version 2.0.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions 1.1 through 1.9 **Description** A stream out-of-bounds seek in `rdp read font capability set` could lead to a later out-of-bounds read. As a result, a manipulated client or server might force a disconnect due to an invalid data read. **Recommendations** For FreeRDP versions 1.1 through 1.9, update to version 2.0.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.1.0 **Description** The issue is caused by an integer overflow in the implementation of the FreeRDP protocol, allowing a remote attacker to impact the confidentiality and integrity of protected information. When using a manipulated server with USB redirection enabled, nearly arbitrary memory can be read and written due to integer overflows in length checks. **Recommendations** For versions prior to 2.1.0, update to version 2.1.0 or later to resolve the issue. As a temporary workaround, consider disabling USB redirection until a patch is available. Restrict access to the vulnerable `FreeRDP` protocol to minimize the risk of exploitation. Avoid using the vulnerable `length checks` function in the affected `FreeRDP` protocol until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.1.0 **Description** The issue is caused by an integer overflow in size calculation when using /video redirection, allowing a manipulated server to instruct the client to allocate a buffer with a smaller size than requested. The server can then manipulate the client to write data out of bounds to the previously allocated buffer. This can potentially impact the confidentiality, integrity, and availability of protected information. **Recommendations** For FreeRDP versions prior to 2.1.0, update to version 2.1.0 or later to resolve the issue. As a temporary workaround, consider disabling the /video redirection feature until a patch is available. Restrict access to the vulnerable client to minimize the risk of exploitation. Avoid using the affected /video redirection functionality in the client until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.1.0 **Description** The issue is related to an out-of-bounds read in the `rfx process message tileset` function of the FreeRDP implementation of the remote desktop protocol. This can be exploited by a remote attacker to cause a denial of service. Invalid data fed to the RFX decoder results in garbage on the screen, such as random colors. **Recommendations** For FreeRDP versions prior to 2.1.0, update to version 2.1.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `rfx process message tileset` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions 2.0.0 and earlier **Description** The issue is related to an out-of-bound data read from memory in the `clear decompress subcode rlex` function, which can be visualized on screen as color. This can potentially allow a remote attacker to cause a denial of service. **Recommendations** For FreeRDP versions 2.0.0 and earlier, update to version 2.1.0 to resolve the issue. As a temporary workaround, consider restricting access to the `clear decompress subcode rlex` function until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 2.1.0 **Description** The issue is caused by a read of an invalid array index when FreeRDP is run with the logger set to "WLOG TRACE". This could lead to a possible application crash, and data could be printed as a string to a local terminal. The problem arises due to an out-of-bounds buffer read. **Recommendations** For FreeRDP versions prior to 2.1.0, update to version 2.1.0 to resolve the issue. As a temporary workaround, consider avoiding the use of the "WLOG TRACE" logger setting until the update is applied.