CVE-2020-11047 - Out-of-bounds Read

Severity

75%

Complexity

39%

Confidentiality

60%

In FreeRDP after 1.1 and before 2.0.0, there is an out-of-bounds read in autodetect_recv_bandwidth_measure_results. A malicious server can extract up to 8 bytes of client memory with a manipulated message by providing a short input and reading the measurement result data. This has been patched in 2.0.0.

In FreeRDP after 1.1 and before 2.0.0, there is an out-of-bounds read in autodetect_recv_bandwidth_measure_results. A malicious server can extract up to 8 bytes of client memory with a manipulated message by providing a short input and reading the measurement result data. This has been patched in 2.0.0.

CVSS 3.1 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 2.0 Base Score 5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N).

CVSS 3.1 Base Score 5.9. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).

CVSS 2.0 Base Score 4.9. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:P).

Demo Examples

Out-of-bounds Read

CWE-125

In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method


               
}

                     
return value;// check that the array index is less than the maximum// length of the array

                           
value = array[index];// get the value at the specified index of the array
// if array index is invalid then output error message// and return value indicating error
value = -1;

However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in a out of bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.


               
...// check that the array index is within the correct// range of values for the array

Overview

Type

Canonical Ubuntu Linux

First reported 4 years ago

2020-05-07 20:15:00

Last updated 4 years ago

2020-06-09 14:26:00

Affected Software

Canonical Ubuntu Linux 18.04 LTS Edition

18.04

Canonical Ubuntu Linux 19.10

19.10

Canonical Ubuntu Linux 20.04 LTS Edition

20.04

References

https://github.com/FreeRDP/FreeRDP/commit/f5e73cc7c9cd973b516a618da877c87b80950b65

https://github.com/FreeRDP/FreeRDP/issues/6009

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9fw6-m2q8-h5pw

https://github.com/FreeRDP/FreeRDP/commit/f5e73cc7c9cd973b516a618da877c87b80950b65

Patch, Third Party Advisory

https://github.com/FreeRDP/FreeRDP/issues/6009

Exploit, Third Party Advisory

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9fw6-m2q8-h5pw

Third Party Advisory

USN-4379-1

USN-4379-1

Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.