CVE-2022-24883
Published: 26 April 2022
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server-side authentication against a `SAM` file might succeed for invalid credentials if the server is configured with an invalid `SAM` file path. FreeRDP-based clients are not affected. RDP server implementations that use FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure that the configured `SAM` database path is valid and that the application has file handles left.
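Added illustration of the bug class, written for this page and not taken from FreeRDP's code: a SAM lookup that reports "file could not be opened" separately from "user not found", a fail-open check that skips hash verification when the file cannot be opened (the behaviour the advisory describes), and the fail-closed form beside it. The `user:domain:lmhash:nthash:::` line layout, all function names and the sample record are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration, not FreeRDP's code. The SAM-style file is assumed
 * to hold one "user:domain:lmhash:nthash:::" record per line. */
enum { SAM_OK, SAM_NOT_FOUND, SAM_IO_ERROR };
/* Copy the NT hash for `user` into `out`, distinguishing "user absent" from
 * "file could not be opened" (bad path, or no file handles left). */
int sam_lookup_nt_hash(const char *path, const char *user, char *out, size_t outlen)
{
    char line[512]; int rc = SAM_NOT_FOUND;
    FILE *fp = fopen(path, "r");
    if (!fp) return SAM_IO_ERROR;
    while (fgets(line, sizeof line, fp)) {
        char *f[4] = {0}, *p = line;   /* f[0]=user f[1]=domain f[2]=LM f[3]=NT */
        line[strcspn(line, "\r\n")] = '\0';
        for (int i = 0; i < 4 && p; i++) {  /* split in place, keeping empty fields */
            f[i] = p; p = strchr(p, ':'); if (p) *p++ = '\0';
        }
        if (f[3] && strcmp(f[0], user) == 0) {
            snprintf(out, outlen, "%s", f[3]); rc = SAM_OK; break;
        }
    }
    fclose(fp);
    return rc;
}

/* Fail-open: an unopenable SAM file skips the hash check entirely, so invalid
 * credentials pass whenever the configured path is wrong (the bug class here). */
int authenticate_fail_open(const char *path, const char *user, const char *nt)
{
    char stored[128] = {0};
    int rc = sam_lookup_nt_hash(path, user, stored, sizeof stored);
    if (rc == SAM_NOT_FOUND) return 0;              /* unknown user is still rejected */
    return rc != SAM_OK || strcmp(stored, nt) == 0; /* I/O error falls through as success */
}

/* Fail-closed: accept only a successful lookup AND a matching hash. */
int authenticate_fail_closed(const char *path, const char *user, const char *nt)
{
    char stored[128] = {0};
    return sam_lookup_nt_hash(path, user, stored, sizeof stored) == SAM_OK && strcmp(stored, nt) == 0;
}
/* Writes a constructed sample record for the test; returns 1 on success. */
int write_sample_sam(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp) fputs("alice:CORP::0123456789abcdef0123456789abcdef:::\n", fp);
    return fp && fclose(fp) == 0;
}
```

The fail-closed check also maps an exhausted file-handle table to a rejection, which is why the advisory's second workaround (keeping file handles available) matters for the unfixed code path.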
Priority
CVSS 3 base score: 9.8
Status
Package | Release | Status
---|---|---
freerdp (Launchpad, Ubuntu, Debian) | bionic | Needs triage
freerdp (Launchpad, Ubuntu, Debian) | upstream | Needs triage
freerdp (Launchpad, Ubuntu, Debian) | xenial | Needs triage
freerdp2 (Launchpad, Ubuntu, Debian) | bionic | Released (2.2.0+dfsg1-0ubuntu0.18.04.3)
freerdp2 (Launchpad, Ubuntu, Debian) | focal | Released (2.2.0+dfsg1-0ubuntu0.20.04.3)
freerdp2 (Launchpad, Ubuntu, Debian) | impish | Released (2.3.0+dfsg1-2ubuntu0.2)
freerdp2 (Launchpad, Ubuntu, Debian) | jammy | Released (2.6.1+dfsg1-3ubuntu2.1)
freerdp2 (Launchpad, Ubuntu, Debian) | upstream | Released (2.7.0+dfsg1-1)
Patches:
- upstream: https://github.com/FreeRDP/FreeRDP/commit/4661492e5a617199457c8074bad22f766a116cdc
- upstream: https://github.com/FreeRDP/FreeRDP/commit/6f473b273a4b6f0cb6aca32b95e22fd0de88e144
- upstream: https://github.com/FreeRDP/FreeRDP/commit/52f3e5139f7c75258b95ac49f53b8ca49e63f1e2 (2.x)