June 17, 2020

GHSL-2020-101: NULL dereference in FreeRDP FIPS routines - CVE-2020-13397

Antonio Morales

Summary

A NULL dereference vulnerability has been detected in FreeRDP's security_fips_decrypt routine, caused by the use of an uninitialized pointer value. This issue has been addressed in FreeRDP 2.1.1.

Product

FreeRDP

Tested Version

Development version - master branch (May 18, 2020)

Details: NULL dereference in security_fips_decrypt

It is possible for a malicious FreeRDP server to confuse FreeRDP client state and make it enter Federal Information Processing Standard (FIPS) specific program logic at a point where the client session context has not been properly initialized for FIPS use.

More specifically, if a FreeRDP server claims ENCRYPTION_METHOD_FIPS (0x00000010) for a FreeRDP client session that expects to be operating under a Network Layer Authentication (NLA) Security session context, the client may be tricked into following FIPS specific code paths based on session state checks such as:

libfreerdp/core/rdp.c:
...
 if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
...

These checks are directly controlled by remote input from the FreeRDP server, which is read into the serverEncryptionMethod variable, e.g.:

libfreerdp/core/gcc.c:
...
Stream_Read_UINT32(s, serverEncryptionMethod);
...

As a result, the security_fips_decrypt function may be called at a point where the rdp structure contains an uninitialized rdp->fips_decrypt pointer value. Since the rdp structure itself is allocated through calloc, it is initialized with zeroed memory, so rdp->fips_decrypt is NULL and the following code path dereferences a NULL pointer:

libfreerdp/core/security.c:security_fips_decrypt:
...
if (!winpr_Cipher_Update(rdp->fips_decrypt, data, length, data, &olen))
...
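
The state confusion described above, modelled as an added example (not FreeRDP's own code): a calloc'd client context takes the server's ENCRYPTION_METHOD_FIPS claim at face value, and the only thing standing between the winpr_Cipher_Update call and a NULL context is whether the client itself finished FIPS setup. The struct layouts, the XOR cipher and the checked/unchecked decrypt functions are stand-ins constructed for this illustration; only ENCRYPTION_METHOD_FIPS and the field names come from the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of CVE-2020-13397; types and cipher are stand-ins, not FreeRDP's definitions. */
#define ENCRYPTION_METHOD_FIPS 0x00000010u
typedef struct { uint8_t key; } fips_cipher;              /* stand-in for the WINPR cipher context */
typedef struct { uint32_t EncryptionMethods; } rdp_settings;
typedef struct {
    rdp_settings *settings;
    fips_cipher  *fips_decrypt;                           /* NULL after calloc until FIPS setup runs */
} rdp_ctx;

/* Stand-in for winpr_Cipher_Update: dereferences ctx, so NULL faults exactly as the report describes. */
bool cipher_update(fips_cipher *ctx, uint8_t *data, size_t len) {
    for (size_t i = 0; i < len; i++) data[i] ^= ctx->key;
    return true;
}

/* Vulnerable shape: the server's claim alone selects the FIPS path and rdp->fips_decrypt is trusted. */
bool fips_decrypt_unchecked(rdp_ctx *rdp, uint8_t *data, size_t len) {
    return cipher_update(rdp->fips_decrypt, data, len);
}

/* Hardened shape: take the FIPS path only when this client actually completed FIPS setup. */
bool fips_decrypt_checked(rdp_ctx *rdp, uint8_t *data, size_t len) {
    if (rdp->settings->EncryptionMethods != ENCRYPTION_METHOD_FIPS) return false;
    if (!rdp->fips_decrypt) return false;                 /* server claimed FIPS; client never derived keys */
    return cipher_update(rdp->fips_decrypt, data, len);
}

/* Zeroed client context (calloc) whose only FIPS "state" is the method copied, Stream_Read_UINT32
 * style, straight from the server's little-endian bytes. */
rdp_ctx *client_ctx_from_server_claim(const uint8_t s[4]) {
    rdp_ctx *rdp = calloc(1, sizeof *rdp);
    if (!rdp || !(rdp->settings = calloc(1, sizeof *rdp->settings))) { free(rdp); return NULL; }
    rdp->settings->EncryptionMethods = (uint32_t)s[0] | (uint32_t)s[1] << 8 |
                                       (uint32_t)s[2] << 16 | (uint32_t)s[3] << 24;
    return rdp;
}

int main(void) {
    static const uint8_t srv[4] = { 0x10, 0x00, 0x00, 0x00 }; /* constructed: server claims FIPS */
    uint8_t pdu[2] = { 0xAA, 0x55 };                          /* constructed ciphertext bytes */
    rdp_ctx *rdp = client_ctx_from_server_claim(srv);
    bool ok = rdp && fips_decrypt_checked(rdp, pdu, sizeof pdu);
    puts(ok ? "FIPS path taken" : "FIPS path refused: fips_decrypt is NULL");
    return 0;
}
```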

Impact

This issue may lead to a NULL pointer dereference.

CVE

  • CVE-2020-13397

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

  • 05/18/2020: Vendor contacted
  • 05/19/2020: Vendor acknowledges report
  • 05/19/2020: Bug fixed and patch released by the vendor

Resources

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-101 in any communication regarding this issue.