June 17, 2020

GHSL-2020-101: NULL dereference in FreeRDP FIPS routines - CVE-2020-13397

Antonio Morales


A NULL dereference vulnerability has been detected in FreeRDP's security_fips_decrypt routine due to use of uninitialized pointer values. This issue has been addressed in FreeRDP 2.1.1.



Tested Version

Development version - master branch (May 18, 2020)

Details: NULL dereference in security_fips_decrypt

It is possible for a malicious FreeRDP server to confuse FreeRDP client state and make it enter Federal Information Processing Standard (FIPS) specific program logic at a point where the client session context has not been properly initialized for FIPS use.

More specifically, if a FreeRDP server claims ENCRYPTION_METHOD_FIPS (0x00000010) for a FreeRDP client session that expects to be operating under a Network Layer Authentication (NLA) Security session context, the client may be tricked into following FIPS specific code paths based on session state checks such as:

 if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)

Which are directly controlled by remote input from the FreeRDP server into the serverEncryptionmethod variable, e.g.:

( Stream_Read_UINT32(s, serverEncryptionMethod))

As a result the security_fips_decrypt function may be called at a point where the rdp structure contains an uninitialized rdp->fips_decrypt pointer value. Since the rdp structure itself is allocated through calloc it is initialized with zeroed memory, thus resulting in a NULL pointer dereference in the following code path:

if (!winpr_Cipher_Update(rdp->fips_decrypt, data, length, data, &olen))


This issue may lead to NULL pointer dereference.


  • CVE-2020-13397

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

  • 05/18/2020: Vendor contacted
  • 05/19/2020: Vendor acknowledges report
  • 05/19/2020: Bug fixed and patch released by the vendor



This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).


You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-101 in any communication regarding this issue.