A NULL dereference vulnerability has been detected in FreeRDP's
security_fips_decrypt routine due to use of uninitialized pointer values. This issue has been addressed in FreeRDP 2.1.1.
Development version - master branch (May 18, 2020)
It is possible for a malicious FreeRDP server to confuse FreeRDP client state and make it enter Federal Information Processing Standard (FIPS) specific program logic at a point where the client session context has not been properly initialized for FIPS use.
More specifically, if a FreeRDP server claims ENCRYPTION_METHOD_FIPS (0x00000010) for a FreeRDP client session that expects to be operating under a Network Layer Authentication (NLA) Security session context, the client may be tricked into following FIPS specific code paths based on session state checks such as:
libfreerdp/core/rdp.c: ... if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS) ...
These checks are directly controlled by remote input from the FreeRDP server, which is read into the serverEncryptionMethod variable, e.g.:
libfreerdp/core/gcc.c: ... ( Stream_Read_UINT32(s, serverEncryptionMethod)) ...
As a result, the security_fips_decrypt function may be called at a point where the rdp structure still contains an uninitialized rdp->fips_decrypt pointer value. Since the rdp structure itself is allocated through calloc, its memory is zero-initialized, so rdp->fips_decrypt is NULL and the following code path dereferences a NULL pointer:
libfreerdp/core/security.c:security_fips_decrypt: ... if (!winpr_Cipher_Update(rdp->fips_decrypt, data, length, data, &olen)) ...
This issue may lead to a NULL pointer dereference.
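The state confusion above, reduced to a stand-alone illustration (added here; this is not FreeRDP or WinPR code): the rdp structure is calloc'd, the encryption method is whatever the server sent, and the hardened decrypt routine refuses to enter the FIPS branch while the FIPS cipher context is still NULL. The struct layout, the toy XOR cipher and the helper names are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* Names mirror the advisory; the structs and the toy XOR cipher are
 * constructed stand-ins for this example, not FreeRDP or WinPR code. */
#define ENCRYPTION_METHOD_FIPS 0x00000010u
typedef struct { uint8_t key; } cipher_ctx; /* stand-in for a WinPR cipher context */
typedef struct {
    uint32_t encryption_methods; /* filled from server-supplied GCC data */
    cipher_ctx* fips_decrypt;    /* set only once FIPS decryption is set up */
} rdp_ctx;
/* Stand-in for winpr_Cipher_Update: dereferences ctx just like the real call. */
static bool cipher_update(cipher_ctx* ctx, uint8_t* data, size_t len) {
    for (size_t i = 0; i < len; i++) data[i] ^= ctx->key;
    return true;
}
/* rdp is calloc'd in FreeRDP too, so fips_decrypt starts out NULL. */
rdp_ctx* rdp_new(void) { return (rdp_ctx*)calloc(1, sizeof(rdp_ctx)); }
/* The step the confused client state skipped: FIPS crypto exists only after this. */
bool rdp_fips_init(rdp_ctx* rdp, uint8_t key) {
    rdp->fips_decrypt = (cipher_ctx*)calloc(1, sizeof(cipher_ctx));
    if (!rdp->fips_decrypt) return false;
    rdp->fips_decrypt->key = key;
    return true;
}
/* Hardened decrypt: the server-chosen method flag alone does not prove FIPS
 * state was initialised, so verify the context before using it. */
bool security_decrypt(rdp_ctx* rdp, uint8_t* data, size_t len) {
    if (rdp->encryption_methods != ENCRYPTION_METHOD_FIPS)
        return true; /* non-FIPS handling is outside this example */
    if (!rdp->fips_decrypt)
        return false; /* fail closed instead of dereferencing NULL */
    return cipher_update(rdp->fips_decrypt, data, len);
}
/* Runs both cases; returns 0 on success, else the number of the failed step. */
int run_checks(void) {
    uint8_t buf[4] = {1, 2, 3, 4};
    rdp_ctx* rdp = rdp_new();
    if (!rdp) return 1;
    /* Mirrors Stream_Read_UINT32(s, serverEncryptionMethod): remote input. */
    rdp->encryption_methods = ENCRYPTION_METHOD_FIPS;
    /* Server claims FIPS before any FIPS state exists: rejected, not crashed. */
    if (security_decrypt(rdp, buf, sizeof buf) || buf[0] != 1) return 2;
    if (!rdp_fips_init(rdp, 0xFF)) return 3;
    /* Same call after proper initialisation decrypts: 0x01 ^ 0xFF == 0xFE. */
    if (!security_decrypt(rdp, buf, sizeof buf) || buf[0] != 0xFE) return 4;
    free(rdp->fips_decrypt); free(rdp);
    return 0;
}
```

The first security_decrypt call is the advisory's scenario; without the NULL check it would hand a NULL context to the cipher exactly as the quoted security.c path does.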
This report was subject to the GHSL coordinated disclosure policy.
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
You can contact the GHSL team at email@example.com; please include GHSL-2020-101 in any communication regarding this issue.