June 17, 2020

GHSL-2020-101: NULL dereference in FreeRDP FIPS routines - CVE-2020-13397

Antonio Morales

Summary

A NULL dereference vulnerability has been detected in FreeRDP’s security_fips_decrypt routine due to use of uninitialized pointer values. This issue has been addressed in FreeRDP 2.1.1.

Product

FreeRDP

Tested Version

Development version - master branch (May 18, 2020)

Details: NULL dereference in security_fips_decrypt

It is possible for a malicious FreeRDP server to confuse FreeRDP client state and make it enter Federal Information Processing Standard (FIPS) specific program logic at a point where the client session context has not been properly initialized for FIPS use.

More specifically, if a FreeRDP server claims ENCRYPTION_METHOD_FIPS (0x00000010) for a FreeRDP client session that expects to be operating under a Network Layer Authentication (NLA) Security session context, the client may be tricked into following FIPS specific code paths based on session state checks such as:

libfreerdp/core/rdp.c:
...
 if (rdp->settings->EncryptionMethods == ENCRYPTION_METHOD_FIPS)
...

These checks are driven directly by remote input from the FreeRDP server, which is read into the serverEncryptionMethod variable, e.g.:

libfreerdp/core/gcc.c:
...
Stream_Read_UINT32(s, serverEncryptionMethod)
...

As a result, the security_fips_decrypt function may be called while the rdp structure still holds an uninitialized rdp->fips_decrypt pointer. Because the rdp structure is allocated with calloc, that field is zero-initialized, so the following code path dereferences a NULL pointer:

libfreerdp/core/security.c:security_fips_decrypt:
...
if (!winpr_Cipher_Update(rdp->fips_decrypt, data, length, data, &olen))
...
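The pattern described above, as an added illustration that is not FreeRDP's own code and not the upstream fix: a peer-controlled session attribute (the server's encryption method) selects a code path whose prerequisite state (an initialized FIPS cipher context) was never established. The model below uses hypothetical, simplified types (rdp_ctx, cipher_ctx, cipher_update) that only mirror the shape of the advisory's excerpts; it shows the unchecked dispatch beside a hardened one that verifies the context exists before using it, and simulates a server claiming ENCRYPTION_METHOD_FIPS against a freshly calloc'd session.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the client session state. These names are
 * hypothetical and not FreeRDP's own types or functions. */
#define ENCRYPTION_METHOD_NONE 0x00000000u
#define ENCRYPTION_METHOD_FIPS 0x00000010u /* value quoted in the advisory */

typedef struct {
    uint8_t key[16]; /* placeholder key material (constructed) */
} cipher_ctx;

typedef struct {
    uint32_t encryption_methods; /* filled from server-sent GCC data: remote-controlled */
    cipher_ctx *fips_decrypt;    /* stays NULL until a FIPS key exchange has run */
} rdp_ctx;

/* calloc() mirrors the zeroed allocation the advisory describes, so
 * fips_decrypt starts out as NULL. */
static rdp_ctx *rdp_new(void) { return calloc(1, sizeof(rdp_ctx)); }

/* Toy stand-in for a cipher update (XOR with the key). Like a real cipher
 * routine it dereferences ctx unconditionally. */
static bool cipher_update(cipher_ctx *ctx, uint8_t *data, size_t len) {
    for (size_t i = 0; i < len; i++)
        data[i] ^= ctx->key[i % sizeof ctx->key];
    return true;
}

/* Vulnerable shape: trusts the method flag and never checks the context.
 * With fips_decrypt == NULL this is the NULL dereference. */
static bool fips_decrypt_unchecked(rdp_ctx *rdp, uint8_t *data, size_t len) {
    return cipher_update(rdp->fips_decrypt, data, len);
}

/* Hardened shape: refuse the FIPS path unless its state actually exists. */
static bool fips_decrypt_checked(rdp_ctx *rdp, uint8_t *data, size_t len) {
    if (rdp->fips_decrypt == NULL) {
        fprintf(stderr, "FIPS decrypt requested but cipher context is not initialised\n");
        return false;
    }
    return cipher_update(rdp->fips_decrypt, data, len);
}

/* Dispatch on the server-controlled method, as the client's
 * EncryptionMethods check does; 'checked' selects which variant runs.
 * Returns false when decryption is refused. */
static bool decrypt_incoming(rdp_ctx *rdp, uint8_t *data, size_t len, bool checked) {
    if (rdp->encryption_methods == ENCRYPTION_METHOD_FIPS)
        return checked ? fips_decrypt_checked(rdp, data, len)
                       : fips_decrypt_unchecked(rdp, data, len);
    return true; /* no RDP-layer encryption negotiated */
}

/* A server claims FIPS for a session whose FIPS contexts were never set up.
 * The hardened path returns false instead of crashing. */
static bool simulate_malicious_server(void) {
    rdp_ctx *rdp = rdp_new();
    uint8_t pdu[4] = {1, 2, 3, 4};                     /* constructed payload */
    rdp->encryption_methods = ENCRYPTION_METHOD_FIPS;  /* remote-controlled value */
    bool ok = decrypt_incoming(rdp, pdu, sizeof pdu, true);
    free(rdp);
    return ok;
}

/* A legitimate FIPS session: the context exists, so decryption proceeds. */
static bool simulate_initialised_session(void) {
    rdp_ctx *rdp = rdp_new();
    cipher_ctx ctx;
    memset(ctx.key, 0x5a, sizeof ctx.key);
    uint8_t pdu[4] = {0x5a, 0x5a, 0x5a, 0x5a};         /* constructed ciphertext */
    rdp->fips_decrypt = &ctx;
    rdp->encryption_methods = ENCRYPTION_METHOD_FIPS;
    bool ok = decrypt_incoming(rdp, pdu, sizeof pdu, true);
    bool plaintext_zero = ok && pdu[0] == 0 && pdu[3] == 0;
    free(rdp);
    return plaintext_zero;
}

int main(void) {
    printf("malicious server, checked path refused: %s\n",
           simulate_malicious_server() ? "no" : "yes");
    printf("initialised session decrypts: %s\n",
           simulate_initialised_session() ? "yes" : "no");
    return 0;
}
```

The defensive point is the invariant check inside fips_decrypt_checked: a value received from the peer may select a code path, but the code path itself must verify that the state it depends on was initialised by the client's own negotiation, rather than inferring that from the peer's claim. Calling decrypt_incoming with checked set to false on the malicious-server session would dereference NULL, which is exactly the crash the advisory reports.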

Impact

This issue may lead to a NULL pointer dereference.

CVE

CVE-2020-13397
Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

Resources

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-101 in any communication regarding this issue.