Summary
A global out-of-bounds (OOB) read vulnerability has been detected in update_read_cache_bitmap_v3_order, caused by a global array access with an attacker-controlled index.
Product
FreeRDP
Tested Version
Development version - master branch (May 26, 2020)
Details: Global OOB read in update_read_cache_bitmap_v3_order
The update_read_cache_bitmap_v3_order function in orders.c performs a call to cache_bitmap_v3->bpp = CBR23_BPP[bitsPerPixelId] (line 2158), where bitsPerPixelId is a value that can be controlled directly by a potential attacker. As we can see below, CBR23_BPP is a static array of size 7:
/* libfreerdp/core/orders.c */
static const BYTE CBR23_BPP[] = { 0, 0, 0, 8, 16, 24, 32 };
So, if the value of bitsPerPixelId is greater than 6, an OOB read occurs, accessing a memory location outside the boundaries of the static array CBR23_BPP.
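The lookup described above with a bounds check in front of it, as an added example (not FreeRDP's code and not the vendor's patch). The helper names cbr23_bpp_lookup and count_accepted, the TABLE_LEN macro and the constructed 0 to 15 input range are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Table contents as shown in the advisory (libfreerdp/core/orders.c). */
static const uint8_t CBR23_BPP[] = { 0, 0, 0, 8, 16, 24, 32 };

#define TABLE_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical helper: validate the untrusted id before indexing.
 * Returns false and leaves *bpp untouched when the id is out of range. */
static bool cbr23_bpp_lookup(uint32_t bitsPerPixelId, uint8_t* bpp)
{
	if (bitsPerPixelId >= TABLE_LEN(CBR23_BPP))
		return false; /* ids 7 and above would read past the table */
	*bpp = CBR23_BPP[bitsPerPixelId];
	return true;
}

/* Hypothetical helper: count how many ids in [0, limit) pass the check. */
static unsigned count_accepted(uint32_t limit)
{
	unsigned n = 0;
	uint8_t bpp;
	for (uint32_t id = 0; id < limit; id++)
		if (cbr23_bpp_lookup(id, &bpp))
			n++;
	return n;
}

int main(void)
{
	/* Constructed inputs: every id from 0 to 15. */
	for (uint32_t id = 0; id < 16; id++)
	{
		uint8_t bpp = 0;
		if (cbr23_bpp_lookup(id, &bpp))
			printf("id %u -> %u bpp\n", (unsigned)id, (unsigned)bpp);
		else
			printf("id %u -> rejected (out of range)\n", (unsigned)id);
	}
	return 0;
}
```

Deriving the limit from the array with sizeof keeps the check correct if entries are later added to or removed from the table.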
Impact
This issue may lead to an out-of-bounds read.
CVE
- CVE-2020-11096
Coordinated Disclosure Timeline
This report was subject to the GHSL coordinated disclosure policy.
- 05/26/2020: Report sent to Vendor
- 05/26/2020: Vendor acknowledges report
- 06/22/2020: Bug fixed and patch released by the vendor
Supporting Resources
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mjw7-3mq2-996x
- https://github.com/FreeRDP/FreeRDP/commit/b8beb55913471952f92770c90c372139d78c16c0
Credit
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
Contact
You can contact the GHSL team at securitylab@github.com. Please include GHSL-2020-107 in any communication regarding this issue.