July 1, 2020

GHSL-2020-107: OOB read vulnerability in FreeRDP update_read_cache_bitmap_v3_order - CVE-2020-11096

Antonio Morales

Summary

A global out-of-bounds (OOB) read vulnerability has been detected in update_read_cache_bitmap_v3_order, caused by a global array being accessed with an attacker-controlled index.

Product

FreeRDP

Tested Version

Development version - master branch (May 26, 2020)

Details: Global OOB read in update_read_cache_bitmap_v3_order

The update_read_cache_bitmap_v3_order function in orders.c performs the assignment cache_bitmap_v3->bpp = CBR23_BPP[bitsPerPixelId] (line 2158), where bitsPerPixelId is a value that can be controlled directly by a potential attacker.

As we can see below, CBR23_BPP is a static array of size 7:

/* libfreerdp/core/orders.c */

static const BYTE CBR23_BPP[] = { 0, 0, 0, 8, 16, 24, 32 };

So, if the value of bitsPerPixelId is greater than 6, an OOB read occurs: the access lands in a memory location outside the boundaries of the static array CBR23_BPP.
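
The unchecked lookup described above next to a bounds-checked version, as an added example that is not FreeRDP's code or its actual patch. The BYTE typedef and the helper names cbr23_bpp_unchecked and cbr23_bpp_checked are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t BYTE; /* assumption: stand-in for the FreeRDP BYTE type */

/* Table as shown in the advisory: 7 entries, valid indices 0..6. */
static const BYTE CBR23_BPP[] = { 0, 0, 0, 8, 16, 24, 32 };
#define CBR23_BPP_COUNT (sizeof(CBR23_BPP) / sizeof(CBR23_BPP[0]))

/* Pattern described in the advisory: the index is used unchecked, so any
 * id > 6 reads past the end of the global array. Kept for comparison only;
 * main() only calls it after the id has been validated. */
static BYTE cbr23_bpp_unchecked(uint32_t bitsPerPixelId)
{
	return CBR23_BPP[bitsPerPixelId];
}

/* Hardened lookup (hypothetical helper): validate the index against the
 * table size before reading, and report failure so the caller can reject
 * the order instead of continuing with an out-of-bounds value. */
static bool cbr23_bpp_checked(uint32_t bitsPerPixelId, BYTE* bpp)
{
	if (bitsPerPixelId >= CBR23_BPP_COUNT)
		return false;
	*bpp = CBR23_BPP[bitsPerPixelId];
	return true;
}

int main(void)
{
	/* Constructed sample ids: three in range, three out of range. */
	const uint32_t ids[] = { 0, 3, 6, 7, 15, UINT32_MAX };
	for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
	{
		BYTE bpp = 0;
		if (cbr23_bpp_checked(ids[i], &bpp))
			printf("id %u -> bpp %u (unchecked: %u)\n", (unsigned)ids[i],
			       (unsigned)bpp, (unsigned)cbr23_bpp_unchecked(ids[i]));
		else
			printf("id %u rejected (out of range)\n", (unsigned)ids[i]);
	}
	return 0;
}
```

Deriving the limit from the array size keeps the check correct if the table is ever extended.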

Impact

This issue may lead to an out-of-bounds read.

CVE

  • CVE-2020-11096

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

  • 05/26/2020: Report sent to Vendor
  • 05/26/2020: Vendor acknowledges report
  • 06/22/2020: Bug fixed and patch released by the vendor

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2020-107 in any communication regarding this issue.