Vulnerability CVE-2022-24883: Information

Description

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure the `SAM` database path configured is valid and the application has file handles left.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2022-24883
Published: April 26, 2022
Modified: Nov. 17, 2023
Error type identifier: CWE-287

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
freerdpsisyphus2.7.0-alt12.11.7-alt2ALT-PU-2022-1764-1299007Fixed
freerdpsisyphus_e2k2.8.1-alt1.12.11.7-alt2ALT-PU-2022-6969-1-Fixed
freerdpsisyphus_riscv642.7.0-alt12.11.7-alt2ALT-PU-2022-4797-1-Fixed
freerdpp102.7.0-alt12.11.7-alt2ALT-PU-2022-1774-1299075Fixed
freerdpp10_e2k2.8.1-alt1.12.11.7-alt2ALT-PU-2022-6929-1-Fixed
freerdpp92.9.0-alt12.9.0-alt1ALT-PU-2022-3288-1310221Fixed
freerdpc10f12.7.0-alt12.11.6-alt1ALT-PU-2022-1774-1299075Fixed
freerdpc9f22.8.1-alt12.11.6-alt1ALT-PU-2022-2881-1308589Fixed
freerdpp112.7.0-alt12.11.7-alt2ALT-PU-2022-1764-1299007Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/FreeRDP/FreeRDP/releases/tag/2.7.0
  • Release Notes
  • Third Party Advisory
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qxm3-v2r6-vmwf
  • Patch
  • Third Party Advisory
https://github.com/FreeRDP/FreeRDP/commit/4661492e5a617199457c8074bad22f766a116cdc
  • Patch
  • Third Party Advisory
https://github.com/FreeRDP/FreeRDP/commit/6f473b273a4b6f0cb6aca32b95e22fd0de88e144
  • Patch
  • Third Party Advisory
GLSA-202210-24
  • Third Party Advisory
FEDORA-2022-dc48a89918
    FEDORA-2022-a3e03a200b
      FEDORA-2022-b0a47f8060
        [debian-lts-announce] 20231117 [SECURITY] [DLA 3654-1] freerdp2 security update

            1. Configuration 1

              cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
              End excliding
              2.7.0

              Configuration 2

              cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
              cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
              cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
          VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
          Version: v24.5.3
          Back to top