Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2020-11039,CVE-2020-11038,CVE-2020-11043,CVE-2020-11040,CVE-2020-11041,CVE-2020-11019,CVE-2020-11017,CVE-2020-11018: freerdp: 2.1.0 fixes several CVEs, leaks and crashes | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Johannes Weberhofer <jweberhofer> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | Andreas.Stieger, atoptsoglou, bruno, gnome-bugs, meissner, qkzhu, rfrohl, security-team, wolfgang.frisch, yfjiang |
| Version: | unspecified | | |
| Target Milestone: | unspecified | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Johannes Weberhofer
2020-05-11 09:30:15 UTC
I don't think Bruno is the right person to handle the request. I have added yfjiang@suse.com

Then this should be adjusted in X11:RemoteDesktop/freerdp
Bruno has already requested to be removed, he can actually do that himself.

(In reply to Andreas Stieger from comment #2)
> Then this should be adjusted in X11:RemoteDesktop/freerdp
> Bruno has already requested to be removed, he can actually do that himself.

I don't see him listed there. As the package is managed by SLE maybe yfjiang@suse.com should be added as bugowner (the same is valid for remmina).

(In reply to Andreas Stieger from comment #2)
> Then this should be adjusted in X11:RemoteDesktop/freerdp
> Bruno has already requested to be removed, he can actually do that himself.

Sorry, have now removed Bruno and added myself for the moment. But wouldn't it make sense to add someone from SUSE?

@Johannes thanks for fixing the assigned.

Would you do me a favor, as I forgot how to send an sr for this specific task with osc. Could you remove me as bugowner (even as user would be fine) from
https://build.opensuse.org/package/users/X11:RemoteDesktop/freerdp

and make one or several of you bugowner. So next time a bug is opened against freerdp the right person will be addressed.

Thanks.

(In reply to Bruno Friedmann from comment #5)
> @Johannes thanks for fixing the assigned.
>
> Would you do me a favor, as I forgot how to send an sr for this specific
> task with osc. Could you remove me as bugowner (even as user would be fine)
> from
> https://build.opensuse.org/package/users/X11:RemoteDesktop/freerdp
>
> and make one or several of you bugowner. So next time a bug is opened
> against freerdp the right person will be addressed.
>
> Thanks.

I have removed you and added myself. But I think one of the SUSE people should be added, too. For your information: I'm currently preparing fixes for freerdp issues in the latest version.
In freerdp release 2.1.1 three more CVEs have been solved:

* CVE-2020-13396: GHSL-2020-100 OOB Read in ntlm_read_ChallengeMessage
* CVE-2020-13397: GHSL-2020-101 OOB Read in security_fips_decrypt due to uninitialized value
* CVE-2020-13398: GHSL-2020-102 OOB Write in crypto_rsa_common

I did a preliminary test on SLE12SP4, there is a vinagre dependency issue when updating freerdp v2.1.0

> Problem: vinagre-3.20.2-14.16.x86_64 requires libfreerdp.so.2()(64bit), but this requirement cannot be provided

We can resolve this issue by updating SLE12's vinagre-freerdp2.patch to
- https://build.opensuse.org/package/view_file/GNOME:Factory/vinagre/vinagre-freerdp2.patch

Then rebuild vinagre against freerdp v2.1.0.

As there were three more CVEs closed with freerdp 2.1.1, the update should be to this version!

(In reply to Johannes Weberhofer from comment #15)
> As there were three more CVEs closed with freerdp 2.1.1, the update should
> be to this version!

Thanks Johannes, yes, I have done a test based on v2.1.1:
- https://build.opensuse.org/project/show/home:qkzhu:branches:openSUSE:Leap:42.3:Update

I will submit the new version to SLE and Leap once the jira ECO request is approved.

To facilitate a more complete picture I tried to document the open CVEs, see below. There might be some missing, because they came in over a few weeks. Feel free to use this for the changes file.
update to 2.0 fixing:
CVE-2020-11042: out-of-bounds read in update_read_icon_info
CVE-2020-11044: denial of service in update_read_cache_bitmap_v3_order affecting clients
CVE-2020-11045: out-of-bound read in update_read_bitmap_data
CVE-2020-11046: out-of-bounds seek in update_read_synchronize
CVE-2020-11047: out-of-bounds read in autodetect_recv_bandwidth_measure_results
CVE-2020-11048: out-of-bounds read in rdp_read_flow_control_pdu
CVE-2020-11049: out-of-bound read of client memory that is then passed on to the protocol parser

update to 2.1 fixing:
CVE-2020-11017: malicious client can create a double free condition and crash the server
CVE-2020-11018: malicious clients could trigger out of bound reads causing memory allocation with random size
CVE-2020-11019: denial of service if logger set to "WLOG_TRACE"
CVE-2020-11038: buffer overflow when using /video redirection
CVE-2020-11039: arbitrary memory read and write when USB redirection enabled
CVE-2020-11040: out-of-bound data read in clear_decompress_subcode_rlex
CVE-2020-11041: denial of service by malicious server related to configuration for sound backend
CVE-2020-11043: out-of-bounds read in rfx_process_message_tileset
CVE-2020-11085: out-of-bounds read in cliprdr_read_format_list
CVE-2020-11086: out-of-bound read in ntlm_read_ntlm_v2_client_challenge
CVE-2020-11087: out-of-bound read in ntlm_read_AuthenticateMessage
CVE-2020-11088: out-of-bound read in ntlm_read_NegotiateMessage
CVE-2020-11089: out-of-bound read in irp function family

update to 2.1.1 (already mentioned):
CVE-2020-13396: out-of-bounds read in ntlm_read_ChallengeMessage
CVE-2020-13397: out-of-bounds read in security_fips_decrypt
CVE-2020-13398: out-of-bounds write in crypto_rsa_common

all of these affect both SUSE:SLE-12-SP2:Update and SUSE:SLE-15-SP1:Update, meaning even in freerdp 2.0 RC4 the fixes for 2.0 are missing.

(In reply to Robert Frohl from comment #20)
> There might be some missing, because they came in over a few weeks.

What I mean with this is that there might be new CVEs that will get assigned in the future.

Just realized I missed one for the 2.0 update.

(In reply to Robert Frohl from comment #20)
> update to 2.0 fixing:
> CVE-2020-11042: out-of-bounds read in update_read_icon_info
> CVE-2020-11044: denial of service in update_read_cache_bitmap_v3_order
> affecting clients
> CVE-2020-11045: out-of-bound read in update_read_bitmap_data
> CVE-2020-11046: out-of-bounds seek in update_read_synchronize
> CVE-2020-11047: out-of-bounds read in
> autodetect_recv_bandwidth_measure_results
> CVE-2020-11048: out-of-bounds read in rdp_read_flow_control_pdu
> CVE-2020-11049: out-of-bound read of client memory that is then passed on to
> the protocol parser

CVE-2020-11058: out-of-bounds read in rdp_read_font_capability_set

There is an even newer version with 9 additional vulnerabilities fixed, see bsc#1173247. Please include that version in the update once the ECO is approved.

Requests accepted. Reopened and assigned to the security team, Thanks.

Bug #1173605 had been reported regarding connection problems between freerdp-2.1.2 and Windows. I could reproduce it here with a Windows 7 system. I fixed it with https://build.opensuse.org/request/show/818280 but did not receive an acknowledgement from the reporter. Could be worth including that patch...

#1173605 fixes an issue for many users, so please include it here, too.

(In reply to Johannes Weberhofer from comment #30)
> #1173605 fixes an issue for many users, so please include it here, too.

Thanks Johannes, I will work on this.

Have added a related ticket #1174321; currently I'm testing the new freerdp release 2.2.0

SUSE-SU-2020:2032-1: An update that fixes 31 vulnerabilities is now available.
Category: security (important)
Bug References: 1169679,1169748,1171441,1171443,1171444,1171445,1171446,1171447,1171474,1173247,1173605,1174200
CVE References: CVE-2020-11017,CVE-2020-11018,CVE-2020-11019,CVE-2020-11038,CVE-2020-11039,CVE-2020-11040,CVE-2020-11041,CVE-2020-11043,CVE-2020-11085,CVE-2020-11086,CVE-2020-11087,CVE-2020-11088,CVE-2020-11089,CVE-2020-11095,CVE-2020-11096,CVE-2020-11097,CVE-2020-11098,CVE-2020-11099,CVE-2020-11521,CVE-2020-11522,CVE-2020-11523,CVE-2020-11524,CVE-2020-11525,CVE-2020-11526,CVE-2020-13396,CVE-2020-13397,CVE-2020-13398,CVE-2020-4030,CVE-2020-4031,CVE-2020-4032,CVE-2020-4033
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src): freerdp-2.1.2-10.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2020:1090-1: An update that fixes 31 vulnerabilities is now available.

Category: security (important)
Bug References: 1169679,1169748,1171441,1171443,1171444,1171445,1171446,1171447,1171474,1173247,1173605,1174200
CVE References: CVE-2020-11017,CVE-2020-11018,CVE-2020-11019,CVE-2020-11038,CVE-2020-11039,CVE-2020-11040,CVE-2020-11041,CVE-2020-11043,CVE-2020-11085,CVE-2020-11086,CVE-2020-11087,CVE-2020-11088,CVE-2020-11089,CVE-2020-11095,CVE-2020-11096,CVE-2020-11097,CVE-2020-11098,CVE-2020-11099,CVE-2020-11521,CVE-2020-11522,CVE-2020-11523,CVE-2020-11524,CVE-2020-11525,CVE-2020-11526,CVE-2020-13396,CVE-2020-13397,CVE-2020-13398,CVE-2020-4030,CVE-2020-4031,CVE-2020-4032,CVE-2020-4033
Sources used:
openSUSE Leap 15.1 (src): freerdp-2.1.2-lp151.5.6.1

SUSE-SU-2020:2068-1: An update that fixes 31 vulnerabilities is now available.

Category: security (important)
Bug References: 1169679,1169748,1171441,1171443,1171444,1171445,1171446,1171447,1171474,1173247,1173605,1174200
CVE References: CVE-2020-11017,CVE-2020-11018,CVE-2020-11019,CVE-2020-11038,CVE-2020-11039,CVE-2020-11040,CVE-2020-11041,CVE-2020-11043,CVE-2020-11085,CVE-2020-11086,CVE-2020-11087,CVE-2020-11088,CVE-2020-11089,CVE-2020-11095,CVE-2020-11096,CVE-2020-11097,CVE-2020-11098,CVE-2020-11099,CVE-2020-11521,CVE-2020-11522,CVE-2020-11523,CVE-2020-11524,CVE-2020-11525,CVE-2020-11526,CVE-2020-13396,CVE-2020-13397,CVE-2020-13398,CVE-2020-4030,CVE-2020-4031,CVE-2020-4032,CVE-2020-4033
JIRA References:
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src): freerdp-2.1.2-15.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:2272-1: An update that fixes 46 vulnerabilities is now available.

Category: security (important)
Bug References: 1004108,1050699,1050704,1050708,1050711,1050712,1050714,1085416,1087240,1090677,1103557,1104918,1112028,1116708,1117963,1117964,1117965,1117966,1117967,1120507,1129193,1169679,1169748,1171441,1171443,1171444,1171445,1171446,1171447,1171674,1173247,1173605,1174200,1174321
CVE References: CVE-2017-2834,CVE-2017-2835,CVE-2017-2836,CVE-2017-2837,CVE-2017-2838,CVE-2017-2839,CVE-2018-0886,CVE-2018-1000852,CVE-2018-8784,CVE-2018-8785,CVE-2018-8786,CVE-2018-8787,CVE-2018-8788,CVE-2018-8789,CVE-2020-11017,CVE-2020-11018,CVE-2020-11019,CVE-2020-11038,CVE-2020-11039,CVE-2020-11040,CVE-2020-11041,CVE-2020-11043,CVE-2020-11085,CVE-2020-11086,CVE-2020-11087,CVE-2020-11088,CVE-2020-11089,CVE-2020-11095,CVE-2020-11096,CVE-2020-11097,CVE-2020-11098,CVE-2020-11099,CVE-2020-11521,CVE-2020-11522,CVE-2020-11523,CVE-2020-11524,CVE-2020-11525,CVE-2020-11526,CVE-2020-13396,CVE-2020-13397,CVE-2020-13398,CVE-2020-15103,CVE-2020-4030,CVE-2020-4031,CVE-2020-4032,CVE-2020-4033
JIRA References:
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src): freerdp-2.1.2-12.20.1, vinagre-3.20.2-16.3.3
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): freerdp-2.1.2-12.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Done