Bugzilla – Bug 1198919
VUL-0: CVE-2022-24882: freerdp: NTLM does not properly check parameters
Last modified: 2022-12-20 11:26:07 UTC
CVE-2022-24882 FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). In versions prior to 2.7.0, NT LAN Manager (NTLM) authentication does not properly abort when someone provides an empty password value. This issue affects FreeRDP based RDP Server implementations. RDP clients are not affected. The vulnerability is patched in FreeRDP 2.7.0. There are currently no known workarounds.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24882
https://github.com/FreeRDP/FreeRDP/releases/tag/2.7.0
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24882
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6x5p-gp49-3jhh
https://github.com/FreeRDP/FreeRDP/pull/7750
https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/95
Affected:
- SUSE:SLE-12-SP2:Update/freerdp 2.1.2
- SUSE:SLE-15-SP2:Update/freerdp 2.1.2
- SUSE:SLE-15-SP4:Update/freerdp 2.4.0
- openSUSE:Backports:SLE-15-SP3/freerdp 2.1.2
- openSUSE:Factory/freerdp 2.6.1
Hi, is there any progress on this? If you need help with anything, please let me know.
SUSE-SU-2022:2352-1: An update that fixes two vulnerabilities is now available.
Category: security (critical)
Bug References: 1198919,1198921
CVE References: CVE-2022-24882,CVE-2022-24883
JIRA References:
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src): freerdp-2.1.2-12.23.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): freerdp-2.1.2-12.23.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2354-1: An update that fixes two vulnerabilities is now available.
Category: security (critical)
Bug References: 1198919,1198921
CVE References: CVE-2022-24882,CVE-2022-24883
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): freerdp-2.4.0-150400.3.3.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src): freerdp-2.4.0-150400.3.3.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src): freerdp-2.4.0-150400.3.3.1
SUSE-SU-2022:2353-1: An update that fixes two vulnerabilities is now available.
Category: security (critical)
Bug References: 1198919,1198921
CVE References: CVE-2022-24882,CVE-2022-24883
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): freerdp-2.1.2-150200.15.15.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src): freerdp-2.1.2-150200.15.15.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): freerdp-2.1.2-150200.15.15.1
Cleaning up GNOME CVE backlog. The fix has been submitted and accepted. Assign back to security team.
done