CVE-2022-39347

16.11.2022, 20:15

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing path canonicalization and base path check for `drive` channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/drive`, `/drives` or `+home-drive` redirection switch.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	2.6 LOW	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
GitHub_M	CNA	2.6 LOW	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 31%

Vendor	Product	Version
freerdp	freerdp	𝑥 < 2.9.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

freerdp2

bullseye	no-dsa
bookworm	2.10.0+dfsg1-1 fixed
sid	2.11.7+dfsg1-4 fixed
trixie	2.11.7+dfsg1-4 fixed

Ubuntu Releases

Ubuntu Product

Codename

freerdp

kinetic	dne
jammy	dne
focal	dne
bionic	needed
xenial	needed
trusty	ignored

freerdp2

noble	Fixed 2.8.1+dfsg1-1ubuntu1 released
mantic	Fixed 2.8.1+dfsg1-1ubuntu1 released
lunar	Fixed 2.8.1+dfsg1-1ubuntu1 released
kinetic	Fixed 2.8.1+dfsg1-0ubuntu1.1 released
jammy	Fixed 2.6.1+dfsg1-3ubuntu2.3 released
focal	Fixed 2.2.0+dfsg1-0ubuntu0.20.04.4 released
bionic	Fixed 2.2.0+dfsg1-0ubuntu0.18.04.4 released
xenial	ignored
trusty	ignored

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://github.com/FreeRDP/FreeRDP/commit/027424c2c6c0991cb9c22f9511478229c9b17e5d

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg

https://lists.debian.org/debian-lts-announce/2023/11/msg00010.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDOTAOJBCZKREZJPT6VZ25GESI5T6RBG/