#VU29360 Use-after-free in FreeRDP - CVE-2020-4031

Cybersecurity Help s.r.o.

Published: 2020-06-29

Vulnerability identifier: #VU29360

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-4031

CWE-ID: CWE-416

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FreeRDP
Universal components / Libraries / Libraries used by multiple products

Vendor: FreeRDP

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in "gdi_SelectObject" when using compatibility mode with /relax-order-checks. A remote attacker can execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

FreeRDP: 1.0 beta1 - 2.1.1

External links
https://www.freerdp.com/2020/06/22/2_1_2-released
https://github.com/FreeRDP/FreeRDP/commit/6d86e20e1e7caaab4f0c7f89e36d32914dbccc52
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gwcq-hpq2-m74g

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

OpenSUSE Linux update for freerdp

Arch Linux update for freerdp

Multiple vulnerabilities in FreeRDP

Use-after-free in freerdp (Alpine package)