Executive Summary

This vulnerability exists in FreeRDP versions prior to 3.23.0 in the function xf_rail_server_execute_result. The function indexes a global array called error_code_names, which has 7 elements (indices 0 to 6), using a value received from the server called execResult->execResult without checking if the value is within bounds.

If the server sends an execResult value of 7 or greater, the function performs an out-of-bounds read on the error_code_names array. This can lead to undefined behavior such as a global buffer overflow.

The vulnerability is caused by missing validation of the execResult value before using it as an array index. The issue was fixed in version 3.23.0 by adding bounds checking and returning a default error string when the value is out of range.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'A malicious Remote Desktop Protocol (RDP) server can exploit this vulnerability by sending a crafted execResult value of 7 or higher to the client.'}, {'type': 'paragraph', 'content': 'This causes the FreeRDP client to perform an out-of-bounds read on a global array, leading to a global buffer overflow.'}, {'type': 'paragraph', 'content': "The immediate impact is a client-side crash resulting in denial of service (DoS), disrupting the user's remote desktop session."}] [3]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring FreeRDP client logs for error messages related to RAIL execution results that include out-of-bounds execResult values. After the patch, logs include detailed error strings such as "RAIL_EXEC_E_UNKNOWN" along with the numeric error code in hexadecimal and the raw NT error code, which can help identify suspicious or unexpected execResult values.'}, {'type': 'paragraph', 'content': 'Specifically, enabling debug or trace logging on the FreeRDP client, especially for the X11 RAIL channel, will provide detailed information about execResult codes received from the server.'}, {'type': 'paragraph', 'content': 'While no explicit network commands are provided in the resources, you can use network traffic analysis tools (e.g., Wireshark) to capture and inspect RDP TS_RAIL_ORDER_EXEC_RESULT PDUs for execResult values of 7 or greater, which indicate potential exploitation attempts.'}, {'type': 'paragraph', 'content': 'On the system running FreeRDP, check logs for entries similar to: "RAIL exec error: execResult=RAIL_EXEC_E_UNKNOWN NtError=0x..." which indicate out-of-bounds execResult values.'}] [1, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade FreeRDP to version 3.23.0 or later, where the vulnerability is fixed by adding bounds checking on the execResult value before indexing the error_code_names array.

If upgrading immediately is not possible, consider restricting or monitoring connections to untrusted RDP servers, as a malicious server can exploit this vulnerability to cause client crashes and denial of service.

Enable detailed logging on the FreeRDP client to detect abnormal execResult values and abort connections when such values are encountered, as done in the patched code.

Useful 0 Not Useful 0