A vulnerability has been found in FreeRDP up to 3.5.0 and classified as critical. Affected by this vulnerability is some unknown functionality. The manipulation with an unknown input leads to a allocation of resources vulnerability. The CWE definition for the vulnerability is CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. As an impact it is known to affect availability. The summary by CVE is:

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.5.1, a malicious server can crash the FreeRDP client by sending invalid huge allocation size. Version 3.5.1 contains a patch for the issue. No known workarounds are available.

It is possible to read the advisory at github.com. This vulnerability is known as CVE-2024-32660 since 04/16/2024. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1499 according to MITRE ATT&CK.

Upgrading to version 3.5.1 eliminates this vulnerability. Applying the patch 5e5d27cf310e4c10b854be7667bfb7a5d774eb47 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

See VDB-261755, VDB-261757, VDB-261758 and VDB-261760 for similar entries.

Productinfo

Name

• FreeRDP

Version

• 3.0
• 3.1
• 3.2
• 3.3
• 3.4
• 3.5

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion