CVE-2022-24882 — Improper Authentication in Freerdp

CWE-287 — Improper Authentication CWE-233 — Improper Handling of Parameters6 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 28.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freerdp Debian Freerdp2 Fedoraproject Extra Packages FOR Enterprise Linux +1 more

Timeline

PublishedApr 26

Latest updateJun 6

Description

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). In versions prior to 2.7.0, NT LAN Manager (NTLM) authentication does not properly abort when someone provides and empty password value. This issue affects FreeRDP based RDP Server implementations. RDP clients are not affected. The vulnerability is patched in FreeRDP 2.7.0. There are currently no known workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDfreerdp/freerdp< 2.7.0

▶debiandebian/freerdp2< freerdp2 2.7.0+dfsg1-1 (bookworm)

▶NVDfedoraproject/extra_packages8.0

Also affects: Fedora 34, 35, 36

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

freerdp2 vulnerabilities↗2022-06-06

▶

OSV

CVE-2022-24882: FreeRDP is a free implementation of the Remote Desktop Protocol (RDP)↗2022-04-26

▶

📋Vendor Advisories

Ubuntu

FreeRDP vulnerabilities↗2022-06-06

▶

Red Hat

freerdp: Server side NTLM does not properly check parameters↗2022-04-22

▶

Debian

CVE-2022-24882: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). In versio...↗2022

▶