CVE-2022-24883
published 2022-04-26

Priority: P262 · CVSS 3.1: 9.8 (critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.19% (80.2th percentile)
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure the `SAM` database path configured is valid and the application has file handles left.

Affected

5 ranges

Vendor        | Product  | Version range                        | Fixed in
debian        | freerdp2 | < freerdp2 2.7.0+dfsg1-1 (bookworm)  | freerdp2 2.7.0+dfsg1-1 (bookworm)
fedoraproject | fedora   |                                      |
fedoraproject | fedora   |                                      |
fedoraproject | fedora   |                                      |
freerdp       | freerdp  | < 2.7.0                              | 2.7.0

Detection & IOCs (extracted from sources)

  • The vulnerability allows a remote attacker to bypass server authentication when the server has an invalid SAM file path configured — monitor for successful RDP authentications with invalid/unexpected credentials against FreeRDP-based servers.
  • Detection should focus on FreeRDP server instances running versions prior to 2.7.0 (upstream) or prior to 2.3.0+dfsg1-2+deb11u2 (Debian bullseye) / 2.7.0+dfsg1-1 (Debian bookworm).
  • The vulnerability is only triggerable when the FreeRDP server is configured with an invalid SAM file path — a valid, accessible SAM database path mitigates the issue.
  • As a workaround (if patching is not immediately possible), use custom authentication via HashCallback and/or ensure the SAM database path is valid and the application has file handles available.
  • RHEL 6/7/8/9 are not affected because server support is completely disabled in RHEL builds of FreeRDP.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv           |         | 9.8   | CRITICAL |
vendor_ubuntu |         | 9.1   | CRITICAL |
vendor_debian |         | 7.4   | HIGH     |
vendor_redhat |         | 7.4   | HIGH     |