CVE-2024-32662
Publication date 23 April 2024
Last updated 6 February 2025
Ubuntu priority
FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read. This occurs when `WCHAR` string is read with twice the size it has and converted to `UTF-8`, `base64` decoded. The string is only used to compare against the redirection server certificate. Version 3.5.1 contains a patch for the issue. No known workarounds are available.
Read the notes from the security team
Why is this CVE low priority?
FreeRDP developers have rated this as being a low severity issue
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| freerdp | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| freerdp2 | 24.04 LTS noble |
Not affected
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| freerdp3 | 24.04 LTS noble |
Fixed 3.5.1+dfsg1-0ubuntu1
|
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release |
Notes
mdeslaur
introduced in https://github.com/FreeRDP/FreeRDP/commit/ae8f0106bd9d79dc0369c19b632c5112338ecad4
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6759-1
- FreeRDP vulnerabilities
- 29 April 2024