CVE-2024-32459

FreeRDP Out-Of-Bounds Read in ncrush_decompress

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients and servers that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. No known workarounds are available.

FreeRDP es una implementación gratuita del orotocolo de escritorio remoto. Los clientes y servidores basados en FreeRDP que utilizan una versión de FreeRDP anterior a 3.5.0 o 2.11.6 son vulnerables a lecturas fuera de los límites. Las versiones 3.5.0 y 2.11.6 solucionan el problema. No hay workarounds disponibles.

*Credits: N/A

CVSS Scores

GitHubv3.1 9.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-04-12 CVE Reserved
2024-04-22 CVE Published
2024-05-22 First Exploit
2024-06-11 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (11)

URL	Tag	Source
https://github.com/FreeRDP/FreeRDP/pull/10077	X_refsource_misc
https://github.com/FreeRDP/FreeRDP/releases/tag/2.11.6	X_refsource_misc
https://github.com/FreeRDP/FreeRDP/releases/tag/3.5.0	X_refsource_misc
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cp4q-p737-rmw9	X_refsource_confirm
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JL476WVJSIE7SBUKVJRVA6A52V2HOLZ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7SIS6NUNLUBOV4CPCSWKDE6T6C2W3WTR
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PX3U6YPZQ7PEJBVKSBUOLWVH7DHROHY5
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKI4UISUXYNBPN4K6TIQKDRTIJ6CDCKJ

URL	Date	SRC
https://github.com/absholi7ly/FreeRDP-Out-of-Bounds-Read-CVE-2024-32459-	2024-05-22

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-32459	2024-11-12
https://bugzilla.redhat.com/show_bug.cgi?id=2276721	2024-11-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
FreeRDP Search vendor "FreeRDP"		FreeRDP Search vendor "FreeRDP" for product "FreeRDP"				>= < 3.0.0 Search vendor "FreeRDP" for product "FreeRDP" and version " >= < 3.0.0"		en		Affected
FreeRDP Search vendor "FreeRDP"		FreeRDP Search vendor "FreeRDP" for product "FreeRDP"				< 2.11.6 Search vendor "FreeRDP" for product "FreeRDP" and version " < 2.11.6"		en		Affected