FreeRDP Server authentication might allow invalid credentials to pass
CVE-2022-24883

7.4HIGH

Key Information:

Vendor: Freerdp
Status: Freerdp
Vendor: CVE Published:; 26 April 2022

What is CVE-2022-24883?

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server side authentication against a SAM file might be successful for invalid credentials if the server has configured an invalid SAM file path. FreeRDP based clients are not affected. RDP server implementations using FreeRDP to authenticate against a SAM file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via HashCallback and/or ensure the SAM database path configured is valid and the application has file handles left.

Affected Version(s)

FreeRDP < 2.7.0

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GH...

https://github.com/FreeRDP/FreeRDP/commit/4661492e5a61719...

https://github.com/FreeRDP/FreeRDP/commit/6f473b273a4b6f0...

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 26, 2022
Vulnerability Reserved
Feb 10, 2022

Freerdp

What is CVE-2022-24883?

Affected Version(s)

References

CVSS V3.1

Timeline