CVE-2022-24882: Server side NTLM does not properly check parameters in FreeRDP
First published: Tue Apr 26 2022(Updated: )
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). In versions prior to 2.7.0, NT LAN Manager (NTLM) authentication does not properly abort when someone provides and empty password value. This issue affects FreeRDP based RDP Server implementations. RDP clients are not affected. The vulnerability is patched in FreeRDP 2.7.0. There are currently no known workarounds.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FreeRDP FreeRDP | <2.7.0 | |
| Fedoraproject Extra Packages For Enterprise Linux | =8.0 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/FreeRDP/FreeRDP/pull/7750
- https://github.com/FreeRDP/FreeRDP/releases/tag/2.7.0
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6x5p-gp49-3jhh
- https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/95
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AELSWWBAM2YONRPGLWVDY6UNTLJERJYL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DOYKBQOHSRM7JQYUIYUWFOXI2JZ2J5RD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZWR6KSIKXO4B2TXBB3WH6YTNYHN46OY/
- https://security.gentoo.org/glsa/202210-24
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AELSWWBAM2YONRPGLWVDY6UNTLJERJYL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOYKBQOHSRM7JQYUIYUWFOXI2JZ2J5RD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZWR6KSIKXO4B2TXBB3WH6YTNYHN46OY/
Frequently Asked Questions
What is CVE-2022-24882?
CVE-2022-24882 is a vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP), where NT LAN Manager (NTLM) authentication does not properly abort when an empty password is provided.
Which software versions are affected by CVE-2022-24882?
Versions of FreeRDP prior to 2.7.0 are affected by CVE-2022-24882.
How severe is CVE-2022-24882?
CVE-2022-24882 has a severity score of 7.5 (critical).
How can I fix CVE-2022-24882?
To fix CVE-2022-24882, upgrade to FreeRDP version 2.7.0 or later.
Where can I find more information about CVE-2022-24882?
More information about CVE-2022-24882 can be found at the following references: - [GitHub Pull Request #7750](https://github.com/FreeRDP/FreeRDP/pull/7750) - [FreeRDP 2.7.0 Release](https://github.com/FreeRDP/FreeRDP/releases/tag/2.7.0) - [GitHub Security Advisory GHSA-6x5p-gp49-3jhh](https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6x5p-gp49-3jhh)
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/severity
- agent/remedy
- agent/title
- agent/author
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- vendor/freerdp
- canonical/freerdp freerdp
- vendor/fedoraproject
- canonical/fedoraproject extra packages for enterprise linux
- version/fedoraproject extra packages for enterprise linux/8.0
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36