FreeRDP Certificate Handling Vulnerability on Windows Platforms Leading to Heap-Based Out-of-Bounds Read

Vulnerability

A vulnerability has been identified in FreeRDP's certificate handling on Windows, affecting versions prior to 3.20.0. The function 'freerdp_certificate_data_hash_' uses the Microsoft-specific '_snprintf' function to format certificate cache filenames without ensuring NUL termination when the output is truncated. According to Microsoft, '_snprintf' does not add a terminating NUL byte if the output exceeds the buffer size. Code that later treats the buffer as a C string can therefore read past its end, a heap-based out-of-bounds read, when an attacker controls the hostname, for example through server redirection or a manipulated .rdp file. In default configurations the connection is usually terminated before any sensitive data can be exposed, but an unintended memory read or a client crash remains possible under certain conditions.
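As an added illustration (not FreeRDP's code), the C below places the truncation pattern the advisory describes beside a hardened form. '_snprintf' exists only on Windows, so 'sim_msvc_snprintf' is a portable simulation of just the behaviour the advisory cites (no terminating NUL when the output exceeds the buffer); the cache filename layout 'CACHE_FMT' is an assumption, since the advisory does not show FreeRDP's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Simulation (not Microsoft's code) of the _snprintf behaviour the advisory
 * relies on: output that does not fit is cut at cap bytes and no terminating
 * NUL is written; -1 signals truncation. Requires cap <= sizeof tmp. */
static int sim_msvc_snprintf(char *dst, size_t cap, const char *fmt, ...)
{
    char tmp[512];
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(tmp, sizeof tmp, fmt, ap);
    va_end(ap);
    if (n < 0) return -1;
    if ((size_t)n >= cap) {
        memcpy(dst, tmp, cap);   /* buffer full: no room left for the NUL */
        return -1;
    }
    memcpy(dst, tmp, (size_t)n + 1);
    return n;
}

/* Hypothetical cache-filename layout; the advisory does not show FreeRDP's. */
#define CACHE_FMT "%s_%u.pem"

/* Vulnerable pattern: format with _snprintf semantics, ignore the result and
 * hand the buffer on as if it were always a C string. */
static int cache_name_unsafe(char *dst, size_t cap, const char *host, unsigned port)
{
    sim_msvc_snprintf(dst, cap, CACHE_FMT, host, port);
    return 0;
}

/* Hardened pattern: C99 snprintf always writes a NUL when cap > 0, and a
 * return value >= cap means truncation, which is rejected rather than used. */
static int cache_name_safe(char *dst, size_t cap, const char *host, unsigned port)
{
    int n = snprintf(dst, cap, CACHE_FMT, host, port);
    if (n < 0 || (size_t)n >= cap) {
        if (cap) dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Check that a filled buffer holds a NUL within cap bytes; without one, any
 * strlen/strcpy on it is the out-of-bounds read described above. */
static int is_terminated(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}
```

With a long hostname the unsafe variant leaves the 16-byte buffer without any NUL, while the hardened variant refuses the truncated name and returns an empty string.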

Impact

Exploitation of this vulnerability can cause a heap-based out-of-bounds read, potentially leading to a client crash or an unintended memory read.

Remediation

Users can upgrade to FreeRDP version 3.20.0 or later to address this vulnerability.

Added: Dec 17, 2025, 10:21 PM
Updated: Dec 17, 2025, 10:21 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 1.3
exploitability: 5.1
remediation: 7.7
relevance: 1.4
threat: 3.2
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.