FreeRDP IMA ADPCM Audio Processing Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in FreeRDP clients prior to version 3.24.2. When audio redirection is enabled, a malicious RDP server can crash the client by sending IMA ADPCM audio data with an invalid step index value of 89 or higher. The FreeRDP audio decoder does not validate the step index before using it to access a lookup table, leading to an assertion failure and process termination. This issue affects all FreeRDP-based clients, including xfreerdp and the SDL client.

Impact

Exploitation of this vulnerability causes the FreeRDP client to crash. The audio step index is not validated, so an out-of-range value triggers an assertion failure and the process aborts. The Common Weakness Enumeration classifies this as a reachable assertion leading to denial of service.

Reproduction

The vulnerability can be reproduced by using a crafted IMA ADPCM audio block that includes an out-of-range step index value (89-255). This can be done by setting up a malicious RDP server that sends such audio data to a FreeRDP client with audio redirection enabled. When the client receives the audio block, it will crash due to the unvalidated step index causing an assertion failure.

Remediation

Users can upgrade to FreeRDP version 3.24.2 or later to address this vulnerability.
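
The missing check described above, shown in a standalone decoder (an added example, not FreeRDP's code or its patch). It assumes the common mono IMA ADPCM block layout of a 4-byte header (16-bit little-endian predictor, step index byte, reserved byte) followed by packed 4-bit codes; the names ima_decode_block and IMA_MAX_INDEX are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define IMA_MAX_INDEX 88 /* step table has 89 entries: valid indices 0..88 */

static const int16_t ima_step[IMA_MAX_INDEX + 1] = {
    7, 8, 9, 10, 11, 12, 13, 14, 16, 17, 19, 21, 23, 25, 28, 31, 34, 37, 41, 45,
    50, 55, 60, 66, 73, 80, 88, 97, 107, 118, 130, 143, 157, 173, 190, 209, 230,
    253, 279, 307, 337, 371, 408, 449, 494, 544, 598, 658, 724, 796, 876, 963,
    1060, 1166, 1282, 1411, 1552, 1707, 1878, 2066, 2272, 2499, 2749, 3024,
    3327, 3660, 4026, 4428, 4871, 5358, 5894, 6484, 7132, 7845, 8630, 9493,
    10442, 11487, 12635, 13899, 15289, 16818, 18500, 20350, 22385, 24623,
    27086, 29794, 32767
};
static const int8_t ima_index_adj[8] = { -1, -1, -1, -1, 2, 4, 6, 8 };

/* Decode one mono block (assumed layout: int16 LE predictor, step index,
 * reserved byte, then 4-bit codes packed low nibble first).
 * Returns the number of samples written to out, or -1 if the block is
 * rejected because it is truncated or carries an out-of-range step index. */
int ima_decode_block(const uint8_t *in, size_t len, int16_t *out, size_t cap)
{
    /* The step index comes from the peer: reject it before any table access. */
    if (len < 4 || in[2] > IMA_MAX_INDEX)
        return -1;
    int32_t pred = (int16_t)(in[0] | (in[1] << 8));
    int idx = in[2];
    size_t n = 0;
    for (size_t i = 4; i < len; i++) {
        for (int half = 0; half < 2; half++) {
            if (n == cap) return (int)n;          /* never write past out[] */
            uint8_t code = half ? (in[i] >> 4) : (in[i] & 0x0F);
            int step = ima_step[idx];
            int diff = step >> 3;
            if (code & 1) diff += step >> 2;
            if (code & 2) diff += step >> 1;
            if (code & 4) diff += step;
            pred += (code & 8) ? -diff : diff;
            if (pred > 32767) pred = 32767;       /* clamp to int16 range */
            if (pred < -32768) pred = -32768;
            idx += ima_index_adj[code & 7];
            if (idx < 0) idx = 0;                 /* keep the running index in 0..88 */
            if (idx > IMA_MAX_INDEX) idx = IMA_MAX_INDEX;
            out[n++] = (int16_t)pred;
        }
    }
    return (int)n;
}
```

Rejecting the block with an error return, rather than asserting on the index, lets the client drop the bad audio data and keep the session alive.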

Added: Mar 30, 2026, 10:32 PM
Updated: Mar 30, 2026, 10:32 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 4.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.