Cybersecurity specialists report the detection of two severe vulnerabilities in the popular FreeRDP programming language. According to the report, successful exploitation of these flaws would allow threat actors to seriously compromise affected systems.

Below are brief descriptions of the reported flaws, along with their respective tracking identifiers and the scores assigned under the Common Vulnerability Scoring System (CVSS).

CVE-2021-41159: A boundary error when processing /gt:rpc connections would allow threat actors to send specially crafted data to the client from a remote server, leading to arbitrary code execution on the target system.

This is a high-severity flaw and received a CVSS score of 7.7/10, as its successful exploitation would put the entire affected system at risk.

CVE-2021-41160: A boundary error when processing connections with GDI or SurfaceCommands would allow a remote server to send specially crafted data to the client, trigger an out-of-bounds write, and execute arbitrary code.

The flaw received a CVSS score of 7.7/10 and its successful exploitation would allow threat actors to take full control of the compromised system.

According to the report, these flaws reside in the following versions of FreeRDP: 2.0.0, 2.0.0 rc0, 2.0.0 rc1, 2.0.0 rc2, 2.0.0 rc3, 2.0.0 rc4, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.3.0, 2.3.1, 2.3.2 and 2.4.0.

Although both flaws can be exploited by unauthenticated remote attackers over the Internet, so far no active exploitation attempts and no malware variant associated with the attack have been detected. Security patches are already available, so users of affected versions are advised to update as soon as possible.


The post Two critical vulnerabilities affect millions of FreeRDP servers. Patch them before someone installs a backdoor appeared first on Information Security Newspaper | Hacking News.
