CVE-2022-24882
📋 TL;DR
This vulnerability allows attackers to bypass NTLM authentication in FreeRDP-based RDP servers by providing an empty password. This affects FreeRDP server implementations prior to version 2.7.0, potentially enabling unauthorized access to remote desktop sessions. RDP clients are not impacted by this issue.
💻 Affected Systems
- FreeRDP-based RDP servers
- GNOME Remote Desktop
- Other FreeRDP server implementations
📦 What is this software?
Extra Packages For Enterprise Linux by Fedoraproject
Fedora by Fedoraproject
Freerdp by Freerdp
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of RDP servers allowing unauthenticated attackers to gain remote access to systems, potentially leading to data theft, ransomware deployment, or lateral movement within networks.
Likely Case
Unauthorized access to RDP servers by attackers who can reach the vulnerable service, leading to credential harvesting, data exfiltration, and initial foothold establishment.
If Mitigated
Limited impact with proper network segmentation, strong authentication controls, and monitoring in place to detect authentication anomalies.
🎯 Exploit Status
The vulnerability is straightforward to exploit as it involves sending an empty password during NTLM authentication. No authentication is required to attempt exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.0
Vendor Advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6x5p-gp49-3jhh
Restart Required: Yes
Instructions:
1. Download FreeRDP 2.7.0 or later from official repositories.
2. Stop the RDP server service.
3. Install the updated version.
4. Restart the RDP server service.
5. Verify the version is 2.7.0 or higher.
🔧 Temporary Workarounds
Disable NTLM Authentication
Configure the RDP server to use an alternative authentication method, such as Kerberos or certificate-based authentication, instead of NTLM.
# Configure authentication method in FreeRDP server configuration
# Set authentication to use Kerberos or certificates
Network Access Control
Restrict access to RDP servers with firewall rules so that only trusted networks or IP addresses can connect.
# Example iptables rules to restrict RDP access (replace trusted_network with the trusted address or CIDR; the ACCEPT rule must be appended before the DROP rule)
iptables -A INPUT -p tcp --dport 3389 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 3389 -j DROP
🧯 If You Can't Patch
- Implement network segmentation to isolate RDP servers from critical systems
- Enable multi-factor authentication for RDP access if supported
🔍 How to Verify
Check if Vulnerable:
Check the FreeRDP version with 'xfreerdp --version' or query the installed package version. If the version is below 2.7.0, the system is vulnerable.
Check Version:
xfreerdp --version
Verify Fix Applied:
After patching, verify that the version is 2.7.0 or higher using 'xfreerdp --version' or a package manager query.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts with empty passwords
- Successful authentications from unexpected sources
- Multiple authentication attempts in short timeframes
Network Indicators:
- RDP connection attempts with NTLM authentication
- Traffic to RDP port 3389 from untrusted sources
SIEM Query:
source="rdp_server.log" AND ((event="authentication_failed" AND password="") OR (event="authentication_successful" AND source_ip NOT IN trusted_ips))
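As an added, defender-side example (not part of this advisory and not FreeRDP code), the following Python walks constructed log lines in the key=value layout assumed by the SIEM query above and raises an alert for each of the three log indicators listed: empty-password failures, successes from outside an allow-list, and bursts of attempts from one source. The field names, timestamp format and trusted-IP set are assumptions; real FreeRDP or gnome-remote-desktop logs would need their own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real FreeRDP output) in a key=value layout that
# mirrors the fields of the SIEM query above. A real log should never contain the
# password itself, only whether it was empty, so non-empty ones appear as "***".
SAMPLE_LOG = """\
2024-01-10T08:00:01Z event=authentication_failed user=admin password="" source_ip=203.0.113.7
2024-01-10T08:00:02Z event=authentication_failed user=admin password="" source_ip=203.0.113.7
2024-01-10T08:00:03Z event=authentication_successful user=admin source_ip=203.0.113.7
2024-01-10T08:05:00Z event=authentication_successful user=alice source_ip=10.0.0.5
2024-01-10T09:00:00Z event=authentication_failed user=bob password="***" source_ip=10.0.0.9
"""
TRUSTED_IPS = {"10.0.0.5", "10.0.0.9"}  # assumed allow-list of management hosts

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split '<ISO timestamp> k=v k="v" ...' into (datetime, dict); None if malformed."""
    ts, _, rest = line.partition(" ")
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(rest)}
    return when, fields

def detect(log_text, trusted_ips, burst_count=3, burst_window=timedelta(seconds=60)):
    """Return (indicator, source_ip, timestamp) alerts for the three log indicators."""
    alerts, attempts = [], defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, f = parsed
        event, ip = f.get("event"), f.get("source_ip")
        # Indicator 1: failed authentication with an empty password (the CVE's trigger)
        if event == "authentication_failed" and f.get("password") == "":
            alerts.append(("empty_password", ip, when))
        # Indicator 2: a success from a source outside the allow-list
        if event == "authentication_successful" and ip not in trusted_ips:
            alerts.append(("untrusted_success", ip, when))
        # Indicator 3: burst of attempts from one source inside a sliding window
        attempts[ip] = [t for t in attempts[ip] if when - t <= burst_window] + [when]
        if len(attempts[ip]) == burst_count:
            alerts.append(("burst", ip, when))
    return alerts
```

Running `detect(SAMPLE_LOG, TRUSTED_IPS)` on the sample yields four alerts, all from 203.0.113.7: two empty-password failures, one success from an untrusted source, and one burst.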
🔗 References
- https://github.com/FreeRDP/FreeRDP/pull/7750
- https://github.com/FreeRDP/FreeRDP/releases/tag/2.7.0
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6x5p-gp49-3jhh
- https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/95
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AELSWWBAM2YONRPGLWVDY6UNTLJERJYL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOYKBQOHSRM7JQYUIYUWFOXI2JZ2J5RD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZWR6KSIKXO4B2TXBB3WH6YTNYHN46OY/
- https://security.gentoo.org/glsa/202210-24
- https://lists.debian.org/debian-lts-announce/2025/02/msg00034.html