In FreeRDP versions less than or equal to 2.0.0, there is an out-of-bounds read in `ntlm_read_ntlm_v2_client_challenge` (in `winpr/libwinpr/sspi/NTLM/ntlm_compute.c`) that reads up to 28 bytes out of bounds into an internal structure. This has been fixed in 2.1.0.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "211676456731767137019728773717396383906", "142002718534890085186882303774041871813", "326590373457921532474577125776340758673", "92446602161392049848322987325756642675", "244837119603015813013823863255436314461", "88986712316767417463579653199593800425", "205040071286649792016492765856929257982", "322933729723612140702113726666585771660" ] }, "signature_type": "Line", "source": "https://github.com/freerdp/freerdp/commit/c098f21fdaadca57ff649eee1674f6cc321a2ec4", "signature_version": "v1", "target": { "file": "winpr/libwinpr/sspi/NTLM/ntlm_compute.c" }, "deprecated": false, "id": "CVE-2020-11086-5849ac3d" }, { "digest": { "function_hash": "191925567384038713584274953095323463496", "length": 652.0 }, "signature_type": "Function", "source": "https://github.com/freerdp/freerdp/commit/c098f21fdaadca57ff649eee1674f6cc321a2ec4", "signature_version": "v1", "target": { "file": "winpr/libwinpr/sspi/NTLM/ntlm_compute.c", "function": "ntlm_read_ntlm_v2_client_challenge" }, "deprecated": false, "id": "CVE-2020-11086-a90348c5" } ] }