Multiple RDP vulnerabilities in Apache Guacamole
Two critical vulnerabilities were found with Apache’s popular open-source remote desktop gateway Apache Guacamole. These vulnerabilities could allow an attacker who has successfully compromised a device within a corporate network, to attack back via the Guacamole gateway when user connects to this infected device.
This could also allow the attacker to take full control over the Guacamole server and to intercept and control all other sessions.
Apache Guacamole is an open-source remote destktop gateway solution. When installed on a company’s server, it allows users to remotely connect to the company server via a web browser.
Check Point Research has discovered two critical vulnerabilities with Apache Guacamole tracked as CVE-2020-9497 and CVE-2020-9498.
The vulnerability, CVE-2020-9497, enables an information disclosure risk. This flaw allows an attacker to craft a malicious RDP Sound (rdpsnd) message which could then result in information leakage from the memory of the guacd process handling the connection.
CVE-2020-9498 is a memory corruption flaw allowing remote code execution. If a user connects to a compromised RDP server, he’ll receive a series of specially-crafted PDUs. It could then result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.
By exploiting these two vulnerabilities, an attacker could execute remote code execution (RCE) on a malicious RDP server and take control of the guacd process when remote user requests to connect to this infected machine.
For more detailed information please refer to the following link:
CERT.be recommends system administrators to apply the latest patches released by the vendor as soon as possible (at least version 1.2.0: https://guacamole.apache.org/releases/1.2.0/).