Pierluigi Paganini July 02, 2020

Security researchers discovered multiple critical reverse RDP vulnerabilities in the remote desktop application Apache Guacamole.

Security experts from Check Point Research have discovered multiple critical reverse RDP vulnerabilities in the Apache Guacamole, which is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH and allows system administrators to remotely access and manage Windows and Linux machines.

The vulnerabilities could be exploited by threat actors to achieve full control over the Guacamole server, intercept, and control all other connected sessions.

The issues are specifically critical now, in a ‘new normal’ scenario post-COVID-19.

Apache Guacamole allows users within an organization to remotely access their desktops simply using a web browser post an authentication process.

Apache Guacamole currently has amassed over 10 million downloads to date on Docker Hub.

“In particular, it was vulnerable to several critical Reverse RDP Vulnerabilities, and affected by multiple new vulnerabilities found in FreeRDP.  In particular, all versions of Guacamole that were released before January 2020 are using vulnerable versions of FreeRDP.” reads the analysis published by CheckPoint Researchers.

“These vulnerabilities would allow an attacker, or any threat actor who     successfully compromises a computer inside the organization, to attack back via the Guacamole gateway when an unsuspecting worker connect to his infected machine. This allows a malicious actor to achieve full control over the Guacamole server, and to intercept and control all other connected sessions.”

Once compromised a computer inside the target organization, an attacker can launch an attack on the Guacamole gateway when an unsuspecting worker attempt to connect to an infected machine. Another attack scenario sees a rogue employee who uses a computer inside the target network to hijack the gateway.

CheckPoint researchers reported the vulnerabilities to Apache on March 31, and the company addressed it with the release of a new version in June 2020.

“Knowing that our vulnerabilities in FreeRDP were only patched on version 2.0.0-rc4, this means that all versions that were released before January 2020 are using vulnerable versions of FreeRDP.” reads the report published by CheckPoint.

“We could have stopped here and estimated the high probability that most companies haven’t yet upgraded to the latest versions, and could already be attacked using these known 1-Days.”

Below the list of vulnerabilities found by the experts:

• CVE-2020-9497 – Two Information disclosure vulnerabilities impact the developers’ custom implementation of an RDP channel used to handle audio packets from the server (“rdpsnd”). The first vulnerability could allow be exploited by an attacker using a crafted malicious rdpsnd message that could lead to an out-of-bounds read Heartbleed-style. The second vulnerability is a data leak that transmits the out-of-bounds data to a connected client, instead of back to the RDP server.

CheckPoint also spotted a third information disclosure vulnerability that is a variant of the above vulnerability that resides in a different channel called “guacai,” which is responsible for sound messages and is disabled by default.

• Out-of-bounds reads in FreeRDP — Check Point researchers they uncovered two additional out-of-bounds reads issued that leverage a design flaw in FreeRDP.

• CVE-2020-9498 – Memory Corruption flaw in Guacamole

By using vulnerabilities CVE-2020-9497 and CVE-2020-9498, “a malicious corporate computer (our RDP ‘server’) can take control of the guacd process when a remote user requests to connect to his (infected) computer.”

Pierluigi Paganini

(SecurityAffairs – hacking, Apache Guacamole)

[adrotate banner=”5″]

[adrotate banner=”13″]