Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
In June of 2020, security researchers at Check Point Research discovered multiple critical RDP (Remote Desktop Protocol) flaws in Apache Guacamole. The nature of these vulnerabilities could enable hackers to exploit the gateway and disclose sensitive information remotely. Besides gaining control of the Guacamole server, a successful RDP exploit may allow adversaries to eavesdrop on all sessions, launch new sessions, control other systems on the enterprise network and record account credentials.
In this post, we’ll highlight the common vulnerabilities and exposures associated with the Apache Guacamole RDP client and share the CVE details of each vulnerability. We’ll then discuss Apache’s response, i.e., the steps they’ve taken to address these weaknesses. But before anything else, let’s have a quick overview of Apache Guacamole RDP tool and its purpose.
Learn Vulnerability Management
Apache Guacamole Remote Desktop Protocol: An overview
With a large number of companies allowing personnel to work from home in the wake of the COVID-19 pandemic, remote access tools that enable users to control office computers from their home are becoming increasingly popular. One popular tool is Apache Guacamole, an open-source remote desktop gateway that works in an HTML5 web environment.
Users can access Apache Guacamole on a wide range of devices, directly from Chrome, Safari and other web browsers. The tool has received over 10 million downloads to date, making it one of the most prominent RDP clients in the market. Another reason for its appeal is that it requires no client software or plugins — the reason why it’s called clientless.
Guacamole also contains support for RDP protocol, but not just one. It has support for RDP, VNC and even SSH. With Apache Guacamole, users can access corporate systems from any remote location using their web browser. The connection transmits through the Guacamole server, which manages the communication between the machine and the user. With both the desktop machine and the server hosted on the cloud, Apache Guacamole allows users to combine the flexibility of RDP with the benefits of cloud computing.
Reverse RDP vulnerabilities in Apache Guacamole
Check Point researchers identified various vulnerabilities as well as a way to connect them to an exploitable chain. Adversaries carrying out the process could take full control of the Guacamole gateway and each connection session. Below is a short video that briefly demonstrates the process.
Check Point already had an idea about FreeRDP, which is one of the RDP clients that Guacamole uses. However, the vulnerabilities present in FreeRDP were only patched in its 2.0.0-rc4 version, which came out in January 2020. This means all versions introduced before that are using exploitable versions of FreeRDP. This encouraged researchers to analyze previous versions of Guacamole, which were running vulnerable FreeRDP versions. The outcome? Researchers discovered a range of vulnerabilities that affect Apache Guacamole 1.1.0.
Let’s take a look at the CVE list.
CVE-2020-9497 – Information disclosure vulnerability
Check Point researchers found two information disclosure flaws impacting developers’ custom setup of an RDP channel designed to accommodate audio packets from the server. One vulnerability could enable a hacker to send a malicious rdpsnd channel message that could result in an out-of-bounds Heartbleed-style information disclosure. The other vulnerability pertains to a data leak that sends out-of-bounds information to a malicious client, rather than transmitting it back to the RDP server.
Researchers also detected a third vulnerability that is a variant of the second one. It resides in a separate channel known as “guacai”, which is inactive by default and is responsible for sound messages. All three vulnerabilities affect Guacamole 1.0.0 and older variants.
CVE-2020-9498 – Memory corruption flaw
CVE-2020-9498 is a memory corruption flaw that could enable adversaries to read and write exploits inside the vulnerable server. The flaw fuels the creation of a user-after-free vulnerability, which can be combined with the exploitation of other bugs to execute any code on the system.
By exploiting CVE-2020-9497 and CVE-2020-9498, Check Point researchers were able to create a privilege escalation scenario that initiates by gaining control over the single guacd process. After that, they connected the initial process over TCP 4822, transitioning from lower- to higher-level privileges. Then the layout and content were harvested from the memory. Researchers also indicated that hackers can use the previously stolen UUIDs to join all of the existing connections. It’s even possible for them to switch on the read-only privilege without being the owner after the exploit.
By leveraging these weaknesses, researchers were able to gain complete control of a test Apache Guacamole gateway. This allowed them to intercept all the data that was flowing through the channel (as demonstrated in the video).
CVE-2018-8786 – Out-of-bounds reads in FreeRDP
Besides the previous vulnerabilities, Check Point researchers also discovered a flaw in FreeRDP, which they classified as CVE-2018-8786. The flaw can result in out-of-bounds read vulnerabilities that may allow hackers to gain control of the server and intercept the information.
Learn Vulnerability Management
Conclusion
Check Point relayed the vulnerabilities to FreeRDP and Apache. Following this, Apache released a patch and issued two CVE-IDs to the vulnerabilities. Organizations that use Guacamole Apache to aid remote work are recommended to keep their servers up to date. If you use this RDP client in your organization, you can update to or install the patched version that is dubbed as version 1.2.0.
Additionally, you can look into solutions that use a data transport layer for every remote session’s connection, like Netop Remote Control. Solutions like these enforce the negotiation of the encryption level between the system initiating the connection request and the system being accessed. As a hacker would need to exploit a host system’s module (which doesn’t rely on an open protocol like RDP), the feasibility of carrying out an RDP attack would decrease significantly, giving you peace of mind.
Sources
- Would you like some RCE with your Guacamole?, Check Point Research
- Avoid RDP Exploits with a Secure Remote Desktop, Netop
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- The importance of asset visibility in the detection and remediation of vulnerabilities
- Digium Phones Under Attack and how web shells can be really dangerous
- vSingle is abusing GitHub to communicate with the C2 server
- The most dangerous vulnerabilities exploited in 2022
- Follina — Microsoft Office code execution vulnerability
- Spring4Shell vulnerability details and mitigations
- How criminals are taking advantage of Log4shell vulnerability
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- How to report a security vulnerability to an organization
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- Whitespace obfuscation: PHP malware, web shells and steganography
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- URGENT/11 vulnerability
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
- Security vulnerabilities of voice recognition technologies
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Vulnerabilities
Vulnerabilities
