Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
In June of 2020, security researchers at Check Point Research discovered multiple critical RDP (Remote Desktop Protocol) flaws in Apache Guacamole. The nature of these vulnerabilities could enable hackers to exploit the gateway and disclose sensitive information remotely. Besides gaining control of the Guacamole server, a successful RDP exploit may allow adversaries to eavesdrop on all sessions, launch new sessions, control other systems on the enterprise network and record account credentials.
In this post, we’ll highlight the common vulnerabilities and exposures associated with the Apache Guacamole RDP client and share the CVE details of each vulnerability. We’ll then discuss Apache’s response, i.e., the steps they’ve taken to address these weaknesses. But before anything else, let’s have a quick overview of Apache Guacamole RDP tool and its purpose.
Apache Guacamole Remote Desktop Protocol: An overview
With a large number of companies allowing personnel to work from home in the wake of the COVID-19 pandemic, remote access tools that enable users to control office computers from their home are becoming increasingly popular. One popular tool is Apache Guacamole, an open-source remote desktop gateway that works in an HTML5 web environment.
Users can access Apache Guacamole on a wide range of devices, directly from Chrome, Safari and other web browsers. The tool has received over 10 million downloads to date, making it one of the most prominent RDP clients in the market. Another reason for its appeal is that it requires no client software or plugins — the reason why it’s called clientless.
Guacamole also contains support for RDP protocol, but not just one. It has support for RDP, VNC and even SSH. With Apache Guacamole, users can access corporate systems from any remote location using their web browser. The connection transmits through the Guacamole server, which manages the communication between the machine and the user. With both the desktop machine and the server hosted on the cloud, Apache Guacamole allows users to combine the flexibility of RDP with the benefits of cloud computing.
Reverse RDP vulnerabilities in Apache Guacamole
Check Point researchers identified various vulnerabilities as well as a way to connect them to an exploitable chain. Adversaries carrying out the process could take full control of the Guacamole gateway and each connection session. Below is a short video that briefly demonstrates the process.
Check Point already had an idea about FreeRDP, which is one of the RDP clients that Guacamole uses. However, the vulnerabilities present in FreeRDP were only patched in its 2.0.0-rc4 version, which came out in January 2020. This means all versions introduced before that are using exploitable versions of FreeRDP. This encouraged researchers to analyze previous versions of Guacamole, which were running vulnerable FreeRDP versions. The outcome? Researchers discovered a range of vulnerabilities that affect Apache Guacamole 1.1.0.
Let’s take a look at the CVE list.
CVE-2020-9497 – Information disclosure vulnerability
Check Point researchers found two information disclosure flaws impacting developers’ custom setup of an RDP channel designed to accommodate audio packets from the server. One vulnerability could enable a hacker to send a malicious rdpsnd channel message that could result in an out-of-bounds Heartbleed-style information disclosure. The other vulnerability pertains to a data leak that sends out-of-bounds information to a malicious client, rather than transmitting it back to the RDP server.
Researchers also detected a third vulnerability that is a variant of the second one. It resides in a separate channel known as “guacai”, which is inactive by default and is responsible for sound messages. All three vulnerabilities affect Guacamole 1.0.0 and older variants.
CVE-2020-9498 – Memory corruption flaw
CVE-2020-9498 is a memory corruption flaw that could enable adversaries to read and write exploits inside the vulnerable server. The flaw fuels the creation of a user-after-free vulnerability, which can be combined with the exploitation of other bugs to execute any code on the system.
By exploiting CVE-2020-9497 and CVE-2020-9498, Check Point researchers were able to create a privilege escalation scenario that initiates by gaining control over the single guacd process. After that, they connected the initial process over TCP 4822, transitioning from lower- to higher-level privileges. Then the layout and content were harvested from the memory. Researchers also indicated that hackers can use the previously stolen UUIDs to join all of the existing connections. It’s even possible for them to switch on the read-only privilege without being the owner after the exploit.
By leveraging these weaknesses, researchers were able to gain complete control of a test Apache Guacamole gateway. This allowed them to intercept all the data that was flowing through the channel (as demonstrated in the video).
CVE-2018-8786 – Out-of-bounds reads in FreeRDP
Besides the previous vulnerabilities, Check Point researchers also discovered a flaw in FreeRDP, which they classified as CVE-2018-8786. The flaw can result in out-of-bounds read vulnerabilities that may allow hackers to gain control of the server and intercept the information.
Check Point relayed the vulnerabilities to FreeRDP and Apache. Following this, Apache released a patch and issued two CVE-IDs to the vulnerabilities. Organizations that use Guacamole Apache to aid remote work are recommended to keep their servers up to date. If you use this RDP client in your organization, you can update to or install the patched version that is dubbed as version 1.2.0.
Additionally, you can look into solutions that use a data transport layer for every remote session’s connection, like Netop Remote Control. Solutions like these enforce the negotiation of the encryption level between the system initiating the connection request and the system being accessed. As a hacker would need to exploit a host system’s module (which doesn’t rely on an open protocol like RDP), the feasibility of carrying out an RDP attack would decrease significantly, giving you peace of mind.
Would you like some RCE with your Guacamole?, Check Point Research