Security researchers at Check Point have uncovered multiple critical reverse RDP vulnerabilities in Apache Guacamole. Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols such as VNC, RDP, and SSH, together with MFA (Multi-Factor Authentication), compliance checks on the BYOD side, and several security controls such as IPS, SOC anomaly detection, and more. It allows system administrators to access and manage Windows and Linux machines remotely. Discovering vulnerabilities such as CVE-2020-9497 in Apache Guacamole is the result of using a good vulnerability management tool.
With large numbers of employees now working from home, remote access systems that let users control office computers from their home systems are increasingly popular. One free option is the open-source software Apache Guacamole, which has more than 10 million downloads to date on Docker Hub. Apache Guacamole lets users within an organization remotely access their desktops through a web browser after authenticating. Good vulnerability management software can help keep such a remote access environment secure.
“In particular, it was vulnerable to several critical Reverse RDP Vulnerabilities and affected by multiple new vulnerabilities found in FreeRDP. In particular, all Guacamole versions released before January 2020 use vulnerable versions of FreeRDP,” reads the analysis shared by Check Point researchers.
These CVE-2020-9497 vulnerabilities would allow an attacker or any threat actor who has compromised a computer inside the organization to attack back through the Guacamole gateway when an unsuspecting worker connects to the infected machine, allowing a malicious actor to gain full control over the Guacamole server and, in turn, to intercept and control all other connected sessions.
Vulnerability Details:
The attacks stem from one of two possible ways the gateway can be taken over:
Reverse Attack Scenario: A compromised machine inside the corporate network leverages an incoming benign connection to attack the Apache gateway, aiming to take it over.
Malicious Worker Scenario: With his malicious computer inside the network, a rogue employee can leverage his hold on both ends of the connection to take over the gateway.
Check Point said it identified the vulnerabilities as part of Guacamole’s recent security audit, which also added support for FreeRDP 2.0.0 toward the end of January 2020.
Notably, FreeRDP, an open-source RDP client, had its own share of remote code execution flaws uncovered early last year, following the release of 2.0.0-rc4.
CVE-2020-9497|Information disclosure vulnerabilities:
- Two separate flaws were identified in the developers’ implementation of one of the default RDP channels, “rdpsnd” (RDP Sound), which carries audio from the server.
- The first vulnerability exists at the integration point between the Guacamole server and FreeRDP, which proved error-prone. Incoming messages are wrapped in FreeRDP’s wStream objects, and the data should be parsed using that object’s API.
- The second vulnerability exists in the same RDP channel: it sends out-of-bounds data to the connected client instead of back to the RDP server.
- The first of the two flaws above allows an attacker to send a maliciously crafted rdpsnd channel message that could lead to a Heartbleed-style out-of-bounds read. The second bug in the same channel is a data leak that transmits out-of-bounds data to a connected client.
- An additional information disclosure vulnerability is tracked under the same CVE. It is a variant of the flaw above that resides in a different channel, “guacai,” which is responsible for “Audio Input” sound messages; this channel is disabled by default.
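The length-check failure behind the first rdpsnd flaw, shown as an added illustration that is not Guacamole’s or FreeRDP’s code: a constructed, simplified stream type and a length-prefixed message, with a naive parser that trusts the server-supplied length beside a hardened parser that validates it against the bytes actually present. All type and function names here are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Minimal stand-in for a FreeRDP-style stream: a buffer with a read cursor.
 * Hypothetical and simplified; not FreeRDP's real wStream. */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } stream_t;

static size_t stream_remaining(const stream_t *s) { return s->len - s->pos; }

static uint16_t read_u16(stream_t *s) {               /* little-endian */
    uint16_t v = (uint16_t)(s->buf[s->pos] | (s->buf[s->pos + 1] << 8));
    s->pos += 2;
    return v;
}

/* Vulnerable shape: trusts the length field the server sent and copies that
 * many bytes without checking how many actually remain in the message. */
size_t parse_naive(stream_t *s, uint8_t *out, size_t out_cap) {
    uint16_t body_len = read_u16(s);
    if (body_len > out_cap) return 0;
    memcpy(out, s->buf + s->pos, body_len);           /* may read past the message */
    s->pos += body_len;
    return body_len;
}

/* Hardened shape: check every length against the bytes remaining before
 * touching the buffer, and refuse the message on any mismatch. */
size_t parse_checked(stream_t *s, uint8_t *out, size_t out_cap) {
    if (stream_remaining(s) < 2) return 0;
    uint16_t body_len = read_u16(s);
    if (body_len > stream_remaining(s) || body_len > out_cap) return 0;
    memcpy(out, s->buf + s->pos, body_len);
    s->pos += body_len;
    return body_len;
}

/* Constructed sample (2-byte length, then body): the message claims an 8-byte
 * body but carries only 4; the 4 bytes after it stand in for unrelated
 * adjacent memory that the naive parser would hand to the client. */
static const uint8_t SAMPLE[] = { 0x08, 0x00, 'a', 'b', 'c', 'd', 'S', 'E', 'C', 'R' };

/* Parses the 6-byte message with either parser; returns bytes copied out.
 * Naive: 8 (the last four are "SECR"); checked: 0 (message rejected). */
size_t demo_parse(int hardened) {
    stream_t s = { SAMPLE, 6, 0 };
    uint8_t out[16];
    return hardened ? parse_checked(&s, out, sizeof out)
                    : parse_naive(&s, out, sizeof out);
}
```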
Check Point researchers also uncovered two additional vulnerabilities: out-of-bounds reads that exploit a design flaw in FreeRDP. They then looked for a memory corruption vulnerability that could be leveraged together with the data leaks above.
CVE-2020-9498|Memory Corruption Flaw in Guacamole:
- The flaw exists in an abstraction layer, “guac_common_svc.c”, laid over the rdpsnd and rdpdr (Device Redirection) channels. It arises from a memory safety violation resulting in a dangling-pointer vulnerability, which allows an attacker to achieve code execution by combining the two flaws.
- A malicious RDP server could send an out-of-order message fragment that uses the previously freed wStream object, effectively turning the bug into a use-after-free vulnerability.
Finally, by chaining CVE-2020-9497 and CVE-2020-9498, an attacker could achieve remote code execution (RCE), taking control of the guacd process when a remote user requests a connection to the attacker’s compromised computer.
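The dangling-pointer pattern in fragment reassembly, shown as an added example that is not Guacamole’s guac_common_svc.c code: a constructed handler for FIRST/LAST-flagged fragments that clears the reassembly pointer after release and rejects a continuation fragment that arrives when nothing is being reassembled. The flag values, types and function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical fragment flags in the FIRST/LAST style of RDP virtual
 * channels; not Guacamole's or FreeRDP's own definitions. */
#define FRAG_FIRST 0x01
#define FRAG_LAST  0x02

typedef struct { uint8_t *data; size_t len; } assembly_t;
typedef struct { assembly_t *pending; size_t delivered; } channel_t;  /* pending: message being rebuilt, or NULL */

static int append(assembly_t *a, const uint8_t *p, size_t n) {
    uint8_t *grown = realloc(a->data, a->len + n);
    if (!grown) return -1;
    memcpy(grown + a->len, p, n);
    a->data = grown; a->len += n;
    return 0;
}

/* The vulnerable shape frees the stream on LAST but keeps the stale pointer, so a
 * later continuation fragment (no FIRST) appends into freed memory. This handler
 * clears the pointer and refuses fragments that do not fit the channel state. */
int handle_fragment(channel_t *ch, uint8_t flags, const uint8_t *p, size_t n) {
    if (flags & FRAG_FIRST) {
        if (ch->pending) return -1;          /* FIRST while a message is open */
        ch->pending = calloc(1, sizeof *ch->pending);
        if (!ch->pending) return -1;
    } else if (!ch->pending) {
        return -1;                           /* continuation with nothing open */
    }
    if (append(ch->pending, p, n) < 0) return -1;
    if (flags & FRAG_LAST) {
        ch->delivered++;
        free(ch->pending->data); free(ch->pending);
        ch->pending = NULL;                  /* no dangling reference survives */
    }
    return 0;
}

/* Constructed sequence: a two-fragment message, then a stray continuation.
 * Returns 1 when the handler delivered once and rejected the stray fragment. */
int demo_out_of_order(void) {
    channel_t ch = { NULL, 0 };
    const uint8_t body[] = { 'a', 'b', 'c', 'd' };
    if (handle_fragment(&ch, FRAG_FIRST, body, 4) != 0) return 0;
    if (handle_fragment(&ch, FRAG_LAST, body, 4) != 0) return 0;
    int rc = handle_fragment(&ch, 0, body, 4);
    return (rc < 0 && ch.delivered == 1 && ch.pending == NULL) ? 1 : 0;
}
```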
Check Point researchers have demonstrated the exploitation of these vulnerabilities as a proof-of-concept.
Impact
Exploiting these CVE-2020-9497 vulnerabilities could allow remote attackers to take full control of the Guacamole server and, therefore, to intercept and control all other connected sessions.
Affected Products
Apache Guacamole before 1.2.0.
Solution
Apache, the maintainers of Guacamole, released a patch fixing these vulnerabilities in June 2020.
SanerNow security content is available to detect this vulnerability. We strongly recommend installing the security updates without delay.