Security researchers at Check Point have uncovered multiple critical Reverse RDP vulnerabilities in Apache Guacamole. Apache Guacamole is a clientless remote desktop gateway: it supports standard protocols such as VNC, RDP and SSH, and can be combined with MFA (Multi-Factor Authentication), compliance checks on the BYOD side, and security controls such as IPS and SOC anomaly detection. It lets system administrators remotely access and manage Windows and Linux machines.
With large numbers of employees now working from home, remote access systems that let users control office computers from their home systems are increasingly popular. One free option is the open-source Apache Guacamole, which has more than 10 million downloads on Docker Hub to date. Guacamole lets users within an organization reach their desktops from a web browser once they have authenticated to the gateway.
“In particular, it was vulnerable to several critical Reverse RDP Vulnerabilities and affected by multiple new vulnerabilities found in FreeRDP. In particular, all versions of Guacamole that were released before January 2020 are using vulnerable versions of FreeRDP,” reads the analysis published by Check Point Research.
These vulnerabilities allow an attacker who has already compromised a computer inside the organization to attack back through the Guacamole gateway when an unsuspecting worker connects to that infected machine. The attacker then gains full control over the Guacamole server and can intercept and control every other connected session.
The attacks stem from one of two ways the gateway can be taken over:
Reverse Attack Scenario: A compromised machine inside the corporate network leverages an incoming benign connection to attack the Guacamole gateway and take it over.
Malicious Worker Scenario: A rogue employee, whose malicious computer sits inside the network, leverages control of both ends of the connection to take over the gateway.
Check Point said it identified the vulnerabilities as part of a security audit of Guacamole, whose codebase added support for FreeRDP 2.0.0 towards the end of January 2020.
It is worth noting that FreeRDP, the open-source RDP client Guacamole relies on, has had its own share of remote code execution flaws, uncovered early in the previous year following the release of 2.0.0-rc4.
- CVE-2020-9497|Information disclosure vulnerabilities:
- Two separate flaws were identified in Guacamole's implementation of the default RDP channel that carries audio from the server, "rdpsnd" (RDP Sound).
- The first vulnerability is in the integration point between guacamole-server and FreeRDP, which proved error-prone. Incoming channel messages are wrapped in FreeRDP's wStream objects and should be parsed through that object's API, which tracks how much data remains; because the rdpsnd handler does not honour that bound, a malicious RDP server can send a crafted rdpsnd channel message that makes guacd read past the end of the received data, a Heartbleed-style out-of-bounds read.
- The second vulnerability is in the same channel and is a data leak: it sends the out-of-bounds data to the connected client rather than back to the RDP server.
- A further information disclosure vulnerability, tracked under the same CVE, is a variant of the above flaw in a different channel, "guacai", which carries "Audio Input" from the client. That channel is disabled by default.
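To make the rdpsnd over-read concrete, here is an added illustration (written for this page, not Guacamole's or FreeRDP's code) of the parsing pattern behind CVE-2020-9497: a server-supplied record count is trusted, so a short PDU that claims more audio formats than it actually carries makes the parser copy adjacent memory into the reply. The `stream_t` type is a simplified stand-in for FreeRDP's wStream, the 4-byte format record and the `wNumberOfFormats` layout are assumptions, and the "SECRET" bytes placed after the PDU are constructed to stand in for whatever happens to follow it on the heap. The hardened parser differs only in checking the remaining length before every copy, which is what parsing through the stream API gives you for free.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for FreeRDP's wStream: a buffer with a logical length and a
 * read cursor. Added illustration only, not FreeRDP's or Guacamole's code. */
typedef struct {
    const uint8_t *data;
    size_t len;   /* bytes actually received for this PDU */
    size_t pos;   /* read cursor */
} stream_t;

static size_t stream_remaining(const stream_t *s) {
    return s->len > s->pos ? s->len - s->pos : 0;
}

static uint16_t read_u16_le(stream_t *s) {
    uint16_t v = (uint16_t)(s->data[s->pos] | (s->data[s->pos + 1] << 8));
    s->pos += 2;
    return v;
}

#define FORMAT_SIZE 4     /* assumed per-format record size; real rdpsnd records are larger */
#define MAX_RESPONSE 64   /* size of the reply buffer the formats are copied into */

/* Vulnerable: trusts the server-supplied format count and copies that many
 * records into the reply, never checking how many bytes the PDU really holds. */
int parse_formats_vulnerable(stream_t *s, uint8_t *reply, size_t *reply_len) {
    if (stream_remaining(s) < 2) return -1;
    uint16_t count = read_u16_le(s);
    size_t n = (size_t)count * FORMAT_SIZE;
    if (n > MAX_RESPONSE) return -1;        /* only the destination is bounded */
    memcpy(reply, s->data + s->pos, n);     /* may read past s->len */
    s->pos += n;
    *reply_len = n;
    return count;
}

/* Hardened: every read is bounded by what the stream says is left. */
int parse_formats_fixed(stream_t *s, uint8_t *reply, size_t *reply_len) {
    if (stream_remaining(s) < 2) return -1;
    uint16_t count = read_u16_le(s);
    size_t n = (size_t)count * FORMAT_SIZE;
    if (n > MAX_RESPONSE) return -1;
    if (stream_remaining(s) < n) return -1; /* the check the vulnerable path lacks */
    memcpy(reply, s->data + s->pos, n);
    s->pos += n;
    *reply_len = n;
    return count;
}

/* Constructed memory layout: a short PDU claiming 4 formats but carrying only 1,
 * followed by unrelated "secret" bytes that happen to sit after it. Keeping both
 * in one array makes the over-read deterministic for the demonstration. */
static const uint8_t g_backing[] = {
    0x04, 0x00,                 /* wNumberOfFormats = 4 (a lie) */
    0xAA, 0xBB, 0xCC, 0xDD,     /* the one format record actually sent */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y', '!', '!', '!', '!', '!', '!',
};
#define PDU_LEN 6               /* bytes the RDP server really sent */

/* Returns 1 if the vulnerable parser's reply contains bytes that were never part
 * of the PDU, i.e. the leak described above. */
int demo_leak(void) {
    stream_t s = { g_backing, PDU_LEN, 0 };
    uint8_t reply[MAX_RESPONSE];
    size_t reply_len = 0;
    if (parse_formats_vulnerable(&s, reply, &reply_len) < 0) return 0;
    return reply_len > (PDU_LEN - 2) && memcmp(reply + (PDU_LEN - 2), "SECRET", 6) == 0;
}

/* Returns 1 if the hardened parser rejects the same PDU. */
int demo_fixed_rejects_pdu(void) {
    stream_t s = { g_backing, PDU_LEN, 0 };
    uint8_t reply[MAX_RESPONSE];
    size_t reply_len = 0;
    return parse_formats_fixed(&s, reply, &reply_len) == -1;
}

int main(void) {
    printf("vulnerable parser leaked adjacent memory: %s\n", demo_leak() ? "yes" : "no");
    printf("hardened parser rejected the PDU: %s\n", demo_fixed_rejects_pdu() ? "yes" : "no");
    return 0;
}
```

The reply buffer is where the leak becomes useful to an attacker: whatever the parser copies out of the over-read region is exactly what gets echoed back over the channel, so a bounds check on the destination alone does nothing to stop the disclosure.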
Check Point also found two additional out-of-bounds reads that take advantage of a design flaw in FreeRDP, and then went looking for a memory corruption vulnerability that could be combined with the data leaks above.
- CVE-2020-9498|Memory Corruption flaw in Guacamole:
- The flaw is in "guac_common_svc.c", an abstraction layer that sits over the rdpsnd and rdpdr (Device Redirection) channels. A memory-safety violation there leaves a dangling pointer to a freed wStream object; combined with the information leaks above, this is enough for an attacker to achieve code execution.
- A malicious RDP server can send an out-of-order message fragment that is processed through the previously freed wStream object, turning the dangling pointer into a use-after-free.
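The following is an added illustration of the fragment-reassembly bug pattern described above; it is not the code of guac_common_svc.c or of FreeRDP. Two channels share one reassembly layer. The vulnerable handler frees the wStream when a message's last fragment arrives but keeps the pointer, so a later fragment sent without the FIRST flag is appended to memory that has since been handed to the other channel. The two-slot stream pool, the `CHANNEL_FLAG_FIRST`/`CHANNEL_FLAG_LAST` flags and the fragment sequence are constructed for the demonstration; the pool exists only so that reuse after free is deterministic and the corruption can be observed without undefined behaviour, whereas on a real heap the freed chunk is reused less predictably.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tiny fixed pool standing in for heap allocation of wStream objects. Added
 * illustration only; Guacamole and FreeRDP use the real heap. */
#define SLOTS 2
#define CAP 32

typedef struct { uint8_t buf[CAP]; size_t len; int in_use; } wstream_t;
static wstream_t pool[SLOTS];

static void pool_reset(void) { memset(pool, 0, sizeof pool); }

static wstream_t *stream_new(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; pool[i].len = 0; return &pool[i]; }
    return NULL;
}
static void stream_free(wstream_t *s) { s->in_use = 0; }   /* slot becomes reusable */
static int stream_append(wstream_t *s, const uint8_t *d, size_t n) {
    if (s->len + n > CAP) return -1;
    memcpy(s->buf + s->len, d, n);
    s->len += n;
    return 0;
}

/* One static virtual channel (rdpsnd or rdpdr) as seen by the shared layer: the
 * message being reassembled, plus the last complete message delivered onward. */
typedef struct { wstream_t *input; uint8_t last[CAP]; size_t last_len; } svc_t;

enum { CHANNEL_FLAG_FIRST = 1, CHANNEL_FLAG_LAST = 2 };   /* fragment flags (assumed) */

static void deliver(svc_t *svc) {
    memcpy(svc->last, svc->input->buf, svc->input->len);
    svc->last_len = svc->input->len;
}

/* Vulnerable: the stream is freed on the last fragment, but svc->input still
 * points at it. A later fragment without CHANNEL_FLAG_FIRST is appended to
 * whatever now occupies that memory. */
int svc_receive_vulnerable(svc_t *svc, int flags, const uint8_t *d, size_t n) {
    if (flags & CHANNEL_FLAG_FIRST) svc->input = stream_new();
    if (!svc->input) return -1;
    if (stream_append(svc->input, d, n) < 0) return -1;
    if (flags & CHANNEL_FLAG_LAST) {
        deliver(svc);
        stream_free(svc->input);          /* dangling: the pointer survives the free */
    }
    return 0;
}

/* Hardened: clear the pointer after the free, accept a continuation only while a
 * message is in progress, and refuse a new FIRST while one is unfinished. */
int svc_receive_fixed(svc_t *svc, int flags, const uint8_t *d, size_t n) {
    if (flags & CHANNEL_FLAG_FIRST) {
        if (svc->input) return -1;        /* out of order: previous message unfinished */
        svc->input = stream_new();
    }
    if (!svc->input) return -1;           /* continuation with nothing in progress */
    if (stream_append(svc->input, d, n) < 0) {
        stream_free(svc->input);
        svc->input = NULL;
        return -1;
    }
    if (flags & CHANNEL_FLAG_LAST) {
        deliver(svc);
        stream_free(svc->input);
        svc->input = NULL;
    }
    return 0;
}

typedef int (*receive_fn)(svc_t *, int, const uint8_t *, size_t);

/* Constructed fragment sequence from a malicious RDP server. Returns the message
 * rdpdr finally delivers and, via stray_rc, the handler's verdict on the
 * out-of-order rdpsnd fragment. */
size_t run_sequence(receive_fn rx, uint8_t *out, int *stray_rc) {
    pool_reset();
    svc_t rdpsnd = { .input = NULL }, rdpdr = { .input = NULL };
    rx(&rdpsnd, CHANNEL_FLAG_FIRST | CHANNEL_FLAG_LAST, (const uint8_t *)"A", 1); /* complete, freed */
    rx(&rdpdr, CHANNEL_FLAG_FIRST, (const uint8_t *)"B1", 2);                      /* reuses that slot */
    *stray_rc = rx(&rdpsnd, 0, (const uint8_t *)"XX", 2);                           /* continuation, no FIRST */
    rx(&rdpdr, CHANNEL_FLAG_LAST, (const uint8_t *)"B2", 2);
    memcpy(out, rdpdr.last, rdpdr.last_len);
    return rdpdr.last_len;
}

/* 1 if the stray rdpsnd fragment was accepted and landed inside rdpdr's message. */
int demo_vulnerable_corrupts(void) {
    uint8_t out[CAP]; int rc;
    size_t n = run_sequence(svc_receive_vulnerable, out, &rc);
    return rc == 0 && n == 6 && memcmp(out, "B1XXB2", 6) == 0;
}

/* 1 if the stray fragment was rejected and rdpdr's message arrived intact. */
int demo_fixed_keeps_channels_apart(void) {
    uint8_t out[CAP]; int rc;
    size_t n = run_sequence(svc_receive_fixed, out, &rc);
    return rc == -1 && n == 4 && memcmp(out, "B1B2", 4) == 0;
}

int main(void) {
    printf("vulnerable layer let rdpsnd write into rdpdr's message: %s\n",
           demo_vulnerable_corrupts() ? "yes" : "no");
    printf("hardened layer rejected the out-of-order fragment: %s\n",
           demo_fixed_keeps_channels_apart() ? "yes" : "no");
    return 0;
}
```

The cross-channel write is the point: because rdpsnd and rdpdr share the same reassembly layer, a message fragment on one channel is enough to tamper with the in-flight buffer of the other, and with heap addresses known from the information leaks that write can be aimed at something more interesting than another channel's buffer.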
Finally, by chaining CVE-2020-9497 and CVE-2020-9498, an attacker can achieve remote code execution (RCE) and take control of the guacd process as soon as a remote user asks to connect to the attacker's compromised computer.
Check Point researchers demonstrated exploitation of these vulnerabilities with a proof-of-concept.
Successful exploitation gives a remote attacker full control over the Guacamole server, including the ability to intercept and control all other connected sessions.
Affected versions: Apache Guacamole before 1.2.0 (1.1.0 and older).
The Apache Guacamole project released version 1.2.0 in June 2020 fixing these vulnerabilities.
SanerNow security content has been published to detect these vulnerabilities. We strongly recommend installing the security updates without delay.