{"id": "THN:77F832E3FCBED966C47D5256B7841AFD", "hash": "b279693c6b3f0eee4ab9fe407ef6da38", "type": "thn", "bulletinFamily": "info", "title": "Critical Apache Guacamole Flaws Put Remote Desktops at Risk of Hacking", "description": "[](<https://thehackernews.com/images/-iDfhKNfuyPU/Xv2hDZP_8kI/AAAAAAAAAiM/CpsGHGEN1PAskWsOIa-vaJhgwSK6NyFVQCLcBGAsYHQ/s728-e100/Apache-Guacamole-Hacking.jpg>)\n\nA new research has uncovered multiple critical [reverse RDP vulnerabilities](<https://thehackernews.com/2020/05/reverse-rdp-attack-patch.html>) in **Apache Guacamole**, a popular remote desktop application used by system administrators to access and manage Windows and Linux machines remotely. \n \nThe reported flaws could potentially let bad actors achieve full control over the Guacamole server, intercept, and control all other connected sessions. \n \nAccording to a [report](<https://blog.checkpoint.com/2020/07/02/hole-y-guacamole-fixing-critical-vulnerabilities-in-apaches-popular-remote-desktop-gateway/>) published by Check Point Research and shared with The Hacker News, the flaws grant \"an attacker, who has already successfully compromised a computer inside the organization, to launch an attack on the Guacamole gateway when an unsuspecting worker tries to connect to an infected machine.\" \n \nAfter the cybersecurity firm responsibly disclosed its findings to Apache, the maintainers of Guacamole, on March 31, the company released a [patched version](<https://guacamole.apache.org/releases/1.2.0/>) in June 2020. \n\n\n \n[Apache Guacamole](<https://guacamole.apache.org/>) is a popular open-source clientless remote desktop gateways solution. When installed on a company's server, it allows users to remotely connect to their desktops simply using a web browser post an authentication process. \n \nNotably, Apache Guacamole remote desktop application has amassed over [10 million downloads](<https://hub.docker.com/r/guacamole/guacamole>) to date on Docker Hub. \n \n\n\n## Memory Corruption Flaw to RCE\n\n \nThe attacks stem from one of the two possible ways the gateway can be taken over: either by a compromised machine inside the corporate network that leverages an incoming benign connection to attack the Apache gateway or a rogue employee who uses a computer inside the network to hijack the gateway. \n \nCheck Point team said it identified the flaws as part of Guacamole's recent security audit, which also added support for FreeRDP 2.0.0 towards the end of January 2020. \n \nIt's worth pointing out that [FreeRDP](<https://www.freerdp.com/>), an open-source RDP client, had its own fair share of [remote code execution flaws](<https://research.checkpoint.com/2019/reverse-rdp-attack-code-execution-on-rdp-clients/>), which were disclosed early last year following the release of 2.0.0-rc4. \n \n\n\n \n\"Knowing that vulnerabilities in FreeRDP were only patched on version 2.0.0-rc4, this means that all versions that were released before January 2020 are using vulnerable versions of FreeRDP,\" Check Point researcher Eyal Itkin said. \n \nHere's a quick summary of all flaws discovered: \n \n\n\n * **Information disclosure vulnerabilities (CVE-2020-9497) \u2014** Two separate flaws were identified in the developers' custom implementation of an RDP channel used to handle audio packets from the server (\"rdpsnd\"). The first of the two flaws permits an attacker to craft a malicious rdpsnd message that could lead to an out-of-bounds read similar to [Heartbleed](<https://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html>). A second bug in the same channel is a data leak that transmits the out-of-bounds data to a connected client.\n \nThe third information disclosure bug is a variant of the aforementioned flaw that resides in a different channel called \"guacai,\" responsible for audio input and is disabled by default. \n \n\n\n * **Out-of-bounds reads in FreeRDP \u2014** Looking to find a memory corruption vulnerability that could be leveraged to exploit the above data leaks, Check Point said they uncovered two additional instances of out-of-bounds reads that take advantage of a design flaw in FreeRDP.\n \n\n\n * **Memory Corruption flaw in Guacamole (CVE-2020-9498) \u2014** This flaw, present in an abstraction layer (\"guac_common_svc.c\") laid over rdpsnd and rdpdr (Device Redirection) channels, arises from a memory safety violation, resulting in a [dangling pointer](<https://en.wikipedia.org/wiki/Dangling_pointer>) that allows an attacker to achieve code execution by combining the two flaws.\n \nUse-after-free vulnerabilities are memory corruption bugs that typically occur when an application tries to use memory space that is no longer assigned to it. This usually causes a program to crash but can also sometimes lead to other unintended consequences, such as code execution that can be exploited by malicious actors. \n\n\n \nBy using vulnerabilities CVE-2020-9497 and CVE-2020-9498, \"a malicious corporate computer (our RDP 'server') can take control of the [guacd process](<https://guacamole.apache.org/doc/gug/guacamole-architecture.html#guacd>) when a remote user requests to connect to his (infected) computer,\" Itkin said. \n \n\n\n## A Case of Privilege Escalation\n\n \nMore concerning, Check Point found it was possible to seize control of all of the connections in the gateway from only a single guacd process, which runs on the Guacamole server to handle remote connections to the corporate network. \n \nIn addition to controlling the gateway, this privilege escalation allows an attacker to eavesdrop on all incoming sessions, record the credentials used, and even start new sessions to control the rest of the organization's computers. \n \n\"While the transition to remote work from home is a necessity in these tough times of the COVID-19 pandemic, we can't neglect the security implications of such remote connections,\" Itkin concluded. \"When most of the organization is working remotely, this foothold is equivalent to gaining full control over the entire organizational network.\" \n \n\"We strongly recommend that everyone makes sure that all servers are up-to-date, and that whatever technology used for working from home is fully patched to block such attack attempts.\"\n", "published": "2020-07-02T09:59:00", "modified": "2020-07-08T07:01:05", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "href": "https://thehackernews.com/2020/07/apache-guacamole-hacking.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2020-9497", "CVE-2020-9498"], "lastseen": "2020-07-08T08:26:37", "history": [{"bulletin": {"id": "THN:77F832E3FCBED966C47D5256B7841AFD", "hash": "53e60361d936f8823507113ad4e339e5", "type": "thn", "bulletinFamily": "info", "title": "Critical Apache Guacamole Flaws Put Remote Desktops at Risk of Hacking", "description": "[](<https://thehackernews.com/images/-iDfhKNfuyPU/Xv2hDZP_8kI/AAAAAAAAAiM/CpsGHGEN1PAskWsOIa-vaJhgwSK6NyFVQCLcBGAsYHQ/s728-e100/Apache-Guacamole-Hacking.jpg>)\n\nA new research has uncovered multiple critical [reverse RDP vulnerabilities](<https://thehackernews.com/2020/05/reverse-rdp-attack-patch.html>) in **Apache Guacamole**, a popular remote desktop application used by system administrators to access and manage Windows and Linux machines remotely. \n \nThe reported flaws could potentially let bad actors achieve full control over the Guacamole server, intercept, and control all other connected sessions. \n \nAccording to a [report](<https://blog.checkpoint.com/2020/07/02/hole-y-guacamole-fixing-critical-vulnerabilities-in-apaches-popular-remote-desktop-gateway/>) published by Check Point Research and shared with The Hacker News, the flaws grant \"an attacker, who has already successfully compromised a computer inside the organization, to launch an attack on the Guacamole gateway when an unsuspecting worker tries to connect to an infected machine.\" \n \nAfter the cybersecurity firm responsibly disclosed its findings to Apache, the maintainers of Guacamole, on March 31, the company released a [patched version](<https://guacamole.apache.org/releases/1.2.0/>) in June 2020. \n\n\n \n[Apache Guacamole](<https://guacamole.apache.org/>) is a popular open-source clientless remote desktop gateways solution. When installed on a company's server, it allows users to remotely connect to their desktops simply using a web browser post an authentication process. \n \nNotably, Apache Guacamole remote desktop application has amassed over [10 million downloads](<https://hub.docker.com/r/guacamole/guacamole>) to date on Docker Hub. \n \n\n\n## Memory Corruption Flaw to RCE\n\n \nThe attacks stem one of the two possible ways the gateway can be taken over: either by a compromised machine inside the corporate network that leverages an incoming benign connection to attack the Apache gateway or a rogue employee who uses a computer inside the network to hijack the gateway. \n \nCheck Point team said it identified the flaws as part of Guacamole's recent security audit, which also added support for FreeRDP 2.0.0 towards the end of January 2020. \n \nIt's worth pointing out that [FreeRDP](<https://www.freerdp.com/>), an open-source RDP client, had its own fair share of [remote code execution flaws](<https://research.checkpoint.com/2019/reverse-rdp-attack-code-execution-on-rdp-clients/>), which were disclosed early last year following the release of 2.0.0-rc4. \n \n\n\n \n\"Knowing that vulnerabilities in FreeRDP were only patched on version 2.0.0-rc4, this means that all versions that were released before January 2020 are using vulnerable versions of FreeRDP,\" Check Point researcher Eyal Itkin said. \n \nHere's a quick summary of all flaws discovered: \n \n\n\n * **Information disclosure vulnerabilities (CVE-2020-9497) \u2014** Two separate flaws were identified in the developers' custom implementation of an RDP channel used to handle audio packets from the server (\"rdpsnd\"). The first of the two flaws permits an attacker to craft a malicious rdpsnd message that could lead to an out-of-bounds read similar to [Heartbleed](<https://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html>). A second bug in the same channel is a data leak that transmits the out-of-bounds data to a connected client.\n \nThe third information disclosure bug is a variant of the aforementioned flaw that resides in a different channel called \"guacai,\" responsible for audio input and is disabled by default. \n \n\n\n * **Out-of-bounds reads in FreeRDP \u2014** Looking to find a memory corruption vulnerability that could be leveraged to exploit the above data leaks, Check Point said they uncovered two additional instances of out-of-bounds reads that take advantage of a design flaw in FreeRDP.\n \n\n\n * **Memory Corruption flaw in Guacamole (CVE-2020-9498) \u2014** This flaw, present in an abstraction layer (\"guac_common_svc.c\") laid over rdpsnd and rdpdr (Device Redirection) channels, arises from a memory safety violation, resulting in a [dangling pointer](<https://en.wikipedia.org/wiki/Dangling_pointer>) that allows an attacker to achieve code execution by combining the two flaws.\n \nUse-after-free vulnerabilities are memory corruption bugs that typically occur when an application tries to use memory space that is no longer assigned to it. This usually causes a program to crash but can also sometimes lead to other unintended consequences, such as code execution that can be exploited by malicious actors. \n\n\n \nBy using vulnerabilities CVE-2020-9497 and CVE-2020-9498, \"a malicious corporate computer (our RDP 'server') can take control of the [guacd process](<https://guacamole.apache.org/doc/gug/guacamole-architecture.html#guacd>) when a remote user requests to connect to his (infected) computer,\" Itkin said. \n \n\n\n## A Case of Privilege Escalation\n\n \nMore concerning, Check Point found it was possible to seize control of all of the connections in the gateway from only a single guacd process, which runs on the Guacamole server to handle remote connections to the corporate network. \n \nIn addition to controlling the gateway, this privilege escalation allows an attacker to eavesdrop on all incoming sessions, record the credentials used, and even start new sessions to control the rest of the organization's computers. \n \n\"While the transition to remote work from home is a necessity in these tough times of the COVID-19 pandemic, we can't neglect the security implications of such remote connections,\" Itkin concluded. \"When most of the organization is working remotely, this foothold is \nequivalent to gaining full control over the entire organizational network.\" \n \n\"We strongly recommend that everyone makes sure that all servers are up-to-date, and that whatever technology used for working from home is fully patched to block such attack attempts.\"\n", "published": "2020-07-02T09:59:00", "modified": "2020-07-02T09:59:35", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://thehackernews.com/2020/07/apache-guacamole-hacking.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2020-9497", "CVE-2020-9498"], "lastseen": "2020-07-02T10:24:18", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [], "modified": "2020-07-02T10:24:18", "rev": 2}, "score": {"value": 1.1, "vector": "NONE", "modified": "2020-07-02T10:24:18", "rev": 2}}, "objectVersion": "1.4"}, "lastseen": "2020-07-02T10:24:18", "differentElements": ["description", "modified"], "edition": 1}, {"bulletin": {"id": "THN:77F832E3FCBED966C47D5256B7841AFD", "hash": "d5e73830d3c1e8e573bf46cd3b22d931", "type": "thn", "bulletinFamily": "info", "title": "Critical Apache Guacamole Flaws Put Remote Desktops at Risk of Hacking", "description": "[](<https://thehackernews.com/images/-iDfhKNfuyPU/Xv2hDZP_8kI/AAAAAAAAAiM/CpsGHGEN1PAskWsOIa-vaJhgwSK6NyFVQCLcBGAsYHQ/s728-e100/Apache-Guacamole-Hacking.jpg>)\n\nA new research has uncovered multiple critical [reverse RDP vulnerabilities](<https://thehackernews.com/2020/05/reverse-rdp-attack-patch.html>) in **Apache Guacamole**, a popular remote desktop application used by system administrators to access and manage Windows and Linux machines remotely. \n \nThe reported flaws could potentially let bad actors achieve full control over the Guacamole server, intercept, and control all other connected sessions. \n \nAccording to a [report](<https://blog.checkpoint.com/2020/07/02/hole-y-guacamole-fixing-critical-vulnerabilities-in-apaches-popular-remote-desktop-gateway/>) published by Check Point Research and shared with The Hacker News, the flaws grant \"an attacker, who has already successfully compromised a computer inside the organization, to launch an attack on the Guacamole gateway when an unsuspecting worker tries to connect to an infected machine.\" \n \nAfter the cybersecurity firm responsibly disclosed its findings to Apache, the maintainers of Guacamole, on March 31, the company released a [patched version](<https://guacamole.apache.org/releases/1.2.0/>) in June 2020. \n\n\n \n[Apache Guacamole](<https://guacamole.apache.org/>) is a popular open-source clientless remote desktop gateways solution. When installed on a company's server, it allows users to remotely connect to their desktops simply using a web browser post an authentication process. \n \nNotably, Apache Guacamole remote desktop application has amassed over [10 million downloads](<https://hub.docker.com/r/guacamole/guacamole>) to date on Docker Hub. \n \n\n\n## Memory Corruption Flaw to RCE\n\n \nThe attacks stem one of the two possible ways the gateway can be taken over: either by a compromised machine inside the corporate network that leverages an incoming benign connection to attack the Apache gateway or a rogue employee who uses a computer inside the network to hijack the gateway. \n \nCheck Point team said it identified the flaws as part of Guacamole's recent security audit, which also added support for FreeRDP 2.0.0 towards the end of January 2020. \n \nIt's worth pointing out that [FreeRDP](<https://www.freerdp.com/>), an open-source RDP client, had its own fair share of [remote code execution flaws](<https://research.checkpoint.com/2019/reverse-rdp-attack-code-execution-on-rdp-clients/>), which were disclosed early last year following the release of 2.0.0-rc4. \n \n\n\n \n\"Knowing that vulnerabilities in FreeRDP were only patched on version 2.0.0-rc4, this means that all versions that were released before January 2020 are using vulnerable versions of FreeRDP,\" Check Point researcher Eyal Itkin said. \n \nHere's a quick summary of all flaws discovered: \n \n\n\n * **Information disclosure vulnerabilities (CVE-2020-9497) \u2014** Two separate flaws were identified in the developers' custom implementation of an RDP channel used to handle audio packets from the server (\"rdpsnd\"). The first of the two flaws permits an attacker to craft a malicious rdpsnd message that could lead to an out-of-bounds read similar to [Heartbleed](<https://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html>). A second bug in the same channel is a data leak that transmits the out-of-bounds data to a connected client.\n \nThe third information disclosure bug is a variant of the aforementioned flaw that resides in a different channel called \"guacai,\" responsible for audio input and is disabled by default. \n \n\n\n * **Out-of-bounds reads in FreeRDP \u2014** Looking to find a memory corruption vulnerability that could be leveraged to exploit the above data leaks, Check Point said they uncovered two additional instances of out-of-bounds reads that take advantage of a design flaw in FreeRDP.\n \n\n\n * **Memory Corruption flaw in Guacamole (CVE-2020-9498) \u2014** This flaw, present in an abstraction layer (\"guac_common_svc.c\") laid over rdpsnd and rdpdr (Device Redirection) channels, arises from a memory safety violation, resulting in a [dangling pointer](<https://en.wikipedia.org/wiki/Dangling_pointer>) that allows an attacker to achieve code execution by combining the two flaws.\n \nUse-after-free vulnerabilities are memory corruption bugs that typically occur when an application tries to use memory space that is no longer assigned to it. This usually causes a program to crash but can also sometimes lead to other unintended consequences, such as code execution that can be exploited by malicious actors. \n\n\n \nBy using vulnerabilities CVE-2020-9497 and CVE-2020-9498, \"a malicious corporate computer (our RDP 'server') can take control of the [guacd process](<https://guacamole.apache.org/doc/gug/guacamole-architecture.html#guacd>) when a remote user requests to connect to his (infected) computer,\" Itkin said. \n \n\n\n## A Case of Privilege Escalation\n\n \nMore concerning, Check Point found it was possible to seize control of all of the connections in the gateway from only a single guacd process, which runs on the Guacamole server to handle remote connections to the corporate network. \n \nIn addition to controlling the gateway, this privilege escalation allows an attacker to eavesdrop on all incoming sessions, record the credentials used, and even start new sessions to control the rest of the organization's computers. \n \n\"While the transition to remote work from home is a necessity in these tough times of the COVID-19 pandemic, we can't neglect the security implications of such remote connections,\" Itkin concluded. \"When most of the organization is working remotely, this foothold is equivalent to gaining full control over the entire organizational network.\" \n \n\"We strongly recommend that everyone makes sure that all servers are up-to-date, and that whatever technology used for working from home is fully patched to block such attack attempts.\"\n", "published": "2020-07-02T09:59:00", "modified": "2020-07-02T13:31:15", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://thehackernews.com/2020/07/apache-guacamole-hacking.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2020-9497", "CVE-2020-9498"], "lastseen": "2020-07-02T14:24:21", "history": [], "viewCount": 69, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-9497", "CVE-2020-9498"]}, {"type": "threatpost", "idList": ["THREATPOST:B6B17DDF563BDA6C7BB968C7C736774D"]}], "modified": "2020-07-02T14:24:21", "rev": 2}, "score": {"value": 5.6, "vector": "NONE", "modified": "2020-07-02T14:24:21", "rev": 2}}, "objectVersion": "1.4"}, "lastseen": "2020-07-02T14:24:21", "differentElements": ["cvss", "description", "modified"], "edition": 2}], "viewCount": 140, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-9498", "CVE-2020-9497"]}, {"type": "threatpost", "idList": ["THREATPOST:B6B17DDF563BDA6C7BB968C7C736774D"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310144236"]}], "modified": "2020-07-08T08:26:37", "rev": 2}, "score": {"value": 5.8, "vector": "NONE", "modified": "2020-07-08T08:26:37", "rev": 2}, "vulnersScore": 5.8}, "objectVersion": "1.4", "_object_type": "robots.models.thn.ThnBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.thn.ThnBulletin"]}

{"cve": [{"lastseen": "2020-07-23T14:18:29", "bulletinFamily": "NVD", "description": "Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed with the privileges of therunning guacd process.", "modified": "2020-07-21T16:02:00", "id": "CVE-2020-9498", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9498", "published": "2020-07-02T13:15:00", "title": "CVE-2020-9498", "type": "cve", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-23T14:18:29", "bulletinFamily": "NVD", "description": "Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers via static virtual channels. If a userconnects to a malicious or compromised RDP server, specially-craftedPDUs could result in disclosure of information within the memory ofthe guacd process handling the connection.", "modified": "2020-07-21T16:02:00", "id": "CVE-2020-9497", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9497", "published": "2020-07-02T13:15:00", "title": "CVE-2020-9497", "type": "cve", "cvss": {"score": 1.2, "vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N"}}], "threatpost": [{"lastseen": "2020-07-23T21:41:38", "bulletinFamily": "info", "description": "Apache Guacamole, a popular infrastructure for enabling remote working, is vulnerable to a slew of security bugs related to the Remote Desktop Protocol (RDP), researchers have warned. Admins should update their systems to avoid attacks bent on stealing information or remote code-execution.\n\n\u201cOnce in control of the gateway, an attacker can eavesdrop on all incoming sessions, record all the credentials used, and even start new sessions to control the rest of the computers within the organization,\u201d explained Eyal Itkin, researcher from Check Point, [in a posting](<https://research.checkpoint.com/2020/apache-guacamole-rce/>) on Thursday. \u201cWhen most of the organization is [working remotely](<https://threatpost.com/work-from-home-opens-new-remote-insider-threats/156841/>), this foothold is equivalent to gaining full control over the entire organizational network.\u201d\n\nApache Guacamole has more than [10 million Docker downloads](<https://hub.docker.com/r/guacamole/guacamole>) globally, and is also embedded into other products like Jumpserver Fortress, Quali and Fortigate. Guacamole gateways essentially secure and handle connections from users coming from outside the corporate perimeter.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cIn essence, an employee uses a browser to connect to his company\u2019s internet-facing server, goes through an authentication process, and gets access to his corporate computer,\u201d said Itkin. \u201cWhile the employee only uses his browser, the Guacamole server selects one of the supported protocols (RDP, VNC, SSH, etc.) and uses an open-source client to connect to the specific corporate computer. Once connected, the Guacamole server acts as a middle-man that relays the events back and forth while translating them from the chosen protocol to the special \u2018Guacamole Protocol\u2019 and vice versa.\u201d\n\nThe vulnerabilities allow an on-network attacker to compromise a gateway, and then intercept and control all of the sessions that connect to it.\n\n\u201cThis [COVID-19-related] transition from onsite to off-premise work means that IT solutions for remotely connecting to the corporate network are now used more than ever,\u201d Itkin added. \u201cThis also means that any security vulnerability in these solutions will have a much greater impact, as companies rely on this technology to keep their businesses functioning.\u201d\n\nApache Guacamole is vulnerable to several critical bugs inside its own infrastructure, along with other vulnerabilities found in FreeRDP, according to Check Point.\n\n## **Attack Scenarios and Bugs**\n\nThere are two different attack scenarios, the researcher explained: In a reverse attack, a compromised machine inside the corporate network leverages the incoming benign connection to attack the gateway, aiming to take it over. And in the malicious worker scenario, a rogue employee uses a computer inside the network to leverage his hold on both ends of the connection and take control of the gateway.\n\nTo enable either of these, an exploit chain using information-disclosure bugs, a memory-corruption issue and privilege exploitation is necessary \u2013 which Check Point has demonstrated in a video.\n\n\u201c[There is a] high probability that most companies haven\u2019t yet upgraded to the latest versions, and could already be attacked using these known 1-Days,\u201d Itkin warned.\n\nThe flaw tracked as CVE-2020-9497 enables information disclosure.\n\n\u201cTo relay the messages between the RDP connection and the client, the developers implemented their own extension for the default RDP channels,\u201d according to the writeup. \u201cOne such channel is responsible for the audio from the server, hence unsurprisingly called rdpsnd (RDP Sound).\u201d\n\nBy sending a malicious rdpsnd channel message, a malicious RDP server could cause the client to think that the packet contains a huge amount of bytes, which are in fact memory bytes of the client itself, Itkin added: \u201cThis in turn causes the client to send back a response to the server with these bytes, and grant the RDP server a massive, heartbleed-style, information-disclosure primitive.\u201d\n\nAnother information-disclosure bug, also covered under CVE-2020-9497, is similar, but the flaw sends the out-of-bounds data to the connected client, instead of back to the RDP server.\n\n\u201cWe were intrigued to find an additional channel, guacai, responsible for sound messages,\u201d according to Itkin. \u201cThis channel is responsible for the audio input, hence the name guacai. Although vulnerable to roughly the same vulnerability as the previous channel, this channel is disabled by default.\u201d\n\nThe analysis also uncovered CVE-2020-9498, a memory-corruption issue allowing RCE.\n\n\u201cThe RDP protocol exposes different \u2018devices\u2019 as separate \u2018channels,\u2019 one for each device. These include the rdpsnd channel for the sound, cliprdr for the clipboard, and so on,\u201d according to the analysis. \u201cAs an abstraction layer, the channel messages support a fragmentation that allows their messages to be up to 4GB long.\u201d\n\nThe first fragment in any message must contain the CHANNEL_FLAG_FIRST fragment, which allocates the right-sized stream (known as wStream) to accommodate the overall declared length of the total message.\n\n\u201cHowever, what happens if an attacker sends a fragment without this flag? It seems that it is simply appended to the previous leftover stream,\u201d Itkin explained. \u201cAfter a fragmented message finishes the reassembly and goes on to be parsed, it is freed. And that\u2019s it. No one sets the dangling pointer to NULL.\u201d\n\nThis means that a malicious RDP server could send an out-of-order message fragment that uses the previously freed wStream object, effectively creating a use-after-free vulnerability that can in turn be used for arbitrary read and arbitrary write exploits.\n\n\u201cBy using vulnerabilities CVE-2020-9497 and CVE-2020-9498, we managed to implement our arbitrary read and arbitrary write exploit primitives,\u201d Itkin said. \u201cUsing these two powerful primitives, we successfully implemented an RCE exploit in which a malicious corporate computer (our RDP \u2018server\u2019) can take control of the guacd process when a remote user requests to connect to his (infected) computer.\u201d\n\nThat guacd process only handles a single connection and runs with low privileges \u2013 so Check Point looked for a path to privilege escalation that would allow the takeover for the entire gateway.\n\nAfter a client is successfully authenticated, the guacamole-client initiates a Guacamole Protocol session with the guacamole-server to create a matching session for the client. This is done by connecting to the guacamole-server on TCP port 4822 (by default) on which the guacd process is listening. The communication on this port uses no authentication or encryption (SSL could be enabled, but it isn\u2019t the default). After the session is created, the guacamole-client only relays information back and forth between the guacamole-server and the client\u2019s browser.\n\nA vulnerability in the guacd executable allows access to full memory layout \u2013 useful for bypassing Address Space Layout Randomization (ASLR) computer security \u2013 and full memory content.\n\nBy using all of these weaknesses, Itkin said that Check Point researchers were able to take full control of a test Guacamole gateway, intercepting all information that flows through it.\n\nIt\u2019s worth noting that the infrastructure is also vulnerable to existing bugs in FreeRDP, a free implementation of the RDP, released under the Apache license.\n\n\u201cIn our [previous research](<https://research.checkpoint.com/2019/reverse-rdp-attack-code-execution-on-rdp-clients/>)\u2026we found several critical vulnerabilities in this RDP client which exposed it to attack from a malicious RDP \u2018server,'\u201d according to the researcher. \u201cIn other words, a malicious corporate computer can take control of an unsuspecting FreeRDP client that connects to it\u2026.By looking at the released versions of Apache Guacamole, we can see that only version 1.1.0, released at the end of January 2020, added support for the latest FreeRDP version (2.0.0). Knowing that our vulnerabilities in FreeRDP were only patched on version 2.0.0-rc4, this means that all versions that were released before January 2020 are using vulnerable versions of FreeRDP.\u201d\n\nApache fixed all of these issues with the release of version 1.2.02 on June 28.\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a _**[**_FREE webinar_**](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>)**_, \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>)**_ for this Threatpost webinar, sponsored by Valimail._**\n", "modified": "2020-07-02T16:14:46", "published": "2020-07-02T16:14:46", "id": "THREATPOST:B6B17DDF563BDA6C7BB968C7C736774D", "href": "https://threatpost.com/apache-guacamole-control-remote-footprint/157124/", "type": "threatpost", "title": "Apache Guacamole Opens Door for Total Control of Remote Footprint", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-07-23T16:05:39", "bulletinFamily": "scanner", "description": "Apache Guacamole is prone to multiple vulnerabilities.", "modified": "2020-07-15T00:00:00", "published": "2020-07-15T00:00:00", "id": "OPENVAS:1361412562310144236", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310144236", "title": "Apache Guacamole < 1.2.0 Multiple Vulnerabilities", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:apache:guacamole\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.144236\");\n script_version(\"2020-07-15T05:00:50+0000\");\n script_tag(name:\"last_modification\", value:\"2020-07-15 05:00:50 +0000 (Wed, 15 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-15 04:25:21 +0000 (Wed, 15 Jul 2020)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2020-9497\", \"CVE-2020-9498\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Apache Guacamole < 1.2.0 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_apache_guacamole_http_detect.nasl\");\n script_mandatory_keys(\"apache/guacamole/detected\");\n\n script_tag(name:\"summary\", value:\"Apache Guacamole is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - Improper input validation of RDP static virtual channels (CVE-2020-9497)\n\n - Dangling pointer in RDP static virtual channel handling (CVE-2020-9498)\");\n\n script_tag(name:\"affected\", value:\"Apache Guacamole version 1.1.0 and prior.\");\n\n script_tag(name:\"solution\", value:\"Update to version 1.2.0 or later.\");\n\n script_xref(name:\"URL\", value:\"https://lists.apache.org/thread.html/r3f071de70ea1facd3601e0fa894e6cadc960627ee7199437b5a56f7f@%3Cannounce.apache.org%3E\");\n script_xref(name:\"URL\", value:\"https://lists.apache.org/thread.html/r26fb170edebff842c74aacdb1333c1338f0e19e5ec7854d72e4680fc@%3Cannounce.apache.org%3E\");\n script_xref(name:\"URL\", value:\"https://research.checkpoint.com/2020/apache-guacamole-rce/\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif (version_is_less(version: version, test_version: \"1.2.0\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"1.2.0\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}]}