New research has uncovered multiple critical [reverse RDP vulnerabilities](<https://thehackernews.com/2020/05/reverse-rdp-attack-patch.html>) in **Apache Guacamole**, a popular remote desktop application used by system administrators to access and manage Windows and Linux machines remotely.
The flaws could let an attacker gain full control of the Guacamole server and intercept and control every other connected session.
According to a [report](<https://blog.checkpoint.com/2020/07/02/hole-y-guacamole-fixing-critical-vulnerabilities-in-apaches-popular-remote-desktop-gateway/>) published by Check Point Research and shared with The Hacker News, the flaws allow "an attacker, who has already successfully compromised a computer inside the organization, to launch an attack on the Guacamole gateway when an unsuspecting worker tries to connect to an infected machine."
After the cybersecurity firm responsibly disclosed its findings to Apache, the maintainers of Guacamole, on March 31, the project released a [patched version](<https://guacamole.apache.org/releases/1.2.0/>) (1.2.0) in June 2020.
[Apache Guacamole](<https://guacamole.apache.org/>) is a popular open-source, clientless remote desktop gateway. Installed on a company's server, it lets users connect to their desktops from nothing more than a web browser, once they have authenticated.
Notably, the Apache Guacamole remote desktop application has amassed over [10 million downloads](<https://hub.docker.com/r/guacamole/guacamole>) on Docker Hub to date.
## Memory Corruption Flaw to RCE
The attacks stem from one of two ways the gateway can be taken over: a compromised machine inside the corporate network that abuses an incoming, otherwise benign connection to attack the Apache gateway, or a rogue employee who uses a computer inside the network to hijack the gateway.
The Check Point team said it identified the flaws as part of a recent security audit of Guacamole, which had added support for FreeRDP 2.0.0 towards the end of January 2020.
It's worth pointing out that [FreeRDP](<https://www.freerdp.com/>), an open-source RDP client, had its own fair share of [remote code execution flaws](<https://research.checkpoint.com/2019/reverse-rdp-attack-code-execution-on-rdp-clients/>), which were disclosed early last year following the release of 2.0.0-rc4.
"Knowing that vulnerabilities in FreeRDP were only patched on version 2.0.0-rc4, this means that all versions that were released before January 2020 are using vulnerable versions of FreeRDP," Check Point researcher Eyal Itkin said.
Here's a quick summary of all flaws discovered:
* **Information disclosure vulnerabilities (CVE-2020-9497) —** Two separate flaws were identified in the developers' custom implementation of an RDP channel used to handle audio packets from the server ("rdpsnd"). The first permits an attacker to craft a malicious rdpsnd message that leads to an out-of-bounds read similar to [Heartbleed](<https://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html>). The second, in the same channel, is a data leak that transmits the out-of-bounds data to a connected client.
A third information disclosure bug is a variant of the same flaw in a different channel, "guacai," which handles audio input and is disabled by default.
* **Out-of-bounds reads in FreeRDP —** Looking for a memory corruption vulnerability that could be combined with the above data leaks, Check Point said it uncovered two additional out-of-bounds reads that stem from a design flaw in FreeRDP.
* **Memory corruption flaw in Guacamole (CVE-2020-9498) —** This flaw, present in an abstraction layer ("guac_common_svc.c") layered over the rdpsnd and rdpdr (Device Redirection) channels, arises from a memory safety violation that leaves a [dangling pointer](<https://en.wikipedia.org/wiki/Dangling_pointer>); combining it with the data leaks lets an attacker achieve code execution.
Use-after-free vulnerabilities are memory corruption bugs that occur when a program keeps using memory after it has been freed. This usually causes a crash but can also lead to other unintended behavior, including code execution, that attackers can exploit.
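The rdpsnd information leak described above is the classic case of a channel parser trusting a length field supplied by the peer. The following is an added illustration written for this page, not code from Guacamole, FreeRDP or Check Point: a parser for a hypothetical length-prefixed channel message, shown first trusting the claimed length (the Heartbleed-style out-of-bounds read) and then validating it against the bytes actually received before anything is copied. The message layout, function names and sample messages are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example, not Guacamole's or FreeRDP's code. Hypothetical
 * message layout assumed here:
 *   [u8 type][u16 length, little-endian][payload of `length` bytes]
 */

typedef struct {
    uint8_t        type;
    uint16_t       length;   /* length claimed by the peer */
    const uint8_t *payload;  /* points into the receive buffer */
} channel_pdu;

#define PDU_HEADER_LEN 3

/* Reads the 16-bit little-endian length field from the header. */
static uint16_t read_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/*
 * Unsafe version: the claimed length is handed back without comparing it
 * to buf_len, so a consumer that copies `length` bytes from `payload`
 * reads past the end of the receive buffer. Returns the number of payload
 * bytes such a consumer would go on to read.
 */
static size_t parse_pdu_trusting_length(const uint8_t *buf, size_t buf_len,
                                        channel_pdu *out) {
    if (buf_len < PDU_HEADER_LEN) return 0;
    out->type    = buf[0];
    out->length  = read_le16(buf + 1);
    out->payload = buf + PDU_HEADER_LEN;
    return out->length;          /* may be far larger than buf_len - 3 */
}

/*
 * Hardened version: the claimed length must fit inside the bytes that were
 * actually received. Oversized claims are rejected (return 0) rather than
 * clamped, so a forged or truncated message never yields a half-filled PDU.
 * Returns 1 on success.
 */
static int parse_pdu_checked(const uint8_t *buf, size_t buf_len,
                             channel_pdu *out) {
    if (buf == NULL || out == NULL || buf_len < PDU_HEADER_LEN) return 0;
    uint16_t claimed = read_le16(buf + 1);
    /* buf_len - PDU_HEADER_LEN cannot underflow: checked just above */
    if ((size_t)claimed > buf_len - PDU_HEADER_LEN) return 0;
    out->type    = buf[0];
    out->length  = claimed;
    out->payload = buf + PDU_HEADER_LEN;
    return 1;
}

/*
 * Copies the payload into a fixed-size sink (as an audio handler might),
 * bounding both the source (via parse_pdu_checked) and the destination.
 * Returns the number of bytes copied, or 0 if the message was rejected.
 */
static size_t copy_payload(const uint8_t *buf, size_t buf_len,
                           uint8_t *sink, size_t sink_len) {
    channel_pdu pdu;
    if (!parse_pdu_checked(buf, buf_len, &pdu)) return 0;
    if (pdu.length > sink_len) return 0;    /* destination bound */
    memcpy(sink, pdu.payload, pdu.length);
    return pdu.length;
}

/* Constructed sample messages. */
static const uint8_t WELL_FORMED_PDU[] = { 0x02, 0x04, 0x00, 'a', 'b', 'c', 'd' };
/* Claims 0xFFFF payload bytes, but only two bytes follow the header. */
static const uint8_t OVERSIZED_PDU[]   = { 0x02, 0xFF, 0xFF, 'a', 'b' };

/* 1 if a consumer trusting the length field would read past the buffer. */
static int would_overread(const uint8_t *buf, size_t buf_len) {
    channel_pdu pdu;
    size_t claimed = parse_pdu_trusting_length(buf, buf_len, &pdu);
    if (buf_len < PDU_HEADER_LEN) return 0;
    return claimed > buf_len - PDU_HEADER_LEN;
}

int main(void) {
    uint8_t sink[16];
    printf("well-formed: overread=%d copied=%zu\n",
           would_overread(WELL_FORMED_PDU, sizeof WELL_FORMED_PDU),
           copy_payload(WELL_FORMED_PDU, sizeof WELL_FORMED_PDU, sink, sizeof sink));
    printf("oversized:   overread=%d copied=%zu\n",
           would_overread(OVERSIZED_PDU, sizeof OVERSIZED_PDU),
           copy_payload(OVERSIZED_PDU, sizeof OVERSIZED_PDU, sink, sizeof sink));
    return 0;
}
```

The design point is that the check compares the claimed length against what was actually received, not against a maximum message size, and that rejection is the only outcome for a mismatch: clamping the length would silently turn a forged message into a truncated but "valid" one, and the second rdpsnd bug in the list above shows why that matters, since whatever the parser accepts is what gets forwarded to the client.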
By using vulnerabilities CVE-2020-9497 and CVE-2020-9498, "a malicious corporate computer (our RDP 'server') can take control of the [guacd process](<https://guacamole.apache.org/doc/gug/guacamole-architecture.html#guacd>) when a remote user requests to connect to his (infected) computer," Itkin said.
## A Case of Privilege Escalation
More concerning, Check Point found it was possible to seize control of every connection in the gateway from a single guacd process, the process that runs on the Guacamole server to handle remote connections to the corporate network.
In addition to controlling the gateway, this privilege escalation allows an attacker to eavesdrop on all incoming sessions, record the credentials used, and even start new sessions to control the rest of the organization's computers.
"While the transition to remote work from home is a necessity in these tough times of the COVID-19 pandemic, we can't neglect the security implications of such remote connections," Itkin concluded. "When most of the organization is working remotely, this foothold is equivalent to gaining full control over the entire organizational network."
"We strongly recommend that everyone makes sure that all servers are up-to-date, and that whatever technology used for working from home is fully patched to block such attack attempts."
## Article metadata

* Title: Critical Apache Guacamole Flaws Put Remote Desktops at Risk of Hacking, published by The Hacker News on 2020-07-02 (modified 2020-07-08) at [thehackernews.com](<https://thehackernews.com/2020/07/apache-guacamole-hacking.html>).
* CVEs: CVE-2020-9497, CVE-2020-9498.
* CVSS v2: 6.2 Medium (AV:L/AC:H/Au:N/C:C/I:C/A:C). CVSS v3.1: 6.7 Medium (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H): local attack vector, high attack complexity, low privileges required, user interaction required.

## Related advisories

* Fedora 33 and Fedora 32 security updates guacamole-server-1.2.0-3.fc33 (FEDORA:5F13F304C562) and guacamole-server-1.2.0-3.fc32 (FEDORA:ABF6F304C2D7), both published 2021-01-04: [Fedora 33 announcement](<https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WNS7UHBOFV6JHWH5XOEZTE3BREGRSSQ3/>), [Fedora 32 announcement](<https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TVV5K2X4EXSAVUUL7IJ3MUJ3ADWMVSBM/>).
* Debian LTS Advisory [DLA-2435-1](<https://lists.debian.org/debian-lts-announce/2020/11/msg00010.html>) (Markus Koschany, November 06, 2020; Debian Bug 964195): guacamole-server 0.9.9-2+deb9u1 for Debian 9 stretch. The advisory states: "The server component of Apache Guacamole, a remote desktop gateway, did not properly validate data received from RDP servers. This could result in information disclosure or even the execution of arbitrary code." It describes CVE-2020-9497 as: "Apache Guacamole does not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection." And CVE-2020-9498 as: "Apache Guacamole may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process." Package status: [Debian security tracker](<https://security-tracker.debian.org/tracker/guacamole-server>).
* OSV entry for the same advisory: OSV:DLA-2435-1, [osv.dev](<https://osv.dev/vulnerability/DLA-2435-1>).
* Nessus plugin 142632 "Debian DLA-2435-1 : guacamole-server security update" (DEBIAN_DLA-2435.NASL, published 2020-11-09, modified 2020-11-20): a local dpkg check for Debian 9.0 that flags guacd, libguac-client-rdp0, libguac-client-ssh0, libguac-client-telnet0, libguac-client-vnc0, libguac-dev and libguac11 older than 0.9.9-2+deb9u1; [tenable.com](<https://www.tenable.com/plugins/nessus/142632>).
* Other references indexed for these CVEs: Mageia MGASA-2021-0272, OpenVAS OPENVAS:1361412562310144236, Ubuntu CVE tracker UB:CVE-2020-9497 and UB:CVE-2020-9498, Veracode VERACODE:25812, Threatpost THREATPOST:B6B17DDF563BDA6C7BB968C7C736774D.
"AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:40:47", "description": "Updated SPEC file and rebuilt for new dependencies.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-01-04T00:00:00", "type": "nessus", "title": "Fedora 33 : guacamole-server (2020-640645e518)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 1.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.2, "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9497", "CVE-2020-9498"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:guacamole-server", "cpe:/o:fedoraproject:fedora:33"], "id": "FEDORA_2020-640645E518.NASL", "href": "https://www.tenable.com/plugins/nessus/144701", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-640645e518.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(144701);\n 
script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2020-9497\", \"CVE-2020-9498\");\n script_xref(name:\"FEDORA\", value:\"2020-640645e518\");\n\n script_name(english:\"Fedora 33 : guacamole-server (2020-640645e518)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Updated SPEC file and rebuilt for new dependencies.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-640645e518\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected guacamole-server package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:guacamole-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:33\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2021/01/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^33([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 33\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC33\", reference:\"guacamole-server-1.2.0-3.fc33\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"guacamole-server\");\n}\n", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:37:28", "description": "Updated SPEC file and rebuilt for new dependencies.\n\nNote that Tenable Network Security has extracted the 
preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-01-04T00:00:00", "type": "nessus", "title": "Fedora 32 : guacamole-server (2020-bfde0ab889)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 1.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.2, "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9497", "CVE-2020-9498"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:guacamole-server", "cpe:/o:fedoraproject:fedora:32"], "id": "FEDORA_2020-BFDE0AB889.NASL", "href": "https://www.tenable.com/plugins/nessus/144652", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-bfde0ab889.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(144652);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2020-9497\", \"CVE-2020-9498\");\n script_xref(name:\"FEDORA\", 
value:\"2020-bfde0ab889\");\n\n script_name(english:\"Fedora 32 : guacamole-server (2020-bfde0ab889)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Updated SPEC file and rebuilt for new dependencies.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-bfde0ab889\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected guacamole-server package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:guacamole-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is 
Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 32\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC32\", reference:\"guacamole-server-1.2.0-3.fc32\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"guacamole-server\");\n}\n", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-07-23T16:05:39", "description": "Apache Guacamole is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2020-07-15T00:00:00", "type": "openvas", "title": "Apache Guacamole < 1.2.0 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-9498", "CVE-2020-9497"], "modified": 
"2020-07-15T00:00:00", "id": "OPENVAS:1361412562310144236", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310144236", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:apache:guacamole\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.144236\");\n script_version(\"2020-07-15T05:00:50+0000\");\n script_tag(name:\"last_modification\", value:\"2020-07-15 05:00:50 +0000 (Wed, 15 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-15 04:25:21 +0000 (Wed, 15 Jul 2020)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2020-9497\", \"CVE-2020-9498\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Apache Guacamole < 1.2.0 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"General\");\n 
script_dependencies(\"gb_apache_guacamole_http_detect.nasl\");\n script_mandatory_keys(\"apache/guacamole/detected\");\n\n script_tag(name:\"summary\", value:\"Apache Guacamole is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - Improper input validation of RDP static virtual channels (CVE-2020-9497)\n\n - Dangling pointer in RDP static virtual channel handling (CVE-2020-9498)\");\n\n script_tag(name:\"affected\", value:\"Apache Guacamole version 1.1.0 and prior.\");\n\n script_tag(name:\"solution\", value:\"Update to version 1.2.0 or later.\");\n\n script_xref(name:\"URL\", value:\"https://lists.apache.org/thread.html/r3f071de70ea1facd3601e0fa894e6cadc960627ee7199437b5a56f7f@%3Cannounce.apache.org%3E\");\n script_xref(name:\"URL\", value:\"https://lists.apache.org/thread.html/r26fb170edebff842c74aacdb1333c1338f0e19e5ec7854d72e4680fc@%3Cannounce.apache.org%3E\");\n script_xref(name:\"URL\", value:\"https://research.checkpoint.com/2020/apache-guacamole-rce/\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif (version_is_less(version: version, test_version: \"1.2.0\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"1.2.0\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-10-17T22:24:42", "description": "Apache Guacamole, a popular infrastructure for enabling remote working, is vulnerable to a slew of security bugs related to the Remote Desktop Protocol 
(RDP), researchers have warned. Admins should update their systems to avoid attacks bent on stealing information or remote code-execution.\n\n\u201cOnce in control of the gateway, an attacker can eavesdrop on all incoming sessions, record all the credentials used, and even start new sessions to control the rest of the computers within the organization,\u201d explained Eyal Itkin, researcher from Check Point, [in a posting](<https://research.checkpoint.com/2020/apache-guacamole-rce/>) on Thursday. \u201cWhen most of the organization is [working remotely](<https://threatpost.com/work-from-home-opens-new-remote-insider-threats/156841/>), this foothold is equivalent to gaining full control over the entire organizational network.\u201d\n\nApache Guacamole has more than [10 million Docker downloads](<https://hub.docker.com/r/guacamole/guacamole>) globally, and is also embedded into other products like Jumpserver Fortress, Quali and Fortigate. Guacamole gateways essentially secure and handle connections from users coming from outside the corporate perimeter.\n\n\u201cIn essence, an employee uses a browser to connect to his company\u2019s internet-facing server, goes through an authentication process, and gets access to his corporate computer,\u201d said Itkin. \u201cWhile the employee only uses his browser, the Guacamole server selects one of the supported protocols (RDP, VNC, SSH, etc.) and uses an open-source client to connect to the specific corporate computer. 
Once connected, the Guacamole server acts as a middle-man that relays the events back and forth while translating them from the chosen protocol to the special \u2018Guacamole Protocol\u2019 and vice versa.\u201d\n\nThe vulnerabilities allow an on-network attacker to compromise a gateway, and then intercept and control all of the sessions that connect to it.\n\n\u201cThis [COVID-19-related] transition from onsite to off-premise work means that IT solutions for remotely connecting to the corporate network are now used more than ever,\u201d Itkin added. \u201cThis also means that any security vulnerability in these solutions will have a much greater impact, as companies rely on this technology to keep their businesses functioning.\u201d\n\nApache Guacamole is vulnerable to several critical bugs inside its own infrastructure, along with other vulnerabilities found in FreeRDP, according to Check Point.\n\n## **Attack Scenarios and Bugs**\n\nThere are two different attack scenarios, the researcher explained: In a reverse attack, a compromised machine inside the corporate network leverages the incoming benign connection to attack the gateway, aiming to take it over. And in the malicious worker scenario, a rogue employee uses a computer inside the network to leverage his hold on both ends of the connection and take control of the gateway.\n\nTo enable either of these, an exploit chain using information-disclosure bugs, a memory-corruption issue and privilege exploitation is necessary \u2013 which Check Point has demonstrated in a video.\n\n\u201c[There is a] high probability that most companies haven\u2019t yet upgraded to the latest versions, and could already be attacked using these known 1-Days,\u201d Itkin warned.\n\nThe flaw tracked as CVE-2020-9497 enables information disclosure.\n\n\u201cTo relay the messages between the RDP connection and the client, the developers implemented their own extension for the default RDP channels,\u201d according to the writeup. 
\u201cOne such channel is responsible for the audio from the server, hence unsurprisingly called rdpsnd (RDP Sound).\u201d\n\nBy sending a malicious rdpsnd channel message, a malicious RDP server could cause the client to think that the packet contains a huge amount of bytes, which are in fact memory bytes of the client itself, Itkin added: \u201cThis in turn causes the client to send back a response to the server with these bytes, and grant the RDP server a massive, heartbleed-style, information-disclosure primitive.\u201d\n\nAnother information-disclosure bug, also covered under CVE-2020-9497, is similar, but the flaw sends the out-of-bounds data to the connected client, instead of back to the RDP server.\n\n\u201cWe were intrigued to find an additional channel, guacai, responsible for sound messages,\u201d according to Itkin. \u201cThis channel is responsible for the audio input, hence the name guacai. Although vulnerable to roughly the same vulnerability as the previous channel, this channel is disabled by default.\u201d\n\nThe analysis also uncovered CVE-2020-9498, a memory-corruption issue allowing RCE.\n\n\u201cThe RDP protocol exposes different \u2018devices\u2019 as separate \u2018channels,\u2019 one for each device. These include the rdpsnd channel for the sound, cliprdr for the clipboard, and so on,\u201d according to the analysis. \u201cAs an abstraction layer, the channel messages support a fragmentation that allows their messages to be up to 4GB long.\u201d\n\nThe first fragment in any message must contain the CHANNEL_FLAG_FIRST fragment, which allocates the right-sized stream (known as wStream) to accommodate the overall declared length of the total message.\n\n\u201cHowever, what happens if an attacker sends a fragment without this flag? It seems that it is simply appended to the previous leftover stream,\u201d Itkin explained. \u201cAfter a fragmented message finishes the reassembly and goes on to be parsed, it is freed. And that\u2019s it. 
No one sets the dangling pointer to NULL.\u201d\n\nThis means that a malicious RDP server could send an out-of-order message fragment that uses the previously freed wStream object, effectively creating a use-after-free vulnerability that can in turn be used for arbitrary read and arbitrary write exploits.\n\n\u201cBy using vulnerabilities CVE-2020-9497 and CVE-2020-9498, we managed to implement our arbitrary read and arbitrary write exploit primitives,\u201d Itkin said. \u201cUsing these two powerful primitives, we successfully implemented an RCE exploit in which a malicious corporate computer (our RDP \u2018server\u2019) can take control of the guacd process when a remote user requests to connect to his (infected) computer.\u201d\n\nThat guacd process only handles a single connection and runs with low privileges \u2013 so Check Point looked for a path to privilege escalation that would allow the takeover for the entire gateway.\n\nAfter a client is successfully authenticated, the guacamole-client initiates a Guacamole Protocol session with the guacamole-server to create a matching session for the client. This is done by connecting to the guacamole-server on TCP port 4822 (by default) on which the guacd process is listening. The communication on this port uses no authentication or encryption (SSL could be enabled, but it isn\u2019t the default). 
After the session is created, the guacamole-client only relays information back and forth between the guacamole-server and the client\u2019s browser.\n\nA vulnerability in the guacd executable allows access to full memory layout \u2013 useful for bypassing Address Space Layout Randomization (ASLR) computer security \u2013 and full memory content.\n\nBy using all of these weaknesses, Itkin said that Check Point researchers were able to take full control of a test Guacamole gateway, intercepting all information that flows through it.\n\nIt\u2019s worth noting that the infrastructure is also vulnerable to existing bugs in FreeRDP, a free implementation of the RDP, released under the Apache license.\n\n\u201cIn our [previous research](<https://research.checkpoint.com/2019/reverse-rdp-attack-code-execution-on-rdp-clients/>)\u2026we found several critical vulnerabilities in this RDP client which exposed it to attack from a malicious RDP \u2018server,'\u201d according to the researcher. \u201cIn other words, a malicious corporate computer can take control of an unsuspecting FreeRDP client that connects to it\u2026.By looking at the released versions of Apache Guacamole, we can see that only version 1.1.0, released at the end of January 2020, added support for the latest FreeRDP version (2.0.0). Knowing that our vulnerabilities in FreeRDP were only patched on version 2.0.0-rc4, this means that all versions that were released before January 2020 are using vulnerable versions of FreeRDP.\u201d\n\nApache fixed all of these issues with the release of version 1.2.0 on June 28.\n", "cvss3": {}, "published": "2020-07-02T16:14:46", "type": "threatpost", "title": "Apache Guacamole Opens Door for Total Control of Remote Footprint", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-9497", "CVE-2020-9498"], "modified": "2020-07-02T16:14:46", "id": "THREATPOST:B6B17DDF563BDA6C7BB968C7C736774D", "href": "https://threatpost.com/apache-guacamole-control-remote-footprint/157124/", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], 
"mageia": [{"lastseen": "2022-04-18T11:19:35", "description": "Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the \"secure\" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain (CVE-2018-1340). Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection (CVE-2020-9497). Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. 
If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process (CVE-2020-9498). Apache Guacamole 1.2.0 and older do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users (CVE-2020-11997). This is an update of guacd to latest version to fix security issues. We also updated util-linux and ossp_uuid to make them co installable as guacd requires ossp_uuid. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-23T17:11:28", "type": "mageia", "title": "Updated guacd packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 1.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.2, "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1340", "CVE-2020-11997", "CVE-2020-9497", "CVE-2020-9498"], "modified": 
"2021-06-23T17:11:09", "id": "MGASA-2021-0272", "href": "https://advisories.mageia.org/MGASA-2021-0272.html", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2022-07-04T05:59:27", "description": "Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed with the privileges of therunning guacd process.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-07-02T13:15:00", "type": "debiancve", "title": "CVE-2020-9498", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 1.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.2, "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9498"], "modified": "2020-07-02T13:15:00", "id": "DEBIANCVE:CVE-2020-9498", "href": "https://security-tracker.debian.org/tracker/CVE-2020-9498", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-04T05:59:27", "description": "Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers 
via static virtual channels. If a userconnects to a malicious or compromised RDP server, specially-craftedPDUs could result in disclosure of information within the memory ofthe guacd process handling the connection.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-07-02T13:15:00", "type": "debiancve", "title": "CVE-2020-9497", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 1.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.2, "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9497"], "modified": "2020-07-02T13:15:00", "id": "DEBIANCVE:CVE-2020-9497", "href": "https://security-tracker.debian.org/tracker/CVE-2020-9497", "cvss": {"score": 1.2, "vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N"}}], "veracode": [{"lastseen": "2022-07-27T10:18:03", "description": "guacamole is vulnerable to arbitrary code execution. 
The vulnerability exists due to a memory corruption issue occurs in `guac_rdp_common_svc_handle_open_event()` of `guac-common-svc/guac-common-svc.c`, when a large stream is sent without the `CHANNEL_FLAG_FIRST` flag, causing the FreeRDP stream length to be unverified before reading.\n", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-07-03T04:52:18", "type": "veracode", "title": "Arbitrary Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 1.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.2, "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9498"], "modified": "2021-03-29T21:00:32", "id": "VERACODE:25812", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25812/summary", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2023-01-27T13:41:42", "description": "Apache Guacamole 1.1.0 and older may mishandle pointers involved\ninprocessing data received via RDP static virtual channels. 
If a\nuserconnects to a malicious or compromised RDP server, a series\nofspecially-crafted PDUs could result in memory corruption,\npossiblyallowing arbitrary code to be executed with the privileges of\ntherunning guacd process.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-07-02T00:00:00", "type": "ubuntucve", "title": "CVE-2020-9498", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 1.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.2, "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9498"], "modified": "2020-07-02T00:00:00", "id": "UB:CVE-2020-9498", "href": "https://ubuntu.com/security/CVE-2020-9498", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-27T13:41:43", "description": "Apache Guacamole 1.1.0 and older do not properly validate datareceived from\nRDP servers via static virtual channels. 
If a userconnects to a malicious\nor compromised RDP server, specially-craftedPDUs could result in disclosure\nof information within the memory ofthe guacd process handling the\nconnection.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-07-02T00:00:00", "type": "ubuntucve", "title": "CVE-2020-9497", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 1.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.2, "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9497"], "modified": "2020-07-02T00:00:00", "id": "UB:CVE-2020-9497", "href": "https://ubuntu.com/security/CVE-2020-9497", "cvss": {"score": 1.2, "vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2022-03-23T19:08:01", "description": "Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. 
If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed with the privileges of therunning guacd process.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-07-02T13:15:00", "type": "cve", "title": "CVE-2020-9498", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 1.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.2, "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9498"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:fedoraproject:fedora:33", "cpe:/o:fedoraproject:fedora:32", "cpe:/a:apache:guacamole:1.1.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2020-9498", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9498", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:guacamole:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T19:08:00", "description": "Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers 
via static virtual channels. If a userconnects to a malicious or compromised RDP server, specially-craftedPDUs could result in disclosure of information within the memory ofthe guacd process handling the connection.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-07-02T13:15:00", "type": "cve", "title": "CVE-2020-9497", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 1.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.2, "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9497"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:fedoraproject:fedora:33", "cpe:/o:fedoraproject:fedora:32", "cpe:/a:apache:guacamole:1.1.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2020-9497", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9497", "cvss": {"score": 1.2, "vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:apache:guacamole:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}]}