Remote code execution and information disclosure vulnerabilities addressed in Apache Guacamole can be highly useful to threat actors targeting enterprises, Check Point security researchers warn.
An open-source remote desktop gateway, Apache Guacamole is an HTML5 web application that can be used on a broad range of devices, straight from the web browser. One of the most prominent remote access tools on the market, it is also embedded in various network accessibility and security solutions.
Guacamole includes support for protocols such as VNC, RDP, and SSH, and allows employees to access corporate computers from remote locations using only the browser. The connection, however, goes through the guacamole-server, which handles communications between the user and the target computer.
While investigating the solution, Check Point’s researchers discovered vulnerabilities that could be exploited via a compromised machine within the enterprise’s environment to take over the gateway and control the communications.
Based on the previous discovery of vulnerabilities in FreeRDP, the security researchers identified two issues in Apache Guacamole iterations that do not implement the available patches for FreeRDP. They also devised an attack that could essentially provide remote code execution capabilities.
Tracked as CVE-2020-9497 and CVE-2020-9498, the flaws are information disclosure (a collection of three bugs) and use-after-free issues, respectively.
By leveraging both vulnerabilities, Check Point’s researchers were able to implement a remote code execution (RCE) exploit allowing for a malicious corporate computer that acts as an RDP server to take control of the guacd process when the user requests to connect to an infected machine.
The researchers, who also published a video demonstrating the attack, were then able to escalate privileges (the guacd process runs with low privileges) to take over the entire gateway. In a real-life attack, that would eventually allow an adversary not only to eavesdrop on all of the connections in the gateway, but also to control the entire network.
“Using Apache Guacamole as our example target, we were able to successfully demonstrate how a compromised computer inside the organization can be used to take control of the gateway that handles all of the remote sessions into the network. Once in control of the gateway, an attacker can eavesdrop on all incoming sessions, record all the credentials used, and even start new sessions to control the rest of the computers within the organization,” Check Point notes.
The vulnerabilities were reported to Apache on March 31, silent patches were pushed in early May, and final patches were released on June 28, in Guacamole version 1.2.0.