The Apache Guacamole remote desktop gateway has been found to contain zero-day vulnerabilities. The identified issues are described as Reverse RDP vulnerabilities which allow criminals to take over remote sessions. The issues are now tracked under the CVE-2020-9497 advisory.
Zero-Day Vulnerabilities Found in Apache Guacamole Instances: CVE-2020-9497 Advisory Assigned
Apache Guacamole, one of the popular solutions for setting up a clientless remote desktop gateway, appears to be impacted by several critical zero-day vulnerabilities. The news came following the disclosure of the bugs and their identifiers. Guacamole is a tool used to broker the connections needed for remote desktop sessions. It supports the standard protocols used by most client software, including VNC, RDP and SSH. By design Guacamole is an HTML5 web application which is deployed on a given machine; the server is then accessible through a plain web browser.
The security issues related to Guacamole fall into two categories. The CVE-2020-9497 advisory identifier has been assigned to these security bugs. The two categories are the following:
- Zero-Day Critical Reverse RDP Vulnerabilities – This includes an information disclosure bug which sends out-of-bounds data to the connected clients instead of the servers. This allows the hackers to capture the leaked data, which is carried in the network packets. The other vulnerable part appears to be an audio channel that can be accessed by the criminals.
- FreeRDP Issues – It appears that the hackers have also found a way to make certain commands trigger a weakness in the FreeRDP implementation. This protocol weakness is categorized as a memory corruption.
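To make the out-of-bounds information disclosure concrete, here is an added example (not Guacamole's or FreeRDP's code) of a channel-message handler that trusts a declared payload length beside its hardened form. The message layout (2-byte big-endian length plus payload) and the receive buffer are constructed for illustration only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message format for illustration (not Guacamole's wire format):
 * a 2-byte big-endian payload length followed by the payload bytes. */

/* Vulnerable pattern: trusts the declared length, so a truncated message makes
 * memcpy read past the received bytes and forward adjacent memory to the client. */
size_t forward_unchecked(const uint8_t *pkt, size_t pkt_len,
                         uint8_t *out, size_t out_len)
{
    if (pkt_len < 2) return 0;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > out_len) return 0;
    memcpy(out, pkt + 2, declared);   /* BUG: declared may exceed pkt_len - 2 */
    return declared;
}

/* Hardened pattern: the declared length is reconciled with the bytes that
 * actually arrived; a short message is rejected instead of over-read. */
size_t forward_checked(const uint8_t *pkt, size_t pkt_len,
                       uint8_t *out, size_t out_len)
{
    if (pkt_len < 2) return 0;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    size_t available = pkt_len - 2;
    if (declared > available || declared > out_len) return 0;
    memcpy(out, pkt + 2, declared);
    return declared;
}

/* Constructed receive buffer: a message claiming 16 payload bytes of which only
 * 2 were received (pkt_len = 4); the trailing bytes stand in for adjacent
 * memory that an over-read would expose. Kept inside one array so the
 * demonstration stays within defined behaviour. */
static const uint8_t RX_BUF[32] = {0x00, 0x10, 'a', 'b', 'S', 'E', 'C', 'R', 'E', 'T'};

int main(void)
{
    uint8_t out[32] = {0};
    size_t n = forward_unchecked(RX_BUF, 4, out, sizeof out);
    printf("unchecked: forwarded %zu bytes, 2 received; out[2] = '%c'\n", n, out[2]);
    n = forward_checked(RX_BUF, 4, out, sizeof out);
    printf("checked: forwarded %zu bytes (truncated message rejected)\n", n);
    return 0;
}
```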
The CVE-2020-9498 advisory has also been assigned to the Apache Guacamole issues following the reports. After the issues were published and the developers notified, Apache released fixes that remedy the weaknesses. For this reason we urge all users to patch their installations to the latest available version. The official patched release is labeled 1.2.0.