Serious Vulnerabilities Identified in Apache Guacamole Remote Access Software
Several vulnerabilities have been identified in the remote access system, Apache Guacamole. Apache Guacamole has been adopted by many companies to allow administrators and employees to access Windows and Linux devices remotely. The system has proven popular during the COVID-19 pandemic for allowing employees to work from home and connect to the corporate network. Apache Guacamole is also embedded into many network accessibility and security products such as Fortress, Quali, and Fortigate and is one of the most prominent tools on the market with more than 10 million Docker downloads.
Apache Guacamole is a clientless solution, meaning remote workers do not need to install any software on their devices. They can simply use a web browser to access their corporate device. System administrators only need to install the software on a server. Depending on how the system is configured, a connection is made using SSH or RDP with Guacamole acting as an intermediary between the browser and the device the user wants to connect to, relaying communications between the two.
Check Point Research evaluated Apache Guacamole and found several reverse RDP vulnerabilities in Apache Guacamole 1.1.0 and earlier versions, and a similar vulnerability in FreeRDP, Apache’s free implementation of RDP. The vulnerabilities could be exploited by remote attackers to achieve code execution, allowing them to hijack servers and intercept sensitive data by eavesdropping on conversations on remote sessions. The researchers note that in a situation where virtually all employees are working remotely, exploitation of these vulnerabilities would be akin to gaining full control of the entire organizational network.
According to Check Point Research, the flaws could be exploited in two ways. If an attacker already has a foothold in the network and has compromised a desktop computer, the vulnerabilities could be exploited to attack the Guacamole gateway when a remote worker attempts to login and access the device. The attacker could then take full control of the gateway and any remote connections. The flaws could also be exploited by a malicious insider to gain access to the computers of other workers in the organziation.
The vulnerabilities could allow Heartbleed-style information disclosure, as was demonstrated by the researchers, and also allow read and write access to the vulnerable server. The researchers chained the vulnerabilities together, elevated privileges to admin, then achieved remote code execution. The vulnerabilities, grouped together under the CVEs CVE-2020-9497 and CVE-2020-9498, were reported to the Apache Software Foundation and patches were released on June 28, 2020.
The researchers also found the vulnerability CVE-2018-8786 in FreeRDP could also be exploited to take control of the gateway. All versions of FreeRDP prior to January 2020 – version 2.0.0-rc4 – are using vulnerable versions of FreeRDP with the CVE-2020-9498 vulnerability.
All organizations that have adopted Apache Guacamole should ensure they have the latest version of Apache Guacamole installed on their servers.