Several vulnerabilities were identified in the Apache Guacamole remote access system. Many companies use Apache Guacamole to let administrators and employees access Windows and Linux devices remotely. The system became well known during the COVID-19 crisis because it allowed people to connect to their company's systems and work from home. Apache Guacamole is integrated into various network access and security products, such as Fortress, Quali, and Fortigate. It is a notable tool on the market, with more than 10 million Docker downloads.
As a clientless service, Apache Guacamole does not require remote employees to install any application on their devices: they access their company device through a web browser. The system administrator only needs to install the software on a server. Guacamole acts as a gateway that relays traffic from the web browser to the user's device over RDP or SSH, depending on how the system is configured.
Check Point Research examined Apache Guacamole and discovered several reverse RDP vulnerabilities in version 1.1.0 and earlier. The same vulnerability was also found in Apache's free RDP implementation. Attackers can exploit the vulnerabilities remotely to achieve code execution, allowing them to hijack servers and obtain sensitive data by eavesdropping on remote-session communications. The researchers noted that when all employees are working remotely, exploiting these vulnerabilities could give an attacker complete control of the entire organizational system.
Check Point Research described two ways the vulnerabilities could be exploited. An attacker who has already compromised a desktop PC inside the network could exploit the vulnerabilities in the Guacamole gateway the moment a remote employee logs in to that device, and could then take control of both the gateway and the remote systems. A malicious insider could likewise exploit the vulnerabilities to gain access to other employees' computers on the network.
The vulnerabilities allow Heartbleed-style information disclosure, giving the attacker read and write access to the vulnerable server. Check Point Research chained the vulnerabilities, escalated privileges to administrator, and achieved remote code execution. The researchers reported the chained vulnerabilities, tracked as CVE-2020-9497 and CVE-2020-9498, to the Apache Software Foundation. Patches were made available on June 28, 2020.
The researchers additionally identified the vulnerability CVE-2018-8786 in FreeRDP, which could be exploited to take control of the gateway. All FreeRDP versions prior to 2.0.0-rc4 (January 2020) are affected, and systems employing those FreeRDP versions carry the CVE-2020-9498 vulnerability.
All organizations that use Apache Guacamole should make sure the latest version of Apache Guacamole is installed on their servers.
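The text gives two version ranges a defender needs to check against an inventory: Apache Guacamole 1.1.0 and earlier (CVE-2020-9497 and CVE-2020-9498) and FreeRDP releases before 2.0.0-rc4. The script below is an added example, not code from the article or from the Guacamole or FreeRDP projects. It compares version strings correctly even when a release candidate tag is involved (2.0.0-rc3 is older than 2.0.0-rc4, which in turn is older than 2.0.0), and the hostnames and versions in the sample inventory are constructed for illustration; the only page-derived values are the two version boundaries.

```python
"""Inventory check for the Apache Guacamole and FreeRDP version ranges named in
the text: Guacamole 1.1.0 and earlier (CVE-2020-9497, CVE-2020-9498) and
FreeRDP releases before 2.0.0-rc4. The sample inventory is constructed."""
import re
from typing import Dict, List, Tuple

# Accepts "major.minor.patch" with an optional "-rcN" pre-release suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a version string into a tuple that sorts correctly.

    Release candidates get a (0, n) tail and final releases a (1, 0) tail, so
    2.0.0-rc3 < 2.0.0-rc4 < 2.0.0 under plain tuple comparison.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, rc = m.groups()
    pre = (0, int(rc)) if rc is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + pre


# Boundaries taken from the text.
GUAC_LAST_AFFECTED = parse_version("1.1.0")        # 1.1.0 and earlier are affected
FREERDP_FIRST_FIXED = parse_version("2.0.0-rc4")   # releases before rc4 are affected


def guacamole_affected(version: str) -> bool:
    """True when the Guacamole version is 1.1.0 or earlier."""
    return parse_version(version) <= GUAC_LAST_AFFECTED


def freerdp_affected(version: str) -> bool:
    """True when the FreeRDP version predates 2.0.0-rc4."""
    return parse_version(version) < FREERDP_FIRST_FIXED


def audit(inventory: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the hosts that need an upgrade, each with the reasons found."""
    findings = []
    for host in inventory:
        reasons = []
        if guacamole_affected(host["guacamole"]):
            reasons.append(
                f"Guacamole {host['guacamole']} is 1.1.0 or earlier "
                "(CVE-2020-9497, CVE-2020-9498)"
            )
        if freerdp_affected(host["freerdp"]):
            reasons.append(f"FreeRDP {host['freerdp']} is older than 2.0.0-rc4")
        if reasons:
            findings.append({"host": host["host"], "reasons": reasons})
    return findings


# Constructed sample inventory: hypothetical gateway hosts and their versions.
SAMPLE_INVENTORY = [
    {"host": "gw-01.example.internal", "guacamole": "1.1.0", "freerdp": "2.0.0-rc3"},
    {"host": "gw-02.example.internal", "guacamole": "1.0.0", "freerdp": "2.0.0-rc4"},
    {"host": "gw-03.example.internal", "guacamole": "1.2.0", "freerdp": "2.0.0"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```

Feed `audit()` the versions reported by your own gateways (for example from the package manager or the guacd banner) in place of the constructed list; the separate FreeRDP check matters because the text notes that a Guacamole build can remain exposed through the FreeRDP version it links against even after Guacamole itself is updated.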