A number of vulnerabilities were discovered in the Apache Guacamole remote access system. Many companies use Apache Guacamole to give administrators and employees remote access to Windows and Linux machines. The system became popular during the COVID-19 pandemic because it let people work from home while staying connected to company systems. Apache Guacamole is embedded in many network access and security solutions, including Quali, Fortress, and Fortigate. It is a widely used tool, with over 10 million Docker downloads.
Apache Guacamole is a clientless service: remote employees need no software installed on their own devices, since a web browser is enough to reach their company machine. Only system administrators install the software, and only on a server. Depending on the configuration, the connection to the target machine is made over SSH or RDP, with Guacamole acting as a gateway that relays traffic between the web browser and the remote device.
Check Point Research examined Apache Guacamole and identified several reverse RDP vulnerabilities in version 1.1.0 and earlier, as well as the same vulnerability in FreeRDP, Apache's free RDP implementation. Remote attackers can exploit these vulnerabilities to gain code execution, allowing them to take over servers and intercept sensitive information by eavesdropping on remote sessions. The researchers note that in a scenario where everyone works remotely, exploiting these vulnerabilities would amount to gaining full control of the entire organizational network.
Check Point Research described two ways to exploit the vulnerabilities. An attacker who has already compromised a desktop computer inside the network can exploit the vulnerabilities in the Guacamole gateway as soon as a remote worker signs in to reach that machine, and can then take control of the gateway and the networks it reaches. A malicious insider can likewise exploit the vulnerabilities to access the computers of other employees on the network.
The vulnerabilities permit Heartbleed-style data disclosure as well as read and write access on the vulnerable server. The researchers chained the vulnerabilities, escalated privileges to administrator, and obtained remote code execution. Check Point Research reported the chained vulnerabilities, CVE-2020-9497 and CVE-2020-9498, to the Apache Software Foundation, which released patches on June 28, 2020.
The researchers additionally found that CVE-2018-8786, a vulnerability in FreeRDP, can be exploited to take control of the gateway. All versions released before January 2020 bundle vulnerable FreeRDP versions (older than 2.0.0-rc4) and are exposed to CVE-2020-9498.
Every organization that uses Apache Guacamole should ensure the most recent version is installed on its servers.
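The practical follow-up to that advice is an inventory check: which gateways are still on an affected release? The script below is an added example, not code from the article or from the Apache Guacamole project. It applies the two thresholds the text gives (Guacamole 1.1.0 and earlier for CVE-2020-9497 and CVE-2020-9498; a bundled FreeRDP older than 2.0.0-rc4 as the outdated-FreeRDP condition, which the script reports under the FreeRDP identifier CVE-2018-8786 named in the text, an association assumed here) to a constructed host inventory. The hostnames and version pairs are made up, and the handling of release-candidate tags (an `rcN` build must sort before the final release with the same number) is the part a naive string comparison gets wrong.

```python
"""Flag Apache Guacamole deployments still on releases the article describes
as affected. Added example; version thresholds are taken from the text:
  - Guacamole 1.1.0 and earlier: CVE-2020-9497 / CVE-2020-9498 (patched June 28, 2020)
  - bundled FreeRDP older than 2.0.0-rc4: outdated FreeRDP, reported here as
    CVE-2018-8786 (the FreeRDP issue the text names; mapping assumed)
All hosts and versions below are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory: (hostname, Guacamole version, bundled FreeRDP version)
INVENTORY = [
    ("gw-01.example.internal", "1.0.0", "2.0.0-rc3"),
    ("gw-02.example.internal", "1.1.0", "2.0.0-rc4"),
    ("gw-03.example.internal", "1.2.0", "2.0.0"),
    ("gw-04.example.internal", "1.2.0", "2.1.1"),
]

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?$")
_FINAL_RELEASE = 10**6  # sentinel so a final release sorts after any rcN


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Parse 'X.Y.Z' or 'X.Y.Z-rcN' into a tuple that sorts correctly.

    The fourth component is N for a release candidate and a large sentinel
    for a final release, so 2.0.0-rc4 < 2.0.0 as intended.
    """
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch, rc = m.groups()
    rc_key = int(rc) if rc is not None else _FINAL_RELEASE
    return (int(major), int(minor), int(patch), rc_key)


GUAC_LAST_AFFECTED = parse_version("1.1.0")       # 1.1.0 and earlier affected
FREERDP_FIRST_OK = parse_version("2.0.0-rc4")     # anything older is outdated


def assess(guac_version: str, freerdp_version: str) -> List[str]:
    """Return the identifiers from the text that apply to one deployment."""
    findings: List[str] = []
    if parse_version(guac_version) <= GUAC_LAST_AFFECTED:
        findings += ["CVE-2020-9497", "CVE-2020-9498"]
    if parse_version(freerdp_version) < FREERDP_FIRST_OK:
        findings.append("CVE-2018-8786")  # outdated bundled FreeRDP (assumed mapping)
    return findings


def audit(inventory) -> Dict[str, List[str]]:
    """Map each host to its applicable identifiers; an empty list means up to date."""
    return {host: assess(guac, freerdp) for host, guac, freerdp in inventory}


if __name__ == "__main__":
    for host, findings in audit(INVENTORY).items():
        status = ", ".join(findings) if findings else "up to date"
        print(f"{host:28s} {status}")
```

Feed `audit()` the real output of your configuration-management or image-scanning tooling instead of `INVENTORY`; the version parser rejects strings it does not recognise rather than silently treating them as patched.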