Multiple Flaws in Apache Guacamole Leave Sour Taste for Corporate Networks

  • Check Point warns about an exploit chain leading “full network control” attack against corporate networks.
  • The discovered flaws concern the FreeRDP 2.0.0 and the Apache Guacamole 1.1.0 that is using it.
  • Apache was quick to respond and fix the identified and reported flaws, so users are advised to update immediately.

Check Point researchers have published a report on Apache Guacamole, presenting several critical vulnerabilities that plagued the popular software, leading to catastrophic remote attacks and privilege escalation. Apache was quick to push fixing patches after they received the tip from Check Point. Users are now advised to update to version 1.2.0 or later. Apache Guacamole is a particularly popular remote-work gateway that has had over 10 million docket downloads. With the Coronavirus situation, the interest of both companies and hackers towards these tools has become a lot hotter.

guacamole_figure_1
Source: Check Point

Check Point’s researchers found multiple vulnerabilities and a way to link them to a working exploitation chain. The result could be a full takeover of the Guacamole gateway and all of the connected sessions. The following short video briefly demonstrates the cyber attack.

As explained, Check Point had already done research on FreeRDP 2.0.0, which is a remote desktop protocol client used by Guacamole. Thus, they already knew about the flaws that plagued that component and had something to begin with. Here is a list of the flaws that affect Apache Guacamole 1.1.0:

  • CPR-ID-2141 / CVE-2020-9497 – Information disclosure vulnerability
  • CPR-ID-21412 / CVE-2020-9497 – Information disclosure vulnerability
  • CPR-ID-21413 / CVE-2020-9497 – Information disclosure vulnerability
  • CPR-ID-2144 / CVE-2020-9498 – Memory corruption vulnerability
  • CPR-ID-2145 and CPR-ID-2146 – Out-of-Bounds reads in FreeRDP

By exploiting the above flaws, the researchers can achieve a privilege escalation scenario that begins by taking over a single “guacd” process. The next step is to connect to the primary process over TCP port 4822, essentially jumping from lower to higher privileges. Next, content and layout are harvested from memory. From there, an attacker would request to join all of the existing connections by supplying the UUIDs that were “stolen” previously. In this stage, the actor may even turn on the “read-only” privilege in the connections, even if they’re not the owners. Finally, for any session that begins after the guacd process has been taken over, the attacker would simply have to repeat the exploit chain all over again.

guac_pe_fig_1
Source: Check Point

This report is highly critical because it does not present a way to compromise a single computer, but the gateway that handles all remote sessions on an organization’s network. If attackers were to launch an attack as previously described, they would be able to eavesdrop all communications that pass through the gateway, record all credentials used, and even start new sessions to access computers that are out of reach.

REVIEW OVERVIEW

Recent Articles

How to Watch FireKeepers Casino 400 Online: Live Stream NASCAR

We have another NASCAR Cup Series race just around the corner, which is the FireKeepers Casino 400. We plan on watching the FireKeepers Casino...

How to Watch Diesel Brothers: Monster Jam Breaking World Records Live Online

The Diesel Brothers are back for a special event on Discovery, in which they're going to try to set seven new Guinness World Records....

How to Find and Use Your ExpressVPN Activation Code – Plus, a Troubleshooting Guide to Activating ExpressVPN!

To activate ExpressVPN’s premium apps, you’ll need to supply an activation code. So, let’s talk about how to find and use your ExpressVPN activation...