Serious Vulnerabilities Identified in Apache Guacamole Remote Access Software

Several vulnerabilities have been discovered in the Apache Guacamole remote access system. Many companies use Apache Guacamole to give administrators and personnel remote access to Linux and Windows devices. The system became popular during the COVID-19 pandemic because it let people connect to their company's network while working from home. Apache Guacamole is built into various network access and security tools such as Fortigate, Fortress, and Quali. It is a notable tool that has attained over 10 million Docker downloads.

Remote employees do not need to install any app on their devices when using Apache Guacamole; they reach their office device through a web browser. The system administrator only installs the software on a server. The server establishes the connection to the target machine using SSH or RDP, while Guacamole acts as the link that relays messages between the browser and the user's device.

Check Point Research's investigation of Apache Guacamole uncovered several reverse RDP vulnerabilities in version 1.1.0 and earlier. A similar vulnerability was found in FreeRDP, the open-source RDP implementation that Guacamole uses. Attackers could exploit the vulnerabilities remotely to achieve code execution, hijack servers, and obtain sensitive information by eavesdropping on the communications of remote sessions. The researchers observed that, when all employees are working remotely, exploitation of these vulnerabilities could give an attacker total control of the whole organizational system.

Check Point Research described two ways of exploiting the vulnerabilities. After gaining access to a compromised PC on the network, an attacker could exploit the Guacamole gateway vulnerabilities as soon as a remote employee signs in and uses the device, taking control of the gateway as well as the remote systems. Further exploitation by a malicious insider could give access to the computers of other employees within the network.

The vulnerabilities can produce Heartbleed-style data disclosure and give the attacker read and write access to the vulnerable server. Check Point Research chained the vulnerabilities CVE-2020-9497 and CVE-2020-9498 to obtain administrator privileges and remote code execution. The researchers reported the bundled vulnerabilities to the Apache Software Foundation, and patches became available on June 28, 2020.

The researchers also found vulnerability CVE-2018-8786 in FreeRDP, which when exploited could lead to manipulation of the gateway. Guacamole releases from before January 2020 use FreeRDP versions older than 2.0.0-rc4, which are affected by the CVE-2020-9498 vulnerability.

All companies that use Apache Guacamole should make sure the latest version of Apache Guacamole is installed on their servers.