Serious Flaws Discovered in Apache Guacamole Remote Access Software

by Patrick Kennedy | Jul 5, 2020

Several security flaws have been discovered in Apache Guacamole, a remote access system that many companies have deployed to let administrators and employees reach Windows and Linux devices remotely.

The system has proven popular since the beginning of the COVID-19 pandemic because it allows staff members to work from home and connect to the corporate network. Apache Guacamole is also embedded in many network access and security products, including Fortress, Quali, and Fortigate, and is one of the main tools on the market, with over 10 million Docker downloads.

Apache Guacamole is a clientless solution, meaning remote workers do not need to install any software on their devices; they simply use a web browser to reach their corporate device. System administrators only need to install the software on a server. Depending on how the system is set up, the connection is made over SSH or RDP, with Guacamole acting as an intermediary between the browser and the device the user wants to reach, relaying traffic between the two.

Check Point Research reviewed Apache Guacamole and found several reverse RDP vulnerabilities in Apache Guacamole 1.1.0 and earlier versions, along with a similar flaw in FreeRDP, Apache's free implementation of RDP. Remote attackers could exploit the flaws to achieve code execution, allowing them to hijack servers and capture sensitive data by eavesdropping on remote sessions. The researchers remarked that, in a situation where virtually all employees are working remotely, exploitation of these vulnerabilities would be akin to obtaining full control of the entire organizational network.

According to Check Point Research, these weaknesses could be exploited in two ways. If an attacker already has a foothold in the network and has compromised a desktop computer, the flaws could be used to attack the Guacamole gateway when a remote worker logs in and connects to that device. The attacker could then take full control of the gateway and of every remote connection passing through it. The flaws could also be exploited by a malicious insider to gain access to the computers of other workers in the organization.

The flaws permit Heartbleed-style information disclosure, as the researchers demonstrated, as well as read and write access to the vulnerable server. The researchers chained the flaws together, elevated privileges to admin, and then achieved remote code execution. The vulnerabilities, tracked as CVE-2020-9497 and CVE-2020-9498, were reported to the Apache Software Foundation, and patches were made available on June 28, 2020.

The researchers also found that CVE-2018-8786, a vulnerability in FreeRDP, could be used to take control of the gateway. Every version released before January 2020, when FreeRDP 2.0.0-rc4 became available, uses a vulnerable FreeRDP build and is affected by the CVE-2020-9498 flaw.

All organizations running Apache Guacamole should ensure the most recent version of Apache Guacamole is installed on their servers.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.
