Serious Flaws Discovered in Apache Guacamole Remote Access Software

Several security flaws have been discovered in the remote access system, Apache Guacamole, a system which has been implemented by many companies to allow administrators and employees to access Windows and Linux devices remotely.

The system has proven popular since the beginning of the COVID-19 pandemic for allowing staff members to work from home and connect to the corporate network. Apache Guacamole is also embedded into many network accessibility and security products including Fortress, Quali, and Fortigate and is one of the main tools on the market with over 10 million Docker downloads.

Apache Guacamole is a clientless solution, meaning remote workers do not need to download any software on their devices. They can just use a web browser to access their corporate device. System administrators only need to download the software on a server. Depending on how the system is set up, a connection is made using SSH or RDP with Guacamole acting as an intermediary between the browser and the device the user wants to link up to, relaying communications between the two.

Check Point Research reviewed Apache Guacamole and found several reverse RDP vulnerabilities in Apache Guacamole 1.1.0 and previous versions, and a similar flaw in FreeRDP, Apache’s free implementation of RDP. The flaws could be targeted by remote hackers to achieve code execution, allowing them to hijack servers and capture sensitive data by eavesdropping on conversations on remote sessions. The experts remarked that, in a situation where virtually all employees are working remotely, exploitation of these vulnerabilities would be akin to obtaining full control of the entire organizational network.

According to Check Point Research, these weaknesses could be targeted in two ways. If a hacker already has a foothold in the network and has compromised a desktop computer, the flaws could be exploited to attack the Guacamole gateway when a remote worker tries to login and access the device. The attacker could then take full management of the gateway and any remote connections. The flaws could also be exploited by a malicious insider to gain access to the computers of other workers in the group.

The flaws could make it possible for Heartbleed-style information disclosure, as was demonstrated by the researchers, and also permit read and write access to the susceptible server. The researchers linked the flaws together, elevated privileges to admin, then achieved remote code execution. The vulnerabilities, grouped together under the CVEs CVE-2020-9497 and CVE-2020-9498, were made known to the Apache Software Foundation and patches were made available on June 28, 2020.

The experts also found the vulnerability CVE-2018-8786 in FreeRDP could also be used to take management of the gateway. All versions of FreeRDP prior to January 2020 – version 2.0.0-rc4 – are using vulnerable versions of FreeRDP with the CVE-2020-9498 flaw.

All groups that have implemented Apache Guacamole should ensure they have the most recent version of Apache Guacamole downloaded to their servers.