CVE-2020-9497/9498: Apache Guacamole Gateway Remote Code Execution Vulnerability Alert

Recently, Apache Guacamole officially released the risk notification for the remote code execution vulnerability in the Guacamole gateway. The vulnerability number is CVE-2020-9497/CVE-2020-9498, and the vulnerability level is medium. Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.

Apache Guacamole has a leak memory vulnerability. By attacking any remote server in Guacamole management and inducing Guacamole to connect, the attacker can completely control all remote desktop sessions of the Guacamole and its connection (including but not limited to: Upload and download any remote host file; execute any program/command on any remote host, etc.)

Vulnerability Details

• Dangling pointer in RDP static virtual channel handling (CVE-2020-9498)

  Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.

  Acknowledgements: We would like to thank Eyal Itkin (Check Point Research) for reporting this issue.

• Improper input validation of RDP static virtual channels (CVE-2020-9497)

  Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.

Affected version

• Apache Guacamole：< 1.2.0

Solution

In this regard, we recommend that users upgrade Apache Guacamole to 1.2.0 in time.