Security researchers have discovered multiple vulnerabilities in the Apache Guacamole remote access system used by thousands of companies to support home workers.
Apache Guacamole is a clientless remote desktop gateway that allows remote workers to access their corporate computers or virtual desktops in the cloud through a web browser. Apache Guacamole supports standard protocols such as VNC, SSH, RDP. The Guacamole server uses one of its supported protocols to connect the client to their corporate computer.
The software is open source and free to use and has proven popular with many companies during the COVID-19 pandemic for supporting a largely remote workforce. Once the software has ben installed on a server it can be used by employees to access their computers. The software has been downloaded more than 10 million times from Docker and is embedded in several products, including Fortigate and Quali.
The software, which was developed by the Apache Software Foundation, was evaluated by security researchers at Check Point at the start of the COVID-19 pandemic to determine if the solution was suitable as a remote access system to support its 5,000 strong workforce. The evaluation started in mid-February and the researchers soon identified some security issues. Further investigation uncovered even more vulnerabilities, some of which would allow an attacker to take full control of the gateway and all devices that connect to it. Reverse RDP vulnerabilities were identified in the Guacamole infrastructure and additional vulnerabilities were also identified in FreeRDP, Apache’s free implementation of RDP.
Check Point demonstrated an attack by chaining together the vulnerabilities. A memory corruption vulnerability, CVE-2020-9498, was identified along with two information disclosure bugs, grouped together under CVE-2020-9497. These were chained together in an attack only requiring privilege escalation to achieve RCE. The researchers identified a path to privilege escalation which allowed them to take full control of the gateway and achieve remote code execution.
If an attacker had already compromised a computer inside the organization, an attack could be conducted on the Guacamole gateway when an employee attempted to connect to the gateway to access their infected corporate computer, allowing the attacker to take full control of the gateway. The vulnerabilities could also be exploited by a malicious insider to take control of both ends of the connection, and then take control of the gateway.
If an attacker takes control of the gateway, all incoming sessions are put at risk. It would be possible for all credentials used to access the system to be obtained, the attacker could eavesdrop on all sessions, and could even initiate new sessions and take control of all computers in the organization. “When most of the organization is working remotely, this foothold is equivalent to gaining full control over the entire organizational network,” explained Check Point researcher Eyal Itkin.
Check Point reported the vulnerabilities to Apache in March and the flaws were patched on May 8, 2020. The official patch was released on June 28, 2020.
All versions of Apache Guacamole released prior to January 2020 use FreeRDP, so are vulnerable to attack. All companies that use Guacamole for remote access are strongly advised to update to the latest version – Version 1.2.0 or later – as soon as possible to prevent exploitation.