Researchers: Attackers Can Steal Data or Run Remote Code Execution
Demonstration of how attackers could use Apache Guacamole to run remote code execution (Source: Check Point Research)
Apache Guacamole, a popular, open-source application that allows administrators or employees to remotely connect to Windows or Linux devices, contains several vulnerabilities that could allow attackers to steal data or achieve remote code execution, according to a report from Check Point Research.
The research specifies that Apache Guacamole servers are susceptible to multiple critical reverse remote desktop protocol vulnerabilities. If exploited, these flaws could allow an attacker to hijack a server and intercept or redirect these remote sessions. Check Point also found the Apache FreeRDP feature, which allows users to implement RDP, is vulnerable to a similar flaw.
The discovery of these issues comes at a time when employees and administrators are relying more on protocols such as RDP to connect to devices due to work-from-home policies implemented during the COVID-19 pandemic.
At the same time, hackers are taking advantage of poorly secured RDP connections to gain footholds within organizations’ networks. Earlier this month, security firm ESET noted that brute-force attacks targeting RDP connections have spiked to 100,000 incidents per day in April and May (see: Brute-Force Attacks Targeting RDP on the Rise).
“This transition from onsite to off premise work means that IT solutions for remotely connecting to the corporate network are now used more than ever,” Eyal Itkin, a researcher with Check Point, notes in the report. “This also means that any security vulnerability in these solutions will have a much greater impact, as companies rely on this technology to keep their businesses functioning.”
After discovering the vulnerabilities in Apache Guacamole in March, Check Point researchers contacted the Apache Software Foundation, and patches were issued on June 28. Both Check Point and the Apache Foundation are urging organizations to apply the patch as soon as possible.
How Guacamole Works
Guacamole allows an employee or an administrator to connect to a corporate device by using a web browser. Depending on how the network is configured, the Guacamole server selects a protocol, such as RDP or SSH, and uses an open-source client to connect to the specific device. Once connected, Guacamole acts as a middle-man that relays messages and communications back and forth between the user and the device, Itkin notes in the report.
Since Apache released Guacamole, it has proven popular with organizations and currently has 10 million Docker downloads, according to Check Point.
An attacker who successfully exploits the vulnerabilities in Guacamole can then gain control of the gateway and the connection between the user and the device. This can lead to the attacker using remote code execution to take over the entire server and even escalate privileges, according to the report.
“These vulnerabilities allow an attacker, who has already successfully compromised a computer inside the organization, to launch an attack on the Guacamole gateway when an unsuspecting worker tries to connect to an infected machine,” Itkin notes in the report. “The malicious actor can then achieve full control over the Guacamole-server, and intercept and control all other connected sessions.”
The Check Point researchers identified two of these remote desktop protocol flaws in Apache Guacamole 1.1.0, as well as some older versions of the software.
Check Point notes there are two attack scenarios for exploiting these flaws. The first is an attacker who already has a foothold within the network. The second is a so-called “malicious worker,” an insider who wants to gain access to other employees’ devices and communications.
The first vulnerability, which is tracked as CVE-2020-9497, relates to how Apache Guacamole validates data received from RDP servers, according to Check Point. The researchers note that by exploiting this vulnerability, they were able to implement “a massive, Heartbleed-style information disclosure.”
The second vulnerability, designated CVE-2020-9498, is a memory corruption flaw that can lead to a use-after-free condition, giving an attacker the ability to read and write memory within the vulnerable server, the report notes.
In addition to those two vulnerabilities, Check Point found a flaw in FreeRDP – tracked as CVE-2018-8786 – that can cause an out-of-bounds read, which in turn can allow an attacker to take over the server and intercept data, the report notes.
Although Apache issued patches for the two RDP vulnerabilities, the Check Point researchers note that attackers can still exploit the FreeRDP flaw on installations that have not updated their FreeRDP component.