[SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels

mjumper
Administrator
CVE-2020-9497: Improper input validation of RDP static virtual channels

Versions affected:
Apache Guacamole 1.1.0 and earlier

Description:
Apache Guacamole 1.1.0 and older do not properly validate data
received from RDP servers via static virtual channels. If a user
connects to a malicious or compromised RDP server, specially-crafted
PDUs could result in disclosure of information within the memory of
the guacd process handling the connection.

Mitigation:
Users of versions of Apache Guacamole 1.1.0 and older that provide
access to untrusted RDP servers should upgrade to 1.2.0.

Credit:
We would like to thank the GitHub Security Lab and Eyal Itkin (Check
Point Research) for reporting this issue.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

RE: [SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels

DMoscovitch
Hi Mike,
Would the recent CVE's be able to affect a guacserver that did not have the guacsnd.so and guaccdr.so   linked in? (ie no sound and redirection functional)?

 danielm

-----Original Message-----
From: Mike Jumper <[hidden email]>
Sent: Wednesday, July 1, 2020 11:14 PM
To: [hidden email]; [hidden email]; [hidden email]; [hidden email]
Cc: [hidden email]; [hidden email]
Subject: [SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels

CVE-2020-9497: Improper input validation of RDP static virtual channels

Versions affected:
Apache Guacamole 1.1.0 and earlier

Description:
Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.

Mitigation:
Users of versions of Apache Guacamole 1.1.0 and older that provide access to untrusted RDP servers should upgrade to 1.2.0.

Credit:
We would like to thank the GitHub Security Lab and Eyal Itkin (Check Point Research) for reporting this issue.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels

mjumper
Administrator
On Fri, Jul 3, 2020, 13:55 Daniel Moscovitch <[hidden email]> wrote:
Hi Mike,
Would the recent CVE's be able to affect a guacserver that did not have the guacsnd.so and guaccdr.so   linked in? (ie no sound and redirection functional)?

No, you would need sound, drive, printing, or audio input enabled. If you cannot upgrade, removing those should be sufficient.

You would also need to have a compromised/malicious RDP server, so this would mainly be of concern for those that provide access to untrusted servers or those whose users are administrators on those servers.

- Mike