[SECURITY] CVE-2020-9498: Apache Guacamole: Dangling pointer in RDP static virtual channel handling

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[SECURITY] CVE-2020-9498: Apache Guacamole: Dangling pointer in RDP static virtual channel handling

mjumper
Administrator
CVE-2020-9498: Dangling pointer in RDP static virtual channel handling

Versions affected:
Apache Guacamole 1.1.0 and earlier

Description:
Apache Guacamole 1.1.0 and older may mishandle pointers involved in
processing data received via RDP static virtual channels. If a user
connects to a malicious or compromised RDP server, a series of
specially-crafted PDUs could result in memory corruption, possibly
allowing arbitrary code to be executed with the privileges of the
running guacd process.

Mitigation:
Users of versions of Apache Guacamole 1.1.0 and older that provide
access to untrusted RDP servers should upgrade to 1.2.0.

Credit:
We would like to thank Eyal Itkin (Check Point Research) for reporting
this issue.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]