Apache Guacamole Flaw – RDP at Risk
Apache Guacamole, a popular open-source, clientless remote desktop gateway that supports protocols like VNC, RDP, and SSH, has been recently found to have multiple critical reverse RDP vulnerabilities. The flaws, first reported by Check Point Research, could potentially let threat actors achieve full control over the targeted Guacamole server, intercept, and control all other connected sessions. Check Point Research has found that all versions of Guacamole that were released prior to January of this year are using vulnerable versions of the software. A threat actor looking exploit this vulnerability would first need to compromise a system inside the organization and then once the exploited machine is accessed remotely via Guacamole, the threat actor would then be able to compromise the victim’s remote machine.
The researchers at Check Point analyzed two potential attack vectors: Reverse Attack Scenario and Malicious Worker Scenario. In the former, a compromised machine inside the company network will leverage the incoming connection and attack back via Guacamole, aiming to take it over; in the latter, a malicious employee, together with his or her computer inside the network, can leverage hold on both ends of the connection in order to take over the gateway.
Check Point researchers were quickly able to duplicate the exploit in a lab setting and quickly set up a proof-of-concept to send back to the Apache team. Together, researchers were able to build a patch within 24 hours of first finding the vulnerability.
“Within 24 hours from the finding and testing, we implemented the security fix and became the first production environment to be secured against this security vulnerability, thus ensuring that our employees can safely connect remotely,” says Jonathan Fischbein, CISO at Check Point.
Apache has since patched the vulnerabilities and issued 2 CVE-IDs to the reported vulnerabilities.
It’s important to note that when most of an organization is working remotely, if a threat actor is able to leverage an exploit to the extent of the previously discussed Apache Guacamole, that foothold is equivalent to having full control over the entire target’s network. It is strongly recommended that organizations make sure that their servers are up-to-date and that they are following a robust patch cycle.
Sources: