Reverse RDP vulnerabilities found in Apache Guacamole remote work app

Critical flaws in the popular remote desktop application put many servers at risk since bugs can allow attackers to take full control

Popular open-source application with critical flaws


System administrators use the Apache Guacamole application to access and manage Windows and Linux machines remotely. It is a popular application, and right now it leaves many organizations at risk of attack.[1] Researchers have revealed[2] critical RDP vulnerabilities in the program that could let attackers gain full control over the Guacamole server. Beyond that control, an attacker could intercept, manipulate and create other connected sessions.

An attacker who has already compromised a computer inside the organization can launch an attack on the Guacamole gateway when an unsuspecting worker tries to connect to that infected machine.

A patched version of Apache Guacamole has already been released, but this open-source program is widely used all over the world, so some servers may already have been compromised while others remain vulnerable. The company was informed and took responsibility, but the application has amassed over 10 million downloads to date on Docker Hub, so many users are potentially at risk right now.[3]

The vulnerabilities in FreeRDP were only patched in version 2.0.0-rc4, which means that all Guacamole versions released before January 2020 use a vulnerable version of FreeRDP.

Attackers get to access the server fully if vulnerabilities get exploited

Malicious actors can take over the system by compromising a device inside the company's network and then leveraging an incoming connection to that device. This is a reverse attack method. Alternatively, a malicious worker who already controls a computer inside the network holds both ends of the connection and can use that position to take control of the gateway.

Researchers showed that, to launch either of these attacks, an attacker needs to chain the information-disclosure bugs with the memory-corruption issue. Privilege escalation is then needed to gain full control over the system.

The information-disclosure flaws were identified in the developers' custom implementation of an RDP channel that handles audio packets from the server. One of them lets an attacker send a crafted, malicious message to the server; a second bug transmits the leaked information to a connected client.

The memory-corruption vulnerability can be exploited and lead to data leaks. Two out-of-bounds reads in FreeRDP were used.[4] The memory-corruption flaw breaks memory safety at the abstraction layer, leaving a dangling pointer that, when all of these bugs are exploited in combination, allows the attacker to execute arbitrary code on the machine.
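As an added illustration of the bug class described above (this is constructed example code, not code from FreeRDP, Guacamole or the researchers), the following C program contrasts the unchecked handling of a peer-supplied length field, which is how an out-of-bounds read typically arises when parsing channel messages, with a bounds-checked parser that rejects the same input before any copy happens. The two-byte little-endian length header and the sample PDUs are assumptions made for the example, not the real RDP audio-channel format.

```c
/* Constructed example: bounds-checked parsing of a length-prefixed channel PDU.
 * Not FreeRDP or Guacamole source. The PDU layout assumed here is
 * [2-byte little-endian payload length][payload]. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PARSE_OK          0
#define PARSE_TRUNCATED  -1   /* header or declared payload runs past the received bytes */
#define PARSE_TOO_LARGE  -2   /* declared payload exceeds the caller's output buffer */

/* Read a 16-bit little-endian field without depending on host endianness. */
static uint16_t read_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Unchecked pattern, measured rather than executed: returns how many bytes a
 * memcpy that trusts the declared length would read past the end of `buf`
 * (0 when the read stays in bounds). It deliberately performs no copy. */
size_t overread_bytes(const uint8_t *buf, size_t buf_len) {
    if (buf_len < 2) return 2 - buf_len;           /* even the header is short */
    size_t declared  = read_le16(buf);
    size_t available = buf_len - 2;
    return declared > available ? declared - available : 0;
}

/* Hardened pattern: every length taken from the wire is validated against the
 * bytes actually received, and against the destination capacity, before any
 * pointer arithmetic or copy. */
int parse_pdu(const uint8_t *buf, size_t buf_len,
              uint8_t *out, size_t out_cap, size_t *out_len) {
    if (buf_len < 2) return PARSE_TRUNCATED;
    size_t declared = read_le16(buf);
    if (declared > buf_len - 2) return PARSE_TRUNCATED;
    if (declared > out_cap)     return PARSE_TOO_LARGE;
    memcpy(out, buf + 2, declared);
    *out_len = declared;
    return PARSE_OK;
}

/* Constructed sample PDUs. */
const uint8_t good_pdu[] = { 0x04, 0x00, 0xAA, 0xBB, 0xCC, 0xDD };  /* declares 4, carries 4 */
const uint8_t bad_pdu[]  = { 0x10, 0x00, 0xAA, 0xBB };              /* declares 16, carries 2 */

int main(void) {
    uint8_t out[64];
    size_t n = 0;
    printf("good: rc=%d len=%zu\n",
           parse_pdu(good_pdu, sizeof good_pdu, out, sizeof out, &n), n);
    printf("bad:  rc=%d, unchecked copy would over-read %zu bytes\n",
           parse_pdu(bad_pdu, sizeof bad_pdu, out, sizeof out, &n),
           overread_bytes(bad_pdu, sizeof bad_pdu));
    return 0;
}
```

The point for reviewers of protocol code is that the check in `parse_pdu` compares the declared length against `buf_len - 2`, the bytes actually present after the header, rather than against any value the peer controls; the malformed PDU is rejected with `PARSE_TRUNCATED` instead of being read 14 bytes past its end.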

Privilege escalation needed to freely run the attack on Guacamole server

In addition to exploiting those vulnerabilities, the researchers found that privilege escalation not only lets an attacker take control of the Guacamole server but also lets them eavesdrop on all sessions, record the credentials used, start new sessions and control other computers on the organization's network.

Attackers might use this pandemic period to focus on remote work tools like these.[5] More organizations are exposing internally used services externally to make work easier for employees. However, doing so also opens systems to potential malware attacks and exposes networks to threat actors, so experts note:

We strongly recommend that everyone makes sure that all servers are up to date, and that whatever technology is used for working from home is fully patched to block such attack attempts.