CVE-2020-9498: Dangling pointer in RDP static virtual channel handling
Severity: | Medium |
CVSS v3.1 base score: | 5.9 |
CVSS v3.1 vector: |
Software affected
Glyptodon Enterprise 1.12 and older
Glyptodon Enterprise 2.0
Description
Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.
Preconditions for exploitation
Sufficient privileges to compromise an RDP server, replacing its standard RDP service with a malicious service.
A Guacamole user account that has been granted access to that RDP server by the Guacamole administrator.
Results of a successful attack
Resource access equivalent to that of the Guacamole administrator (the ability to control guacd).
Mitigation
Both Glyptodon Enterprise 1.x and 2.x have been patched with respect to this vulnerability. Users should evaluate their exposure/risk based on this advisory and plan to upgrade when possible.
Analysis and CVSS score breakdown
| Metric | Value | Comments |
|---|---|---|
Attack Vector | Local | Exploiting this vulnerability relies on two factors: (1) a compromised or malicious RDP server and (2) a deployment of Apache Guacamole which has been configured by an administrator to connect to that RDP server. Exploiting this vulnerability thus requires a local user account on the RDP server in question. |
Attack Complexity | High | Exploiting this vulnerability requires the attacker to first compromise an RDP server to which Apache Guacamole has been configured to connect by an administrator. |
Privileges Required | High | Exploiting this vulnerability relies on two factors: (1) a compromised or malicious RDP server and (2) a deployment of Apache Guacamole which has been configured by an administrator to connect to that RDP server. Exploiting this vulnerability thus requires a local user account on the RDP server in question with sufficient privileges to replace the standard RDP service with a malicious or compromised service. |
User Interaction | None | An attacker would require no additional user interaction beyond their own. |
Scope | Unchanged | The scope of any attack remains bounded by the privileges granted to the guacd process. |
Confidentiality Impact | High | Arbitrary code executed through this vulnerability runs with the privileges of the guacd process. The executed code would be able to specifically access any information available to the guacd process, whether in memory or on disk. |
Integrity | High | Arbitrary code executed through this vulnerability runs with the privileges of the guacd process. The executed code would be able to specifically access or modify any data that the guacd process itself can modify. |
Availability | High | Arbitrary code executed through this vulnerability runs with the privileges of the guacd process, and thus would be able to affect the availability of other connections or the guacd process itself. |
Exploitability | Functional exploit exists | The original reporter of the vulnerability has published examples describing how a vulnerable deployment can be exploited. |
Remediation Level | Official fix available | The upstream Apache Guacamole project has released a fix via their 1.2.0 release, and this fix has been backported to all affected versions of Glyptodon Enterprise. |
Report Confidence | Confirmed | Existence of the vulnerability in Apache Guacamole 1.1.0 and older has been acknowledged by the upstream Apache Guacamole project. |
Last updated