CVE-2021-41767: Private tunnel identifier may be included in the non-private details of active connections

Severity:

Medium

CVSS v3.1 score:

4.4 (the base metrics alone score 4.6; the Remediation Level and Report Confidence temporal metrics included in the breakdown below bring the score to 4.4)

CVSS v3.1 vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/RL:O/RC:C (as given by the metric values in the breakdown below)
Software affected

  • Glyptodon Enterprise 1.15 and older

  • Glyptodon Enterprise 2.5 and older

Description

Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses. The identifier of an HTTP tunnel is what a client presents to read from and write to that tunnel, so exposing it to other users effectively hands them a handle to the live session. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user's active use of that same connection.

Preconditions for exploitation

  • Multiple users share access to the same connection, that connection is (1) already in use and (2) was established using the HTTP tunnel instead of WebSocket. Only the HTTP tunnel addresses its read and write requests by tunnel identifier, so only an HTTP tunnel can be attached to with a leaked identifier.

Results of a successful attack

  • A user with access to a connection that is already in use by another user via the HTTP tunnel is able to read instantaneous blocks of transmitted connection data, as well as transmit data over that connection.
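To make the failure mode concrete, the following is an added Python example, not Guacamole's code: an active-connection record that carries a private tunnel handle is serialized into a REST response in two ways (a reflective dump of every attribute, and an explicit allow-list), and a checker walks any JSON-like response for occurrences of a private tunnel identifier. The record and response field names are assumptions chosen for illustration, and the sample identifiers are constructed.

```python
"""Illustration of the CVE-2021-41767 leak pattern (constructed example, not
Guacamole's code): an internal record holding a private tunnel handle is
serialized wholesale into a REST response, so the tunnel's identifier reaches
every user allowed to list active connections. Field names are assumptions."""
from dataclasses import dataclass

# Constructed sample identifiers (not real Guacamole values).
TUNNEL_UUID = "1b4e28ba-2fa1-11d2-883f-0016d3cca427"
RECORD_ID = "7c9e6679-7425-40de-944b-e07fc1f90ae7"


@dataclass
class Tunnel:
    """Server-side tunnel. Its uuid is a private bearer handle: whoever
    presents it can read from and write to the tunnel."""
    uuid: str


@dataclass
class ActiveConnectionRecord:
    identifier: str             # id of this active-connection record
    connection_identifier: str  # id of the configured connection in use
    username: str
    remote_host: str
    tunnel: Tunnel              # private: must never leave the server


def serialize_naive(record):
    """Vulnerable pattern: reflectively dump every attribute, nested objects
    included. The tunnel's uuid rides along into the response."""
    def to_plain(obj):
        if hasattr(obj, "__dict__"):
            return {k: to_plain(v) for k, v in vars(obj).items()}
        return obj
    return to_plain(record)


def serialize_dto(record):
    """Hardened pattern: an explicit allow-list of public fields. Anything not
    named here (the tunnel and its uuid) cannot be serialized by accident."""
    return {
        "identifier": record.identifier,
        "connectionIdentifier": record.connection_identifier,
        "username": record.username,
        "remoteHost": record.remote_host,
    }


def find_leaked_tunnel_ids(response, private_ids, path="$"):
    """Walk an arbitrary JSON-like response (dicts, lists, scalars) and return
    the JSON paths at which any private tunnel identifier appears. Usable as a
    regression check against any REST response, not only the active-connection
    listing."""
    hits = []
    if isinstance(response, dict):
        for key, value in response.items():
            hits += find_leaked_tunnel_ids(value, private_ids, f"{path}.{key}")
    elif isinstance(response, list):
        for index, value in enumerate(response):
            hits += find_leaked_tunnel_ids(value, private_ids, f"{path}[{index}]")
    elif isinstance(response, str) and response in private_ids:
        hits.append(path)
    return hits


def demo():
    """Build one active connection and compare both serializations.
    Returns (paths leaked by the naive form, paths leaked by the DTO form)."""
    tunnel = Tunnel(uuid=TUNNEL_UUID)
    record = ActiveConnectionRecord(
        identifier=RECORD_ID,
        connection_identifier="42",
        username="alice",
        remote_host="198.51.100.7",
        tunnel=tunnel,
    )
    private = {tunnel.uuid}
    # Responses shaped as a listing keyed by active-connection record id.
    leaky = {record.identifier: serialize_naive(record)}
    fixed = {record.identifier: serialize_dto(record)}
    return find_leaked_tunnel_ids(leaky, private), find_leaked_tunnel_ids(fixed, private)


if __name__ == "__main__":
    leaked, clean = demo()
    print("naive serialization leaks tunnel id at:", leaked)
    print("allow-list serialization leaks at:", clean)
```

The design point is the second serializer: a response object that names its public fields cannot leak a private handle added to the underlying record later, whereas reflective serialization of internal objects makes every new private field a potential disclosure.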

Mitigation

Both Glyptodon Enterprise 1.x and 2.x have been patched with respect to this vulnerability. Users should evaluate their exposure/risk based on this advisory and plan to upgrade when possible.

Analysis and CVSS score breakdown

Metric / Value / Comments

Attack Vector: Network

Exploiting this vulnerability relies only on communicating with the web application through standard mechanisms, as already exposed by Guacamole's web interface.

Attack Complexity: Low

Exploiting this vulnerability requires limited technical ability, as the information in question is retrieved through standard mechanisms already exposed by Guacamole's web interface.

Privileges Required: Low

Obtaining the information in question requires a user account with access to one or more connections. Information on active connection usage can be retrieved only for connections accessible by the user.

User Interaction: Required

Another user must establish a connection through the HTTP tunnel before an attacker may attempt to exploit the issue.

Scope: Unchanged

The vulnerable and impacted component are the same Guacamole instance; the information obtained does not extend beyond connections Guacamole is explicitly designed to make available to the attacking user.

Confidentiality Impact: Low

Retrievable information is limited to instantaneous data transmitted over an active connection that the current user may also access.

Integrity Impact: Low

Writable/modifiable information is limited to interactive data transmitted over an active connection that the current user may also access.

Availability Impact: None

The availability of Guacamole and all related services is unaffected.

Remediation Level: Official fix available

The upstream Apache Guacamole project has released a fix via their 1.4.0 release, and this fix has been backported to all affected versions of Glyptodon Enterprise.

Report Confidence: Confirmed

Existence of the vulnerability in Apache Guacamole 1.3.0 and older has been acknowledged by the upstream Apache Guacamole project.
