|CVSS v3.1 base score:||1.8|
|CVSS v3.1 vector:||AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C|
- Glyptodon Enterprise 1.12 and older
- Glyptodon Enterprise 2.0
Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.
Preconditions for exploitation
- Sufficient privileges to compromise an RDP server, replacing its standard RDP service with a malicious service.
- A Guacamole user account that has been granted access to that RDP server by the Guacamole administrator.
Results of a successful attack
- Non-directable access to information otherwise only available to the Guacamole administrator (information within the memory of guacd).
Both Glyptodon Enterprise 1.x and 2.x have been patched with respect to this vulnerability. Users should evaluate their exposure/risk based on this advisory and plan to upgrade when possible.
Analysis and CVSS score breakdown
|Attack Vector||Local||Exploiting this vulnerability relies on two factors: (1) a compromised or malicious RDP server and (2) a deployment of Apache Guacamole which has been configured by an administrator to connect to that RDP server. Exploiting this vulnerability thus requires a local user account on the RDP server in question.|
|Attack Complexity||High||Exploiting this vulnerability requires the attacker to first compromise an RDP server to which Apache Guacamole has been configured to connect by an administrator.|
|Privileges Required||High||Exploiting this vulnerability relies on two factors: (1) a compromised or malicious RDP server and (2) a deployment of Apache Guacamole which has been configured by an administrator to connect to that RDP server. Exploiting this vulnerability thus requires a local user account on the RDP server in question with sufficient privileges to replace the standard RDP service with a malicious or compromised service.|
|User Interaction||None||An attacker would require no additional user interaction beyond their own.|
|Scope||Unchanged||The information disclosed via a successful attack is limited to the information already accessible to the guacd process.|
|Confidentiality Impact||Low||The information disclosed via a successful attack is limited to the information within the memory of the guacd process and cannot be specifically targeted. The attacker does not have control over what information is obtained.|
|Integrity||None||No modification of data is possible through exploiting this vulnerability.|
|Availability||None||Each new connection runs within its own, dedicated child process of guacd. It is possible for an attempt to exploit this vulnerability to cause a crash of that child process (to cause the connection to the compromised/malicious RDP server to disconnect), however the impact is limited to the individual connection being serviced by that process.|
|Exploitability||Functional exploit exists||One of the original reporters of the vulnerability has published examples describing how a vulnerable deployment can be exploited.|
|Remediation Level||Official fix available||The upstream Apache Guacamole project has released a fix via their 1.2.0 release, and this fix has been backported to all affected versions of Glyptodon Enterprise.|
|Report Confidence||Confirmed||Existence of the vulnerability in Apache Guacamole 1.1.0 and older has been acknowledged by the upstream Apache Guacamole project.|