CVE-2020-9497

Vulnerability

Apache Guacamole versions 1.1.0 and older do not properly validate data received from RDP servers through static virtual channels. When a user connects to a malicious or compromised RDP server, specially crafted Protocol Data Units (PDUs) can trigger memory disclosure in the guacd process handling the connection [1]. The vulnerability resides in the RDP protocol handling code and requires no special configuration beyond a standard Guacamole deployment [1].

Exploitation

An attacker must first compromise an RDP server that a Guacamole user will connect to [1]. The attacker then sends malicious static virtual channel PDUs to the connecting Guacamole gateway [1]. No authentication bypass or prior access to the gateway is required; the exploit is triggered automatically during the normal RDP session setup and data exchange [1]. The attack does not require user interaction beyond the user initiating a connection to the target RDP server [1].

Impact

Successful exploitation results in disclosure of information from the memory of the guacd process [1]. The disclosed memory may contain sensitive data from other connected Guacamole sessions, including credentials or session content [1]. Under certain conditions, this memory leak could be chained with other vulnerabilities to achieve remote code execution on the gateway server [1].

Mitigation

Apache Guacamole 1.2.0 and later contain the fix for this vulnerability [1]. Users and administrators should upgrade to version 1.2.0 or later [1]. As of July 2020, no workaround is available for versions 1.1.0 and older [1]. Fedora package announcements provide updates but the referenced pages are inaccessible due to bot protection [2][3].