Posted to dev@guacamole.apache.org by Murat BÜLBÜL <1m...@gmail.com> on 2020/07/07 07:20:53 UTC

Critical Apache Guacamole Flaws

Dear all,

Is there any additional patch for this flaw? Does Guacamole 1.2.0 already
cover this?

https://thehackernews.com/2020/07/apache-guacamole-hacking.html

Best Regards
-- 
Murat BÜLBÜL
Presales Engineer

Re: Critical Apache Guacamole Flaws

Posted by Mike Jumper <mj...@apache.org>.
On Tue, Jul 7, 2020 at 12:21 AM Murat BÜLBÜL <1m...@gmail.com>
wrote:

> Dear all,
>
> Is there any additional patch for this flaw? Does Guacamole 1.2.0 already
> cover this?
>

This was already fixed as part of 1.2.0 at the time of its release, yes.
You can see a list of the Guacamole project's own advisories, including the
versions containing the fixes for the issues listed, here:
http://guacamole.apache.org/security/

I would caution that there is quite a bit of sensationalism within the
third-party announcements that I have seen circulating. I suggest you read
the raw descriptions of the issues provided by the project and consider the
degree of your own exposure/risk.

Both of the issues in question have the following preconditions:

* Sufficient privileges to compromise an RDP server, replacing its standard
RDP service with a malicious service.
* A Guacamole user account that has been granted access to that RDP server
by the Guacamole administrator.

If those conditions are met, and an attacker were successful, the attacker
could gain access equivalent to that of the Guacamole administrator (the
ability to direct guacd).

Looking at the above from the opposite direction, this would not affect a
deployment where:

* Users do not have sufficient privileges to compromise their own remote
desktops or the remote desktops of others.
* Access to remote desktops that may be compromised is not granted by a
Guacamole administrator to other Guacamole users.

- Mike