Posted to user@guacamole.apache.org by "Ostrom, Erik" <er...@wsu.edu> on 2020/08/10 17:45:21 UTC

version question

Hi Guac users,

A colleague of mine sent over this article (https://threatpost.com/apache-guacamole-control-remote-footprint/157124/) talking about some CVEs that affected older versions of Apache Guacamole.

At the end of the article, there is a quote that puzzled me a bit:
Apache fixed all of these issues with the release of version 1.2.02 on June 28.
I wasn't aware of a 1.2.02 release...
The security reports page of the Apache Guacamole website (https://guacamole.apache.org/security/) mentions that the above article's CVEs have been "Fixed in Apache Guacamole 1.2.0". (emphasis mine, and no mention of 1.2.02)

In our environment, we run Docker instances of guacd and guacamole. Referencing the tags available for Guacamole on Docker Hub (https://hub.docker.com/r/guacamole/guacamole/tags), the latest versioned release I see is 1.2.0 (latest also points to 1.2.0, in case you were wondering). Looking at the logs from my systems, I see references to guacd starting version 1.2.0 as well.
Additionally, the Guacamole Releases page (https://guacamole.apache.org/releases/) lists the release date of 1.2.0 as 2020-06-28, the same date the article claims 1.2.02 was released.

Now getting to my actual questions:
Is there such a thing as 1.2.02? Are the images on Docker Hub just behind?
...or maybe this article is just incorrect in referencing that version?

Thanks,
Erik


______________________________________

Erik Ostrom
Systems Administrator
Voiland College of Engineering and Architecture
Washington State University

Office: WSU Tri-Cities CIC 225
email: erik.ostrom@wsu.edu
phone: (509) 335-4922

(Help me help you! Generate a support ticket by visiting support.vcea.wsu.edu/open.php, or by sending an email to support.vcea@wsu.edu)
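The checks Erik describes by hand (reading the guacd startup line, scanning the Docker Hub tag list, and comparing against the "Fixed in Apache Guacamole 1.2.0" note on the project's security page) can be scripted. The following is an added example, not code from the thread or from the Guacamole project; the log line format, the tag list and the advisory-to-version mapping are constructed for illustration, and only the two CVEs Mike cites are included. It parses versions numerically so that a malformed string like the article's "1.2.02" cannot be mistaken for 1.2.0.

```python
import re
from typing import List, Optional, Sequence, Tuple

Version = Tuple[int, int, int]

# Advisories Mike cites [2][3]; the fix version is what the project's security
# page states ("Fixed in Apache Guacamole 1.2.0"). No other entries are implied.
FIXED_IN = {
    "CVE-2020-9497": "1.2.0",
    "CVE-2020-9498": "1.2.0",
}

# Dotted version such as 1.2.0; a bare "1" or the tag "latest" does not match.
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")

# Constructed guacd startup lines (the real log wording may differ; only the
# text after "version" is relied upon).
SAMPLE_GUACD_LOG = [
    "guacd[1]: INFO: Guacamole proxy daemon (guacd) version 1.2.0 started",
    "guacd[1]: INFO: Listening on host 0.0.0.0, port 4822",
]

# Constructed Docker Hub tag list; "latest" carries no version information.
SAMPLE_DOCKER_TAGS = ["1.0.0", "1.1.0", "1.2.0", "latest"]


def parse_version(text: str) -> Optional[Version]:
    """First dotted version in `text` as (major, minor, patch), or None.

    Comparing numerically rather than as strings matters here: "1.2.02"
    (the article's typo) parses as (1, 2, 2), which is neither equal to
    nor older than 1.2.0, so it cannot be mistaken for the real release.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]  # pad "1.2" -> (1, 2, 0)
    return parts[0], parts[1], parts[2]


def version_from_guacd_log(lines: Sequence[str]) -> Optional[Version]:
    """Version guacd reported at startup, taken from the text after 'version'."""
    for line in lines:
        if "guacd" in line and "version" in line:
            found = parse_version(line.split("version", 1)[1])
            if found:
                return found
    return None


def newest_release_tag(tags: Sequence[str]) -> Optional[str]:
    """Highest numeric tag; non-numeric tags like 'latest' are ignored."""
    numeric = [(parse_version(t), t) for t in tags if parse_version(t)]
    return max(numeric)[1] if numeric else None


def release_exists(version_text: str, tags: Sequence[str]) -> bool:
    """True if some numeric tag equals `version_text` after numeric parsing."""
    wanted = parse_version(version_text)
    return wanted is not None and any(parse_version(t) == wanted for t in tags)


def unpatched_cves(running: Version) -> List[str]:
    """CVEs from FIXED_IN whose fix landed after the running version."""
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if running < parse_version(fixed))


if __name__ == "__main__":
    running = version_from_guacd_log(SAMPLE_GUACD_LOG)
    if running is not None:
        print("guacd reports:", running, "-> unpatched:", unpatched_cves(running))
    print("newest image tag:", newest_release_tag(SAMPLE_DOCKER_TAGS))
    print("1.2.02 published?", release_exists("1.2.02", SAMPLE_DOCKER_TAGS))
```

Against the constructed data the running guacd (1.2.0) has no unpatched entries, the newest tag is 1.2.0, and "1.2.02" is reported as not published, which is the conclusion Erik reached by hand.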


Re: version question

Posted by "Ostrom, Erik" <er...@wsu.edu>.
Thanks Mike.

I wasn't too concerned; I had read the CVEs, but I was more on the "better safe than sorry" bus.
Thanks for clarifying on the version. I'll let the author know about the typo.

Best,
Erik




Re: version question

Posted by Mike Jumper <mj...@apache.org>.
On Mon, Aug 10, 2020 at 10:45 AM Ostrom, Erik <er...@wsu.edu> wrote:

> Hi Guac users,
>
> A colleague of mine sent over this article (
> https://threatpost.com/apache-guacamole-control-remote-footprint/157124/) talking
> about some CVEs that affected older versions of Apache Guacamole. ... At
> the end of the article, there is a quote that puzzled me a bit:
>
> *Apache fixed all of these issues with the release of version 1.2.02 on
> June 28.*
>
> I wasn't aware of a 1.2.*02* release...
>

There is no such release, and that is presumably a typo in the article. The
latest release is 1.2.0.

I would also like to caution that there is quite a bit of sensationalism
within the third-party announcements/articles that I have seen circulating.
I suggest you read the raw descriptions of the issues provided by the
project [1], the CVSS analysis within NVD [2][3], etc. and consider the
degree of your own exposure/risk. There are also other third-party
announcements that take a more objective approach, like that published by
Pulse Secure [4] and by my day job (Glyptodon) [5].

Overall, there are two CVEs in question with respect to Apache Guacamole,
both of which have the following preconditions:

* Sufficient privileges to compromise an RDP server, replacing its standard
RDP service with a malicious service.
* A Guacamole user account that has already been granted access to that RDP
server by the Guacamole administrator.

If those conditions are met, and an attacker were successful, the attacker
could gain access equivalent to that of the Guacamole administrator (the
ability to direct guacd).

Considering the above from the opposite direction, this would not affect a
deployment where:

* Users do not have sufficient privileges to compromise their own remote
desktops or the remote desktops of others.
* Access to remote desktops that may be compromised is not granted by a
Guacamole administrator to other Guacamole users.

- Mike

[1] http://guacamole.apache.org/security/
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-9497
[3] https://nvd.nist.gov/vuln/detail/CVE-2020-9498
[4] https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44525
[5] https://enterprise.glyptodon.com/doc/latest/advisories-12813941.html
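Mike's two preconditions, and the two "not affected" conditions that mirror them, can be turned into an audit over a connection inventory: flag every grant whose target RDP host can be compromised by someone who is not already a Guacamole administrator. The following is an added example, not code from the thread or from the Guacamole project; the data model (Connection, Deployment, host_admins, guac_admins) is a hypothetical inventory constructed here and is not Guacamole's own schema, and the hosts and users are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Connection:
    name: str
    host: str  # the RDP server this connection points guacd at


@dataclass
class Deployment:
    connections: Dict[str, Connection]
    grants: Dict[str, Set[str]]       # Guacamole user -> connection names granted
    host_admins: Dict[str, Set[str]]  # host -> principals able to replace its RDP service
    guac_admins: Set[str]             # principals who already administer Guacamole


def risky_grants(d: Deployment) -> List[str]:
    """Grants where both of Mike's preconditions hold.

    A grant is flagged when the target host can be compromised by someone who
    is not already a Guacamole administrator (otherwise a successful attack is
    no privilege gain), regardless of whether that someone is the grantee or
    another user: a malicious RDP service is reached by whoever connects.
    """
    findings = []
    for user, conn_names in sorted(d.grants.items()):
        for cname in sorted(conn_names):
            host = d.connections[cname].host
            untrusted = d.host_admins.get(host, set()) - d.guac_admins
            if untrusted:
                findings.append(
                    f"{user} -> {cname} ({host}): compromisable by {sorted(untrusted)}"
                )
    return findings


# Constructed inventory; hostnames and users are placeholders.
SAMPLE = Deployment(
    connections={
        "lab-rdp": Connection("lab-rdp", "lab01.example.internal"),
        "prod-rdp": Connection("prod-rdp", "prod01.example.internal"),
    },
    grants={"alice": {"lab-rdp"}, "bob": {"lab-rdp", "prod-rdp"}},
    host_admins={
        "lab01.example.internal": {"alice"},   # a user who can admin her own desktop
        "prod01.example.internal": {"carol"},  # carol already administers Guacamole
    },
    guac_admins={"carol"},
)

if __name__ == "__main__":
    for finding in risky_grants(SAMPLE):
        print(finding)
```

On the sample inventory both grants to lab-rdp are flagged (alice can replace the RDP service on her own desktop, and bob's connection to it would reach the same malicious service), while bob's grant to prod-rdp is not, because the only person who can compromise prod01 is already a Guacamole administrator. That matches the second of Mike's "not affected" conditions: access to a compromisable desktop granted to other Guacamole users is what creates exposure.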