Security Experts:

Connect with us

Hi, what are you looking for?



Apache Guacamole Vulnerabilities Facilitate Attacks on Enterprises

Remote code execution and information disclosure vulnerabilities addressed in Apache Guacamole can be highly useful to threat actors targeting enterprises, Check Point security researchers warn.

Remote code execution and information disclosure vulnerabilities addressed in Apache Guacamole can be highly useful to threat actors targeting enterprises, Check Point security researchers warn.

An open-source remote desktop gateway, Apache Guacamole is an HTML5 web application that can be used on a broad range of devices, straight from the web browser. One of the most prominent remote access tools on the market, it is also embedded in various network accessibility and security solutions.

Guacamole includes support for protocols such as VNC, RDP, and SSH, and allows employees to access corporate computers from remote locations using only the browser. The connection, however, goes through the guacamole-server, which handles communications between the user and the target computer.

While investigating the solution, Check Point’s researchers discovered vulnerabilities that could be exploited via a compromised machine within the enterprise’s environment to take over the gateway and control the communications.

Based on the previous discovery of vulnerabilities in FreeRDP, the security researchers identified two issues in Apache Guacamole iterations that do not implement the available patches for FreeRDP. They also devised an attack that could essentially provide remote code execution capabilities.

Tracked as CVE-2020-9497 and CVE-2020-9498, the flaws are information disclosure (a collection of three bugs) and use-after-free issues, respectively.

By leveraging both vulnerabilities, Check Point’s researchers were able to implement a remote code execution (RCE) exploit allowing for a malicious corporate computer that acts as an RDP server to take control of the guacd process when the user requests to connect to an infected machine.

The researchers, who also published a video demonstrating the attack, were then able to escalate privileges (the guacd process runs with low privileges) to take over the entire gateway. In a real-life attack, that would eventually allow an adversary not only to eavesdrop on all of the connections in the gateway, but also to control the entire network.

“Using Apache Guacamole as our example target, we were able to successfully demonstrate how a compromised computer inside the organization can be used to take control of the gateway that handles all of the remote sessions into the network. Once in control of the gateway, an attacker can eavesdrop on all incoming sessions, record all the credentials used, and even start new sessions to control the rest of the computers within the organization,” Check Point notes.

The vulnerabilities were reported to Apache on March 31, silent patches were pushed in early May, and final patches were released on June 28, in Guacamole version 1.2.0.

Related: Hackers Scanning for Apache Tomcat Servers Vulnerable to Ghostcat Attacks

Related: COVID-19 Lockdown Fuels Increase in RDP Attacks

Related: Organizations Warned of Dual Threat Posed by RDP and Disruptive Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.