CVE-2020-9498: Dangling pointer in RDP static virtual channel handling Versions affected: Apache Guacamole 1.1.0 and earlier
Description: Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process. Mitigation: Users of versions of Apache Guacamole 1.1.0 and older that provide access to untrusted RDP servers should upgrade to 1.2.0. Credit: We would like to thank Eyal Itkin (Check Point Research) for reporting this issue.