Per von Zweigbergk created GUACAMOLE-2291:
---------------------------------------------

             Summary: TOFU for RDP certificates not persisted when running 
guacd in Docker in its default config
                 Key: GUACAMOLE-2291
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2291
             Project: Guacamole
          Issue Type: Bug
          Components: guacamole-docker
            Reporter: Per von Zweigbergk


I would like to bring to attention a potential security vulnerability in guacd, 
when deployed in Docker in accordance with official instructions.

The [Installing Guacamole with 
Docker|https://guacamole.apache.org/doc/gug/guacamole-docker.html] page 
documents how to run guacd. To summarize, it expects you to run guacd and not 
perform any mounts or attach any volumes, effectively treating guacd as a 
stateless application.

Unfortunately, this isn’t exactly true when running guacd in an environment 
that uses RDP connections and uses the cert-tofu option. In this mode, guacd 
will perform TOFU (Trust On First Use) certificate validation when connecting 
to the backend RDP server. It appears that this is stored as a flat file in the 
path /home/guacd/.config/freerdp/known_hosts2 inside the Docker container. (It 
is very similar in concept to the “known_hosts” file used by OpenSSH.) This 
means that the file ends up only being stored inside of the container itself, 
and it not persisted if the container is re-created.

The risk here is that, if the guacd container is re-deployed for any reason, 
such as a software upgrade, either of guacd itself, or updating the container 
image to update any dependencies, the known_hosts2 file will be non-existent or 
empty, which means that there is an opportunity for a MITM attack to happen if 
an attacker is in the position to redirect the connection to the back-end RDP 
server. This could lead to compromise of user credentials, session hijacking, 
session sniffing, etc.

There are a few possible approaches here:
 # The Docker container documentation could be updated to support mounting 
/home/guacd/.config/freerdp/known_hosts2 as a volume or similar, in order for 
this to persist across container re-deployment.
 # The known_hosts2 file could be backed up by guacamole-server and persisted 
in the postgres database.
 # Guacd running in the docker container, or an appropriate startup script, 
could try to detect if the known_hosts2 is externally mounted or not (perhaps 
by checking mtab), and throw up a warning or an error message if it’s not 
connected to an external volume.

Since this is issue has security implications, including a MITM risk, I 
initially raised this to the private security e-mail list, and I received the 
following response from Nick Couchman:
{quote}Per,

Thanks for raising this issue with security implications privately to the 
security@ list. We appreciate your following responsible disclosure practices 
for this.

 

I definitely see your point, here, and agree that the documentation should be 
updated to document the potential of mounting a FreeRDP known_hosts2 (and 
possibly equivalent files for SSH) so that those known identities persist 
across updates of containers. It may also be worth just putting some stronger 
overall warnings on the TOFU method of certificate/identity trust. This isn't 
necessarily a Guacamole-specific issue - any situation where you have the 
potential to wipe out a known_hosts file and have to start from scratch 
represents a risk that you'll end up connecting to a host that isn't the one 
you think it is. It may be easier in a containerized environment as with guacd, 
but certainly is not limited to it.

 

Finally, in order for an attacker to use this to compromise a system, they 
would either have to time things just right, knowing the timing of a swap of 
the container, they'd have to have some knowledge of the system(s) to which the 
users are connecting, and they'd have to be able to effectively redirect the 
guacd instance to a MITM system. Certainly these things are _possible_, it just 
becomes very difficult to line up all the required pieces in a window without 
raising suspicion and have several things fall perfectly into place.

 

Overall, I'd say it is safe to just open a Jira issue for the changes and then 
open a pull request against the manual to update the dumentation.

 

-Nick
{quote}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to