[ 
https://issues.apache.org/jira/browse/GUACAMOLE-2291?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nick Couchman updated GUACAMOLE-2291:
-------------------------------------
    Component/s: Documentation
                     (was: guacamole-docker)

> TOFU for RDP certificates not persisted when running guacd in Docker in its 
> default config
> ------------------------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-2291
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2291
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: Documentation
>            Reporter: Per von Zweigbergk
>            Priority: Major
>
> I would like to bring to attention a potential security vulnerability in 
> guacd, when deployed in Docker in accordance with official instructions.
> The [Installing Guacamole with 
> Docker|https://guacamole.apache.org/doc/gug/guacamole-docker.html] page 
> documents how to run guacd. To summarize, it expects you to run guacd and not 
> perform any mounts or attach any volumes, effectively treating guacd as a 
> stateless application.
> Unfortunately, this isn’t exactly true when running guacd in an environment 
> that uses RDP connections and uses the cert-tofu option. In this mode, guacd 
> will perform TOFU (Trust On First Use) certificate validation when connecting 
> to the backend RDP server. It appears that this is stored as a flat file in 
> the path /home/guacd/.config/freerdp/known_hosts2 inside the Docker 
> container. (It is very similar in concept to the “known_hosts” file used by 
> OpenSSH.) This means that the file ends up only being stored inside of the 
> container itself, and it not persisted if the container is re-created.
> The risk here is that, if the guacd container is re-deployed for any reason, 
> such as a software upgrade, either of guacd itself, or updating the container 
> image to update any dependencies, the known_hosts2 file will be non-existent 
> or empty, which means that there is an opportunity for a MITM attack to 
> happen if an attacker is in the position to redirect the connection to the 
> back-end RDP server. This could lead to compromise of user credentials, 
> session hijacking, session sniffing, etc.
> There are a few possible approaches here:
>  # The Docker container documentation could be updated to support mounting 
> /home/guacd/.config/freerdp/known_hosts2 as a volume or similar, in order for 
> this to persist across container re-deployment.
>  # The known_hosts2 file could be backed up by guacamole-server and persisted 
> in the postgres database.
>  # Guacd running in the docker container, or an appropriate startup script, 
> could try to detect if the known_hosts2 is externally mounted or not (perhaps 
> by checking mtab), and throw up a warning or an error message if it’s not 
> connected to an external volume.
> Since this is issue has security implications, including a MITM risk, I 
> initially raised this to the private security e-mail list, and I received the 
> following response from Nick Couchman:
> {quote}Per,
> Thanks for raising this issue with security implications privately to the 
> security@ list. We appreciate your following responsible disclosure practices 
> for this.
>  
> I definitely see your point, here, and agree that the documentation should be 
> updated to document the potential of mounting a FreeRDP known_hosts2 (and 
> possibly equivalent files for SSH) so that those known identities persist 
> across updates of containers. It may also be worth just putting some stronger 
> overall warnings on the TOFU method of certificate/identity trust. This isn't 
> necessarily a Guacamole-specific issue - any situation where you have the 
> potential to wipe out a known_hosts file and have to start from scratch 
> represents a risk that you'll end up connecting to a host that isn't the one 
> you think it is. It may be easier in a containerized environment as with 
> guacd, but certainly is not limited to it.
>  
> Finally, in order for an attacker to use this to compromise a system, they 
> would either have to time things just right, knowing the timing of a swap of 
> the container, they'd have to have some knowledge of the system(s) to which 
> the users are connecting, and they'd have to be able to effectively redirect 
> the guacd instance to a MITM system. Certainly these things are _possible_, 
> it just becomes very difficult to line up all the required pieces in a window 
> without raising suspicion and have several things fall perfectly into place.
>  
> Overall, I'd say it is safe to just open a Jira issue for the changes and 
> then open a pull request against the manual to update the dumentation.
>  
> -Nick
> {quote}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to