On Mon, Aug 10, 2020 at 10:45 AM Ostrom, Erik <erik.ost...@wsu.edu> wrote:
> Hi Guac users,
>
> A colleague of mine sent over this article (
> https://threatpost.com/apache-guacamole-control-remote-footprint/157124/) talking
> about some CVEs that affected older versions of Apache Guacamole. ... At
> the end of the article, there is a quote that puzzled me a bit:
>
> *Apache fixed all of these issues with the release of version 1.2.02 on
> June 28.*
>
> I wasn't aware of a 1.2.*02* release...
>

There is no such release, and that is presumably a typo in the article. The latest release is 1.2.0.

I would also like to caution that there is quite a bit of sensationalism within the third-party announcements/articles that I have seen circulating. I suggest you read the raw descriptions of the issues provided by the project [1], the CVSS analysis within NVD [2][3], etc. and consider the degree of your own exposure/risk. There are also other third-party announcements that take a more objective approach, like that published by Pulse Secure [4] and by my day job (Glyptodon) [5].

Overall, there are two CVEs in question with respect to Apache Guacamole, both of which have the following preconditions:

* Sufficient privileges to compromise an RDP server, replacing its standard RDP service with a malicious service.
* A Guacamole user account that has already been granted access to that RDP server by the Guacamole administrator.

If those conditions are met, and an attacker were successful, the attacker could gain access equivalent to that of the Guacamole administrator (the ability to direct guacd).

Considering the above from the opposite direction, this would not affect a deployment where:

* Users do not have sufficient privileges to compromise their own remote desktops or the remote desktops of others.
* Access to remote desktops that may be compromised is not granted by a Guacamole administrator to other Guacamole users.

- Mike

[1] http://guacamole.apache.org/security/
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-9497
[3] https://nvd.nist.gov/vuln/detail/CVE-2020-9498
[4] https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44525
[5] https://enterprise.glyptodon.com/doc/latest/advisories-12813941.html