Thanks Mike. I wasn't too concerned, I had read the CVEs but I was more on the "better safe than sorry" bus. Thanks for clarifying on the version. I'll let the author know about the typo.
Best,
Erik

________________________________
From: Mike Jumper <[email protected]>
Sent: Monday, August 10, 2020 11:13:02 AM
To: [email protected] <[email protected]>
Subject: Re: version question

On Mon, Aug 10, 2020 at 10:45 AM Ostrom, Erik <[email protected]> wrote:

> Hi Guac users,
>
> A colleague of mine sent over this article (https://threatpost.com/apache-guacamole-control-remote-footprint/157124/) talking about some CVEs that affected older versions of Apache Guacamole.
> ...
> At the end of the article, there is a quote that puzzled me a bit:
>
> Apache fixed all of these issues with the release of version 1.2.02 on June 28.
>
> I wasn't aware of a 1.2.02 release...

There is no such release, and that is presumably a typo in the article. The latest release is 1.2.0.

I would also like to caution that there is quite a bit of sensationalism within the third-party announcements/articles that I have seen circulating. I suggest you read the raw descriptions of the issues provided by the project [1], the CVSS analysis within NVD [2][3], etc. and consider the degree of your own exposure/risk. There are also other third-party announcements that take a more objective approach, like that published by Pulse Secure [4] and by my day job (Glyptodon) [5].

Overall, there are two CVEs in question with respect to Apache Guacamole, both of which have the following preconditions:

* Sufficient privileges to compromise an RDP server, replacing its standard RDP service with a malicious service.
* A Guacamole user account that has already been granted access to that RDP server by the Guacamole administrator.

If those conditions are met, and an attacker were successful, the attacker could gain access equivalent to that of the Guacamole administrator (the ability to direct guacd).

Considering the above from the opposite direction, this would not affect a deployment where:

* Users do not have sufficient privileges to compromise their own remote desktops or the remote desktops of others.
* Access to remote desktops that may be compromised is not granted by a Guacamole administrator to other Guacamole users.

- Mike

[1] http://guacamole.apache.org/security/
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-9497
[3] https://nvd.nist.gov/vuln/detail/CVE-2020-9498
[4] https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44525
[5] https://enterprise.glyptodon.com/doc/latest/advisories-12813941.html
