Hole-y Guacamole! Fixing critical vulnerabilities in Apache’s popular remote desktop gateway

Overview

Just a few short months ago, for most of us the daily working routine involved going to the office and working on the corporate computers, or plugging our laptops directly into the corporate network. Once in a while, we’d need special access to the network while working remotely, either via a VPN or using one of the many tools for remote connectivity.

But as we all know, we’re now in the ‘new normal’ post-Covid-19, with many doing the majority of their work from home. And Check Point is no exception.

The initial preparation for transferring our 5000-plus employees to remote work began mid-February 2020, during the early signs that the virus was starting to spread globally.  During this preparation process, explains Jonathan Fischbein, CISO at Check Point     , the first step was to reassess the IT solutions that were intended to allow employees to safely connect      to the corporate network remotely, simultaneously and seamlessly. It was critical that enabling mass remote working did not introduce any new vulnerabilities or increase Check Point’s overall network attack surface.

“We chose two different remote access solutions, so in the event of one failing, we would have redundancy and an alternative to enable work to continue,” says Fischbein, “One of the solutions was based on open-source Apache Guacamole, the popular clientless remote desktop gateway that supports standard protocols like VNC, RDP, and SSH, together with MFA (Multi Factor Authentication), compliance checks on the BYOD side, and several security controls like IPS, SOC anomaly detections and many more.

“However, the critical part  of the solution which I was not certain about was the open-     source Guacamole Server. I needed to make sure that this open source solution      was secure enough to meet our security requirements and standards while enabling staff to work effectively. So before we rolled the solution out, we started to investigate its security..”

While Apache Guacamole is popular, with over 10 million of its docker downloads worldwide, Check Point’s researchers found that some of Guacamole’s ingredients didn’t meet the required security standards. In particular, it was      vulnerable to several critical Reverse RDP Vulnerabilities , and affected by multiple new vulnerabilities found in FreeRDP .  In particular, all versions of Guacamole that were released before January 2020 are using vulnerable versions of FreeRDP.

These vulnerabilities would allow an attacker, or any threat actor who      successfully compromises a computer inside the organization, to attack back via the Guacamole gateway when an unsuspecting worker connect to his infected machine. This allows a malicious actor to achieve full control over the Guacamole      server, and to intercept and control all other connected sessions.

Our research examined 2 attack vectors:

• Reverse Attack Scenario : A compromised machine inside the corporate network will leverage the incoming benign connection and attack back via the gateway, aiming to take it over .
• Malicious Worker Scenario : A malicious employee, together with his malicious computer inside the network, can leverage his hold on both ends of the connection in order to take over the gateway

“After our researchers discovered the vulnerability and notified me and the Apache team,” says Fischbein, “We collaborated and simulated a POC on our staging environment to apply the patch. Within 24 hours from the finding and testing, we implemented the security fix and became the first production environment to be secured against this security vulnerability thus ensuring that our employees can safely connect remotely”.

Disclosure and fix

Check Point disclosed the vulnerabilities to Apache & FreeRDP.

Apache patched the vulnerabilities and issued 2 CVE-IDs to the reported vulnerabilities.

Conclusion

While the global transition to remote work is a necessity in these tough times of the coronavirus pandemic, and will continue to be present as we move to thepost -c orona world, we should not neglect the security implications of such remote connections. Using Apache Guacamole as our subject for this research, we were able to successfully demonstrate how a compromised computer inside the organization could be used to take over the gateway that handles all of the remote sessions into the network. Once in control of the gateway, an attacker can eavesdrop all incoming sessions, record all the user      credentials, and even start new sessions to control the rest of the computers within the organization. When most of the organization is working remotely, this foothold is equivalent to a full control over the entire organizational network.

We strongly recommend organizations to make sure that their servers are up-to-date, and           that the technology they use for remote working is fully equipped with the appropriate technology toblock such attack attempts.

Check Point’s IPS blade provides protection against this threat.

For full research read: http://research.checkpoint.com/guacamole