Combined security vulnerabilities create remote code execution risk

Security researchers at Check Point have discovered critical vulnerabilities in Apache Guacamole, a popular remote desktop application.

Critical Reverse RDP (Remote Desktop Protocol) vulnerabilities in the Apache Guacamole gateway combine to create a remote code execution risk.

If exploited, attackers could hijack the sessions of all the workers at a targeted organization, as illustrated in a demonstration video.



Apache Guacamole is also affected by vulnerabilities found in FreeRDP, the focus of an earlier research effort by Check Point, as well as some lesser information disclosure flaws.

“These vulnerabilities allow an attacker, who has already successfully compromised a computer inside the organization, to launch an attack on the Guacamole gateway when an unsuspecting worker tries to connect to an infected machine,” a technical blog post warns.

“The malicious actor can then achieve full control over the guacamole-server, and intercept and control all other connected sessions.”

Check Point adds: “When most of the organization is working remotely, this foothold is equivalent to gaining full control over the entire organizational network.”

Silent update

Apache Guacamole has clocked up more than 10 million docker downloads worldwide.

Many network accessibility and security products (including Jumpserver Fortress, Quali, and Fortigate) bundle Apache Guacamole inside their own services.

Check Point researchers uncovered flaws in the product in the process of running a security audit on the technology. The security vendor reported the problems to the Apache Foundation at the end of March.


Read more of the latest open source software security news


Apache patched the vulnerabilities in a silent commit pushed to its GitHub in May. It released an official patched version of Apache Guacamole, version 1.2.0, at the end of June.

That isn’t the end of the story when it comes to security triage, however.

Eyal Itkin, a security vulnerability researcher at Check Point, told The Daily Swig: “Multiple VPNs, PAM solutions, and Bastions are based on Apache Guacamole.

“We contacted many of the vendors in advance and now system admins should be aware of this risk and make sure the products they use are patched as well,” he added.


RECOMMENDED Azure DevOps account takeover hack earns $3,000 bug bounty