SmartStateIndia
Case Studies Solutions

Hole-y Guacamole! Fixing critical vulnerabilities in Apache’s popular remote desktop gateway.

Just a few short months ago, for most of us the daily working routine involved going to the
office and working on the corporate computers, or plugging our laptops directly into the
corporate network. Once in a while, we’d need special access to the network while
working remotely, either via a VPN or using one of the many tools for remote connectivity.
But as we all know, we’re now in the ‘new normal’ post-Covid-19, with many doing the
majority of their work from home. And Check Point is no exception.

The initial preparation for transferring our 5000-plus employees to remote work began
mid-February 2020, during the early signs that the virus was starting to spread globally.
During this preparation process, explains Jonathan Fischbein, CISO at Check Point ,
the first step was to reassess the IT solutions that were intended to allow employees to
safely connect to the corporate network remotely, simultaneously and seamlessly. It
was critical that enabling mass remote working did not introduce any new vulnerabilities
or increase Check Point’s overall network attack surface.

“We chose two different remote access solutions, so in the event of one failing, we would
have redundancy and an alternative to enable work to continue,” says Fischbein, “One of
the solutions was based on open-source Apache Guacamole, the popular clientless
remote desktop gateway that supports standard protocols like VNC, RDP, and SSH,
together with MFA (Multi Factor Authentication), compliance checks on the BYOD side,
and several security controls like IPS, SOC anomaly detections and many more.

“However, the critical part of the solution which I was not certain about was the open-
source Guacamole Server. I needed to make sure that this open source solution was
secure enough to meet our security requirements and standards while enabling staff to
work effectively. So before we rolled the solution out, we started to investigate its
security..”


While Apache Guacamole is popular, with over 10 million of its docker downloads
worldwide, Check Point’s researchers found that some of Guacamole’s ingredients didn’t
meet the required security standards. In particular, it was vulnerable to several critical
Reverse RDP Vulnerabilities, and affected by multiple new vulnerabilities found in
FreeRDP. In particular, all versions of Guacamole that were released before January
2020 are using vulnerable versions of FreeRDP.

These vulnerabilities would allow an attacker, or any threat actor who successfully
compromises a computer inside the organization, to attack back via the Guacamole
gateway when an unsuspecting worker connect to his infected machine. This allows a
malicious actor to achieve full control over the Guacamole server, and to intercept and
control all other connected sessions.

Our research examined 2 attack vectors:
● Reverse Attack Scenario: A compromised machine inside the corporate network
will leverage the incoming benign connection and attack back via the gateway,
aiming to take it over .
● Malicious Worker Scenario: A malicious employee, together with his malicious
computer inside the network, can leverage his hold on both ends of the connection in
order to take over the gateway

“After our researchers discovered the vulnerability and notified me and the Apache team,”
says Fischbein, “We collaborated and simulated a POC on our staging environment to
apply the patch. Within 24 hours from the finding and testing, we implemented the security
fix and became the first production environment to be secured against this security
vulnerability thus ensuring that our employees can safely connect remotely”.

Disclosure and fix
Check Point disclosed the vulnerabilities to Apache & FreeRDP.
Apache patched the vulnerabilities and issued 2 CVE-IDs to the reported vulnerabilities.

Conclusion
While the global transition to remote work is a necessity in these tough times of the
coronavirus pandemic, and will continue to be present as we move to the post-corona
world, we should not neglect the security implications of such remote connections. Using
Apache Guacamole as our subject for this research, we were able to successfully
demonstrate how a compromised computer inside the organization could be used to take
over the gateway that handles all of the remote sessions into the network. Once in control
of the gateway, an attacker can eavesdrop all incoming sessions, record all the user
credentials, and even start new sessions to control the rest of the computers within the
organization. When most of the organization is working remotely, this foothold is equivalent
to a full control over the entire organizational network.

We strongly recommend organizations to make sure that their servers are up-to-date, and
that the technology they use for remote working is fully equipped with the appropriate
technology to block such attack attempts.

Check Point’s IPS blade provides protection against this threat.

Related posts

5 tips to create a safer, better-connected Live-from-Home environment

SSI Bureau

ATEN Launches Variants of High Quality Streaming Solutions

SSI Bureau

Vertiv Launches Secure KVM with Multi-Screen Display for Government and Other Critical Applications

SSI Bureau

Leave a Comment

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More