Check Point Uncovers Apache Guacamole Security Flaws

Check Point Software Technologies researchers have found Apache Guacamole security flaws that could threaten remote work.

Apache Guacamole is free open-source software. It has more than 10 million downloads. The software allows remote workers to access their company’s computer network from anywhere using only a web browser.

Through the Apache Guacamole security flaws, threat actors could eavesdrop on remote sessions. They could also record credentials used and control computers within the organization.

Apache Guacamole runs on many devices, including mobile phones and tablets.

Potential Damage from Apache Guacamole Security Flaws

Omri Herscovici is team leader for Check Point‘s vulnerability research team. He said the damage malicious hackers can inflict includes any of the imaginable categories that apply when compromising a machine. Those include stealing personal information or installing ransomware.

Check Point’s Omri Herscovici

“However, in this case it gets much worse because the infrastructure at hand doesn’t just give the attacker control over the specific machine; rather, it allows them to do lateral movement inside the network, meaning expanding their foothold to other computers of the organization,” he said. “So the potential damage multiplies.”

A threat actor with access to a computer inside an organization can execute a Reverse RDP attack. In this attack, a remote PC infected with certain malware takes over a client that tries to connect to it.

A Reverse RDP attack enables someone to take control of the Apache Guacamole gateway that handles a network’s remote sessions. Once in control of the gateway, the attacker could eavesdrop on all incoming sessions. They could also record all of the credentials used, and even control other sessions within the organization.

Check Point researchers say this foothold is equivalent to gaining full control over the entire organizational network.

Check Point researchers classified their findings into two attack vectors:

• Reverse attack scenario: A compromised machine inside the corporate network leverages the incoming benign connection to attack the Apache Guacamole gateway, aiming to take it over.
• Malicious worker scenario: A rogue employee uses a computer inside the network to leverage his/her hold on both ends of the connection and take control of the gateway.

Pandemic Increases Danger

“While the global transition to remote work is a necessity in these trying times, we should not neglect the security implications of such remote connections, especially as we enter the post-[COVID-19] era,” Herscovici said. “This research demonstrates how a quick change in the social landscape directly affects what attackers might focus their efforts on. In this case, it’s remote work. The fact that more and more companies have externalized many internally used services to the outside world opens a number of new potential attack surfaces for threat actors. I strongly urge companies and organizations to keep their servers up to date to protect their remote workforces.”

The security flaws are now fixed, but others could pop up that once again increase the threat, Herscovici said.

“Our inspection of this project was time-constrained, and what we found was immediately reported to the developers of the software. New vulnerabilities can always come up, and the maintainers of the project should always be actively looking for them,” he said.

Given the nature of cybersecurity, being a cat-and-mouse game, organizations should always be aware of potentially using old vulnerable versions of various software, Herscovici said.

“The first thing they should do right now is update the version of Apache Guacamole to its newest patched version. At Check Point Research, we believe that cybersecurity teams should be constantly auditing the programs used online in order to find bugs before the bad guys find them,” he said. “Finding vulnerabilities and responsibly disclosing them might assist defenders to be one step ahead of the attackers.”