Check Point researchers find security flaws in one of the world’s most popular IT infrastructures for remote work. Through the vulnerabilities, threat actors could eavesdrop on remote sessions, record credentials used, and control computers within the organization.
· Vulnerabilities found in Apache Guacamole, a free and open-source software with over 10 million downloads
· Two attack vectors, which researchers say lead to “full control over the entire organizational network”
· Security flaws now fixed; researchers urge organizations everywhere to update their corporate servers now
Researchers at Check Point identified security flaws in Apache Guacamole, one of the world’s most popular IT infrastructures for remote work. With over 10 million downloads, the free and open-source software enables remote workers to access their company’s computer network from anywhere, using only a web browser. Apache Guacamole runs on many devices, including mobile phones and tablets, giving remote workers “constant, world-wide, unfettered access to your computers”, according to the software’s creators.
Eyal Itkin, a Vulnerability Researcher at Check Point, demonstrated that a threat actor with access to a computer inside an organization can execute a Reverse RDP attack, an attack in which a remote PC infected with certain malware takes over a client that tries to connect to it. In this case, the Reverse RDP attack would enable a threat actor to take control of the Apache Guacamole gateway that handles all of the remote sessions in a network.
Once in control of the gateway, an attacker could eavesdrop on all incoming sessions, record all the credentials used, and even control other sessions within the organization. Check Point researchers say this foothold is equivalent to gaining full control over the entire organizational network.
Two Attack Vectors
Check Point researchers classified their findings into two attack vectors:
· Reverse Attack Scenario: A compromised machine inside the corporate network leverages the incoming benign connection to attack the Apache gateway, aiming to take it over.
· Malicious Worker Scenario: A rogue employee uses a computer inside the network, leveraging their hold on both ends of the connection to take control of the gateway.
Quote: Omri Herscovici, Vulnerability Research Team Leader at Check Point:
“While the global transition to remote work is a necessity in these trying times, we should not neglect the security implications of such remote connections, especially as we enter the post-corona era. This research demonstrates how a quick change in the social landscape directly affects what attackers might focus their efforts on. In this case, it’s remote work. The fact that more and more companies have externalized many internally-used services to the outside world opens a number of new potential attack surfaces for threat actors. I strongly urge companies and organizations to keep their servers up-to-date to protect their remote workforces.”
Responsible Disclosure:
Check Point Research responsibly disclosed its findings to Apache, the maintainers of Guacamole, on March 31. Apache released a patched version in June 2020.