CVE-2020-9498
First published: Thu Jul 02 2020(Updated: )
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed with the privileges of therunning guacd process.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Guacamole | <=1.1.0 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44525
- https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r26fb170edebff842c74aacdb1333c1338f0e19e5ec7854d72e4680fc@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rff824b38ebd2fddc726b816f0e509696b83b9f78979d0cd021ca623b%40%3Cannounce.guacamole.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/11/msg00010.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TVV5K2X4EXSAVUUL7IJ3MUJ3ADWMVSBM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNS7UHBOFV6JHWH5XOEZTE3BREGRSSQ3/
- https://research.checkpoint.com/2020/apache-guacamole-rce/
- https://lists.apache.org/thread.html/r26fb170edebff842c74aacdb1333c1338f0e19e5ec7854d72e4680fc%40%3Cannounce.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TVV5K2X4EXSAVUUL7IJ3MUJ3ADWMVSBM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNS7UHBOFV6JHWH5XOEZTE3BREGRSSQ3/
- https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E
Frequently Asked Questions
What is Apache Guacamole 1.1.0 vulnerability (CVE-2020-9498)?
Apache Guacamole 1.1.0 and older versions may mishandle pointers involved in processing data received via RDP static virtual channels, which can lead to memory corruption and potentially allow arbitrary code execution.
How severe is the Apache Guacamole 1.1.0 vulnerability (CVE-2020-9498)?
The severity of the Apache Guacamole 1.1.0 vulnerability (CVE-2020-9498) is medium, with a severity value of 6.7.
Which software versions are affected by the Apache Guacamole 1.1.0 vulnerability (CVE-2020-9498)?
Apache Guacamole 1.1.0 and older versions are affected. Fedora 32 and 33, and Debian Linux 9.0 are also affected.
How can the Apache Guacamole 1.1.0 vulnerability (CVE-2020-9498) be exploited?
If a user connects to a malicious or compromised RDP server, a series of specially-crafted Protocol Data Units (PDUs) could result in memory corruption and potentially allow arbitrary code execution.
Is there a fix available for the Apache Guacamole 1.1.0 vulnerability (CVE-2020-9498)?
Yes, it is recommended to upgrade to a patched version of Apache Guacamole to mitigate the vulnerability. Please refer to the official references for further instructions.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/references
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- vendor/apache
- canonical/apache guacamole
- version/apache guacamole/1.1.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0