guacamole-user mailing list archives

From Mike Jumper <mike.jum...@guac-dev.org>
Subject Re: Security Vulnerabilities?
Date Wed, 14 Dec 2016 19:47:05 GMT
On Wed, Dec 14, 2016 at 10:27 AM, Ray Jantz <ray.jantz@gmail.com> wrote:
> Hi,
>
> I need to persuade a sys admin that guacamole is secure enough to deploy in
> an enterprise.

That is exactly Guacamole's intended use.

> Security is not one of my strong points, so I'm wondering if
> anyone can comment on this subject and maybe offer some talking points I can
> use?
>

We do have code review processes in place intended to prevent this
sort of thing, as well as automated static analysis scans via CI.
There are no current known vulnerabilities. Historically, there have
been two reported vulnerabilities, both of which were fixed:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4415
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1566 (see
https://glyptodon.org/jira/browse/GUAC-1465)

In general, I would argue that the architecture of Guacamole actually
serves to increase the security of a remote desktop deployment. Its
nature as a gateway reduces overall attack surface, with all traffic
routed through an authentication layer and strong encryption (assuming
you set up proper SSL/TLS, of course). That gateway aspect also allows
admins to more tightly control which remote desktops can and cannot be
accessed by authorized users, rather than exposing access to an entire
subnet of remote desktops via VPN, for example.

Thanks,

- Mike
