guacamole-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Jumper <mjum...@apache.org>
Subject [SECURITY] CVE-2020-9498: Apache Guacamole: Dangling pointer in RDP static virtual channel handling
Date Thu, 02 Jul 2020 03:15:07 GMT
CVE-2020-9498: Dangling pointer in RDP static virtual channel handling

Versions affected:
Apache Guacamole 1.1.0 and earlier

Description:
Apache Guacamole 1.1.0 and older may mishandle pointers involved in
processing data received via RDP static virtual channels. If a user
connects to a malicious or compromised RDP server, a series of
specially-crafted PDUs could result in memory corruption, possibly
allowing arbitrary code to be executed with the privileges of the
running guacd process.

Mitigation:
Users of versions of Apache Guacamole 1.1.0 and older that provide
access to untrusted RDP servers should upgrade to 1.2.0.

Credit:
We would like to thank Eyal Itkin (Check Point Research) for reporting
this issue.

---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe@guacamole.apache.org
For additional commands, e-mail: announce-help@guacamole.apache.org


Mime
View raw message