Vulnerability   
Search   
    Search 191973 CVE descriptions
and 86218 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.892435
Category:Debian Local Security Checks
Title:Debian LTS: Security Advisory for guacamole-server (DLA-2435-1)
Summary:The remote host is missing an update for the 'guacamole-server'; package(s) announced via the DLA-2435-1 advisory.
Description:Summary:
The remote host is missing an update for the 'guacamole-server'
package(s) announced via the DLA-2435-1 advisory.

Vulnerability Insight:
The server component of Apache Guacamole, a remote desktop gateway,
did not properly validate data received from RDP servers. This could
result
in information disclosure or even the execution of arbitrary code.

CVE-2020-9497

Apache Guacamole does not properly validate data received from RDP
servers via static virtual channels. If a user connects to a
malicious or compromised RDP server, specially-crafted PDUs could
result in disclosure of information within the memory of the guacd
process handling the connection.

CVE-2020-9498

Apache Guacamole may mishandle pointers involved in processing data
received via RDP static virtual channels. If a user connects to a
malicious or compromised RDP server, a series of specially-crafted
PDUs could result in memory corruption, possibly allowing arbitrary
code to be executed with the privileges of the running guacd
process.

Affected Software/OS:
'guacamole-server' package(s) on Debian Linux.

Solution:
For Debian 9 stretch, these problems have been fixed in version
0.9.9-2+deb9u1.

We recommend that you upgrade your guacamole-server packages.

CVSS Score:
6.2

CVSS Vector:
AV:L/AC:H/Au:N/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2020-9497
https://research.checkpoint.com/2020/apache-guacamole-rce/
https://lists.apache.org/thread.html/r65f75d3d65d1af68141f42071ebb27dda24af3e45570e593c1dbd81f%40%3Cannounce.guacamole.apache.org%3E
https://lists.apache.org/thread.html/r3f071de70ea1facd3601e0fa894e6cadc960627ee7199437b5a56f7f@%3Cannounce.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/11/msg00010.html
https://lists.apache.org/thread.html/r181b1d5b1acb31cfa69f41b2c86ed3a2cb0b5bc09c2cbd31e9e7c847@%3Cuser.guacamole.apache.org%3E
https://lists.apache.org/thread.html/r066543f0565e97b27c0dfe27e93e8a387b99e1e35764000224ed96e7@%3Cuser.guacamole.apache.org%3E
Common Vulnerability Exposure (CVE) ID: CVE-2020-9498
https://lists.apache.org/thread.html/rff824b38ebd2fddc726b816f0e509696b83b9f78979d0cd021ca623b%40%3Cannounce.guacamole.apache.org%3E
https://lists.apache.org/thread.html/r26fb170edebff842c74aacdb1333c1338f0e19e5ec7854d72e4680fc@%3Cannounce.apache.org%3E
CopyrightCopyright (C) 2020 Greenbone Networks GmbH

This is only one of 86218 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2020 E-Soft Inc. All rights reserved.