Date: Wed, 1 Jul 2020 20:15:07 -0700 From: Mike Jumper <mjumper@...che.org> To: announce@...che.org, announce@...camole.apache.org, dev@...camole.apache.org, user@...camole.apache.org Cc: security@...camole.apache.org, oss-security@...ts.openwall.com Subject: [SECURITY] CVE-2020-9498: Apache Guacamole: Dangling pointer in RDP static virtual channel handling CVE-2020-9498: Dangling pointer in RDP static virtual channel handling Versions affected: Apache Guacamole 1.1.0 and earlier Description: Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process. Mitigation: Users of versions of Apache Guacamole 1.1.0 and older that provide access to untrusted RDP servers should upgrade to 1.2.0. Credit: We would like to thank Eyal Itkin (Check Point Research) for reporting this issue.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.