Date: Wed, 1 Jul 2020 20:15:07 -0700
From: Mike Jumper <mjumper@...che.org>
To: announce@...che.org, announce@...camole.apache.org, 
	dev@...camole.apache.org, user@...camole.apache.org
Cc: security@...camole.apache.org, oss-security@...ts.openwall.com
Subject: [SECURITY] CVE-2020-9498: Apache Guacamole: Dangling pointer in RDP
 static virtual channel handling

CVE-2020-9498: Dangling pointer in RDP static virtual channel handling

Versions affected:
Apache Guacamole 1.1.0 and earlier

Description:
Apache Guacamole 1.1.0 and older may mishandle pointers involved in
processing data received via RDP static virtual channels. If a user
connects to a malicious or compromised RDP server, a series of
specially-crafted PDUs could result in memory corruption, possibly
allowing arbitrary code to be executed with the privileges of the
running guacd process.

Mitigation:
Users of versions of Apache Guacamole 1.1.0 and older that provide
access to untrusted RDP servers should upgrade to 1.2.0.

Credit:
We would like to thank Eyal Itkin (Check Point Research) for reporting
this issue.
