===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2288
         Improper input validation of RDP static virtual channels
                                3 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Guacamole
Publisher:         Apache
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9497

Original Bulletin:
   https://www.mail-archive.com/announce@apache.org/msg05965.html

---------------------------BEGIN INCLUDED TEXT--------------------

CVE-2020-9497: Improper input validation of RDP static virtual channels

Versions affected:
Apache Guacamole 1.1.0 and earlier

Description:
Apache Guacamole 1.1.0 and older do not properly validate data received
from RDP servers via static virtual channels. If a user connects to a
malicious or compromised RDP server, specially-crafted PDUs could result in
disclosure of information within the memory of the guacd process handling
the connection.

Mitigation:
Users of versions of Apache Guacamole 1.1.0 and older that provide access
to untrusted RDP servers should upgrade to 1.2.0.

Credit:
We would like to thank the GitHub Security Lab and Eyal Itkin (Check Point
Research) for reporting this issue.

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================