Apache Guacamole 1.1.0 and older: Remote Code Execution via RDP Static Virtual Channels

Apache Guacamole 1.1.0 and older: Remote Code Execution via RDP Static Virtual Channels

CVE-2020-9498 · MEDIUM Severity

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed with the privileges of therunning guacd process.

Learn more about our Cis Benchmark Audit For Server Software.