Two attack vectors in this highly popular software could lead to massive breaches and network takeovers if left unpatched.
In many companies, the daily routine for office workers involves logging in to the corporate network on a company computer. Now and then a worker needs offsite access and connects to the company's network remotely, using one of several available tools.
However, that routine may soon come under review, given security flaws found in one of the world's most widely used platforms for remote work.
Security flaws in remote IT
Researchers from Check Point found vulnerabilities that would allow threat actors to eavesdrop on remote-access sessions, record the credentials used in them, and control computers within the organization. In particular:
- the vulnerabilities were found in Apache Guacamole, free and open-source software with over 10 million downloads
- two attack vectors were identified, which the researchers said can lead to "full control over the entire organizational network"
- the flaws were disclosed to the project and have been fixed; the researchers nonetheless urge organizations everywhere to update their gateway servers now, since a fix only protects a network once it is actually deployed there
Guacamole or whack-a-mole?
Apache Guacamole, one of the world's most popular remote-work platforms, lets remote workers reach their company's computers from anywhere using only a web browser: the browser talks to a Guacamole gateway, which in turn speaks the native remote-desktop protocol (RDP among them) to the target machine inside the network. Because the client side is just a browser, Guacamole works on many devices, including mobile phones and tablets, giving remote workers "constant, world-wide, unfettered access to your computers", according to the software's creators. The recently disclosed vulnerabilities have, however, dented confidence in the software.
Eyal Itkin, a vulnerability researcher at Check Point, demonstrated that a threat actor with access to a computer inside the organization could mount a Reverse RDP attack, in which the usual trust direction is inverted: a remote machine running attacker-controlled malware takes over the client that connects to it, rather than the other way round. Here the client is the Apache Guacamole gateway, which handles every remote session in the network, so a malicious internal machine that a worker connects to through Guacamole can be used to take control of the gateway itself.
Once in control of the gateway, an attacker could eavesdrop on all incoming sessions, record every credential used, and even control other sessions within the organization. Because every remote session passes through that one component, the Check Point researchers described this foothold as equivalent to gaining full control over the entire organizational network.
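The practical first step the researchers are asking for is to confirm which guacd release a gateway is running, since guacd is the daemon on the gateway that speaks RDP to internal machines on the user's behalf. The script below is an added example written for this article; it is not code from the article, from Check Point, or from the Apache Guacamole project. It assumes that `guacd -v` prints a banner of the form `Guacamole proxy daemon (guacd) version 1.1.0`, and it treats `MIN_VERSION` as a parameter: the default of 1.2.0 is the release the project itself named as carrying the fix, but the article above does not state a fixed version, so confirm that value against the project's own security advisories before relying on it.

```shell
#!/bin/sh
# Added example, not code from the article or from the Apache Guacamole project.
# Checks whether the guacd on this host (the gateway daemon that speaks RDP to
# internal machines) is at or above a minimum release.
#
# ASSUMPTION: MIN_VERSION defaults to 1.2.0. The article does not name the fixed
# release; confirm this value against the project's own security advisories.
MIN_VERSION="${MIN_VERSION:-1.2.0}"

# Pull a dotted "x.y.z" out of the banner guacd prints for "guacd -v", assumed
# to look like: "Guacamole proxy daemon (guacd) version 1.1.0". Reads stdin,
# prints the bare version, prints nothing if no "version x.y.z" is present.
guacd_version_from_banner() {
    sed -n 's/.*version \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' | head -n 1
}

# version_ge A B: succeed (exit 0) if dotted version A is >= B, comparing each
# numeric component in turn so that 1.10.0 ranks above 1.9.0 (a plain string
# compare would get that wrong). Missing trailing components count as 0.
version_ge() {
    a="$1"; b="$2"; i=1
    while :; do
        # trailing "." guarantees a delimiter so cut never echoes the whole input
        x=$(printf '%s.' "$a" | cut -d. -f"$i")
        y=$(printf '%s.' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            return 0              # ran out of components on both sides: equal
        fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# check_guacd_version: run "guacd -v", parse it, compare against MIN_VERSION.
# Exit 0 if at or above MIN_VERSION, 1 if older, 2 if no version could be read.
check_guacd_version() {
    v=$(guacd -v 2>&1 | guacd_version_from_banner) || true
    if [ -z "$v" ]; then
        echo "could not parse a version from 'guacd -v' output" >&2
        return 2
    fi
    if version_ge "$v" "$MIN_VERSION"; then
        echo "guacd $v is at or above $MIN_VERSION"
        return 0
    fi
    echo "guacd $v is OLDER than $MIN_VERSION: update the gateway" >&2
    return 1
}

# Only talk to a real guacd when asked:  sh check_guacd.sh --check
case "${1-}" in
    --check) check_guacd_version ;;
esac
```

Run it as `sh check_guacd.sh --check` on the gateway host. Where guacd runs in a container, capture the banner from inside the container instead and pipe it through `guacd_version_from_banner`; the comparison logic is the same. Note that this checks the daemon binary only: the Guacamole web application is a separate component and is versioned separately.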
Vulnerability Research team leader Omri Herscovici added: “This research demonstrates how a quick change in the social landscape directly affects what attackers might focus their efforts on. In this case, it’s remote work. The fact that more and more companies have externalized many internally-used services to the outside world opens a number of new potential attack surfaces for threat actors. I strongly urge organizations to keep their servers up-to-date to protect their remote workforces.”