CVE-2024-35164
📋 TL;DR
This vulnerability in Apache Guacamole allows authenticated attackers with access to text-based connections (like SSH) to execute arbitrary code on the server by sending malicious console codes. It affects all users running Guacamole 1.5.5 or older. The code executes with the privileges of the guacd process, which typically runs with elevated permissions.
💻 Affected Systems
- Apache Guacamole
📦 What is this software?
Guacamole by Apache
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the Guacamole server with attacker gaining the same privileges as the guacd process, potentially leading to lateral movement within the network, data exfiltration, or complete system takeover.
Likely Case
Authenticated attackers with access to SSH or other text-based connections could execute arbitrary commands on the server, potentially compromising sensitive data or using the server as a pivot point for further attacks.
If Mitigated
With proper network segmentation and least-privilege configurations, impact could be limited to the Guacamole server itself without allowing lateral movement to other systems.
🎯 Exploit Status
Exploitation requires authenticated access to a text-based connection. Attackers need to craft specific console code sequences to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.0
Vendor Advisory: https://lists.apache.org/thread/sgs8lplbkrpvd3hrvcnnxh3028h4py70
Restart Required: Yes
Instructions:
1. Download Apache Guacamole 1.6.0 from the official website.
2. Stop the guacd service.
3. Back up your current configuration.
4. Install version 1.6.0 following the official installation guide.
5. Restart the guacd service.
6. Verify the upgrade was successful.
🔧 Temporary Workarounds
Restrict text-based protocol access
Limit or disable SSH and other text-based protocol connections through Guacamole
# Edit guacamole.properties to restrict protocols
# Remove or comment out SSH protocol configurations
Network segmentation
Isolate Guacamole servers from sensitive systems and implement strict firewall rules
# Example iptables rule to restrict outbound connections
# Caveat: as written this drops every outbound packet from the guacd user, including its
# legitimate SSH/RDP/VNC connections to remote hosts; insert ACCEPT rules for permitted
# targets ahead of it
iptables -A OUTPUT -m owner --uid-owner guacd -j DROP
🧯 If You Can't Patch
- Implement strict access controls to limit who can use text-based connections through Guacamole
- Monitor guacd process activity and network connections for suspicious behavior
🔍 How to Verify
Check if Vulnerable:
Check the Guacamole version. If it's 1.5.5 or older, the system is vulnerable.
Check Version:
guacd --version
Verify Fix Applied:
Verify the installed version is 1.6.0 or newer and test that text-based connections still function properly.
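The version comparison above is easy to get wrong by hand (for example, "1.10.0" sorts before "1.6.0" as text but is newer). The following POSIX shell helper is an added example, not part of this advisory or of the Guacamole project: it pulls the first x.y.z number out of whatever `guacd --version` prints and compares it numerically against the fixed release 1.6.0. The exact wording of guacd's version banner is not given on this page, so the sample strings in the block are constructed; only the dotted number is relied upon.

```shell
#!/bin/sh
# Added example for CVE-2024-35164 (not from the advisory): decide whether a reported
# guacd version falls in the affected range (1.5.5 or older; fixed in 1.6.0).
# The exact wording of `guacd --version` output is NOT given on the page, so the
# sample strings below are constructed; only the x.y.z number is relied upon.

FIXED_VERSION="1.6.0"

# Print the first dotted x.y.z version number found in the given text (or nothing).
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Print numeric field $2 (1=major, 2=minor, 3=patch) of version $1; missing fields read as 0.
vfield() {
    v="$1.0.0"
    case "$2" in
        1) printf '%s' "${v%%.*}" ;;
        2) r=${v#*.}; printf '%s' "${r%%.*}" ;;
        3) r=${v#*.}; r=${r#*.}; printf '%s' "${r%%.*}" ;;
    esac
}

# Succeed (exit 0) when version $1 is numerically lower than version $2.
# Numeric comparison matters: 1.10.0 is newer than 1.6.0 although it sorts lower as text.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(vfield "$1" "$i")
        y=$(vfield "$2" "$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1   # versions are equal
}

# Succeed (exit 0) when the text contains a version older than the fix; exit 2 when no
# version could be parsed, so an unreadable result is never silently treated as safe.
guac_vulnerable() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Constructed sample strings standing in for real guacd output.
SAMPLE_OLD="Guacamole proxy daemon (guacd) version 1.5.5"
SAMPLE_NEW="Guacamole proxy daemon (guacd) version 1.6.0"

# Usage against a live host (the command is the one this page gives for the version check):
#   if guac_vulnerable "$(guacd --version 2>&1)"; then echo "VULNERABLE: upgrade to 1.6.0"; fi
```

Treat exit status 2 as "unknown" and check the binary manually rather than assuming it is patched; a packaged guacd may also carry a distribution version string that differs from the upstream release number.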
📡 Detection & Monitoring
Log Indicators:
- Unusual console code sequences in connection logs
- Multiple failed connection attempts followed by successful ones
- Unexpected process spawns from guacd
Network Indicators:
- Unusual outbound connections from the Guacamole server
- Suspicious payloads in SSH/Telnet traffic
SIEM Query:
source="guacamole.log" AND ("console code" OR "malformed sequence" OR "unexpected termination")