OVA version 1.3.0-1 - guacd is still version 1.2.0

joris.degreef 2021-01-24 00:07:07 UTC #1

Keywords: Apache Guacamole - Virtual Machines - Technical issue - Other
Description:
Tested OVA version 1.3.0-1:

2 things I noticed:

/var/log/syslog shows guacd is still version 1.2.0 (wanted to test NLA without LDAPS SSO)
guacd[xxx]: Guacamole proxy daemon (guacd) version 1.2.0 started

openssl still outdated and vulnerable:

openssl version

OpenSSL 1.1.1d 10 Sep 2019

jcarmona 2021-01-25 11:57:45 UTC #2

Hi @joris.degreef

Thanks for using Bitnami Guacamole and reaching out to us!

guacd[xxx]: Guacamole proxy daemon (guacd) version 1.2.0 started

I was also able to verify this on the latest 1.3.0-1 release, I will let the team know, thanks!

openssl still outdated and vulnerable:

Let's check the installed packages:

$ apt list openssl
openssl/stable,now 1.1.1d-0+deb10u4 amd64 [installed,automatic]

According to https://packages.qa.debian.org/o/openssl.html, this package is not deprecated. Furthermore, version 1.1.1 is LTS until 2023 (https://www.openssl.org/policies/releasestrat.html)

Best regards,
Jose Antonio Carmona

Was my answer helpful? Click on

joris.degreef 2021-01-25 12:54:55 UTC #3

Hi Jose,

Thanks.

Regarding openssl, you are totally right.

I'll check the change log https://metadata.ftp-master.debian.org/changelogs//main/o/openssl/openssl_1.1.1d-0+deb10u4_changelog next time, instead of relying on the version number in Nessus.

jcarmona 2021-01-26 13:00:50 UTC #4

Hi @joris.degreef

Thanks for reporting the issue! We have released a new revision 1.3.0-3 that does ship with the correct version of Guacamole Server:

$ guacd -v
Guacamole proxy daemon (guacd) version 1.3.0

Best regards,
Jose Antonio Carmona

Was my answer helpful? Click on

joris.degreef 2021-01-26 18:19:15 UTC #5

Hi Jose,

Thanks. I noticed this morning as well and already played with it.
Automatic prompting for remote desktop credentials is also showing up now.

But unfortunately, I can't get RDP to work (regardless of automatic prompting).
(SSH works.)
Proxying with a guacd 1.2 works.

It starts fine, you see a mouse pointer in the upper left corner and next "You have been disconnected.".

root@debian:~# tail /opt/bitnami/guacamole-server/logs/guacd.log
guacd[3469]: TRACE:     User confirmation of frame 6664027ms received at 6664067ms (processing_lag=37ms)
guacd[3469]: TRACE:     User confirmation of frame 6664066ms received at 6664111ms (processing_lag=42ms)
guacd[3469]: TRACE:     Server completed frame 6664125ms.
guacd[3469]: TRACE:     Server completed frame 6664148ms.
guacd[3469]: TRACE:     CLIPRDR: Received monitor ready.
guacd[3469]: TRACE:     CLIPRDR: Sending format list
guacd[3469]: TRACE:     Server completed frame 6664169ms.
guacd[3469]: INFO:      Connected to RDPDR 1.13 as client 0x0002
free(): double free detected in tcache 2
guacd[3236]: INFO:      Connection "$386a0033-8e53-43d8-b2a7-f11a8f449c32" removed.

Kind regards,

Joris

joris.degreef 2021-01-26 19:05:24 UTC #6

If the message "free(): double free detected in tcache 2" has something to do with it, it changes with the security mode selected:

NLA: free(): double free detected in tcache 2
Negotiate (ANY): munmap_chunk(): invalid pointer
RDP: double free or corruption (fasttop)

jcarmona 2021-01-27 11:40:51 UTC #7

Hi @joris.degreef

Do you mind opening a new ticket for this? We tend to keep threads single themed, so that users can easily find solutions to similar problems. Our team will be more than happy to assist you in the new thread

Thanks. I noticed this morning as well and already played with it.

As you have verified this is solved in the current version, I will mark this thread as Closed now.

Best regards,
Jose Antonio Carmona

Was my answer helpful? Click on

jcarmona 2021-01-27 11:43:29 UTC #8

Bitnami provides free all-in-one installers, virtual machines and cloud images for popular open source applications. Get them now!