There is an out-of-bounds read in Apache Guacamole server's RDP protocol support. The vulnerability exists in the handling of the RDP Audio Output Virtual Channel Extension (rdpsnd), while parsing a PDU of type WaveInfo, which is used to transmit audio data through the channel.
Apache Guacamole Server
Apache Guacamole Server up to commit bbb7949
GHSL-2020-058: Out of bounds read in WaveInfo PDU handler
The WaveInfo PDU contains a 16-bit unsigned integer that represents an index into the list of audio formats exchanged between the client and server during the initialization phase. This list is maintained as a 16-member array in `struct guac_rdpsnd`. The 16-bit integer (`format`) is used to index this array without any boundary checks and as a result may trigger an out-of-bounds read.
The vulnerability is in the following code of the WaveInfo PDU handler:

```c
/* Read wave information */
Stream_Read_UINT16(input_stream, rdpsnd->server_timestamp);
Stream_Read_UINT16(input_stream, format);
Stream_Read_UINT8(input_stream, rdpsnd->waveinfo_block_number);
Stream_Seek(input_stream, 3);
Stream_Read(input_stream, rdpsnd->initial_wave_data, 4);

/*
 * Size of incoming wave data is equal to the body size field of this
 * header, less the size of a WaveInfo PDU (not including the header),
 * thus body_size - 12.
 */
rdpsnd->incoming_wave_size = header->body_size - 12;

/* Read wave in next iteration */
rdpsnd->next_pdu_is_wave = TRUE;

/* Reset audio stream if format has changed */
if (audio != NULL)
    guac_audio_stream_reset(audio, NULL,
            rdpsnd->formats[format].rate,
            rdpsnd->formats[format].channels,
            rdpsnd->formats[format].bps);
```
As can be seen in the above code snippet, `Stream_Read_UINT16` is used to read a 16-bit integer value from the network into the `format` variable, and `rdpsnd->formats` is then indexed with this remotely controlled integer without ensuring that `format` does not index outside the bounds of the 16-member array.
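The following is an added example, not code from guacamole-server or the GHSL report: a minimal WaveInfo body parser modelled on the handler above, with the missing bounds check in place. The struct layouts, the `format_count` field, the cursor reader that stands in for FreeRDP's `Stream_*` API, and the sample PDU bytes are all assumptions constructed for this example; the fixed 16-entry array and the 12-byte body size come from the advisory.

```c
/* Added example (not guacamole-server code): hardened WaveInfo PDU parsing.
 * Struct layouts, format_count and the cursor helpers are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GUAC_RDP_MAX_FORMATS 16   /* the 16-member formats[] array from the advisory */
#define WAVEINFO_BODY_SIZE   12   /* WaveInfo body size, not including the header */

/* One negotiated audio format (simplified stand-in). */
typedef struct { int rate; int channels; int bps; } audio_format;

/* Simplified rdpsnd state: the formats[] array plus how many entries are valid. */
typedef struct {
    audio_format formats[GUAC_RDP_MAX_FORMATS];
    int format_count;                 /* assumed field: entries actually negotiated */
    uint16_t server_timestamp;
    uint8_t waveinfo_block_number;
    uint8_t initial_wave_data[4];
    int incoming_wave_size;
    int next_pdu_is_wave;
} rdpsnd_state;

/* Bounds-checked little-endian cursor, standing in for Stream_Read_*. */
typedef struct { const uint8_t *p; size_t len; } cursor;

static int read_u16(cursor *c, uint16_t *out) {
    if (c->len < 2) return -1;
    *out = (uint16_t)(c->p[0] | (c->p[1] << 8));
    c->p += 2; c->len -= 2;
    return 0;
}
static int read_u8(cursor *c, uint8_t *out) {
    if (c->len < 1) return -1;
    *out = c->p[0]; c->p += 1; c->len -= 1;
    return 0;
}
static int read_bytes(cursor *c, uint8_t *out, size_t n) {
    if (c->len < n) return -1;
    memcpy(out, c->p, n); c->p += n; c->len -= n;
    return 0;
}
static int skip_bytes(cursor *c, size_t n) {
    if (c->len < n) return -1;
    c->p += n; c->len -= n;
    return 0;
}

/* Parse a WaveInfo body. body_size is the header's body size field.
 * Returns 0 on success, -1 on malformed input, -2 when the remotely
 * supplied format index is out of range (the advisory's bug, rejected). */
int parse_wave_info(rdpsnd_state *rdpsnd, const uint8_t *body, size_t body_len,
                    int body_size, const audio_format **selected) {
    cursor c = { body, body_len };
    uint16_t format;

    if (read_u16(&c, &rdpsnd->server_timestamp) != 0) return -1;
    if (read_u16(&c, &format) != 0) return -1;
    if (read_u8(&c, &rdpsnd->waveinfo_block_number) != 0) return -1;
    if (skip_bytes(&c, 3) != 0) return -1;
    if (read_bytes(&c, rdpsnd->initial_wave_data, 4) != 0) return -1;

    /* Defensive check added in this example: keep incoming_wave_size non-negative. */
    if (body_size < WAVEINFO_BODY_SIZE) return -1;
    rdpsnd->incoming_wave_size = body_size - WAVEINFO_BODY_SIZE;
    rdpsnd->next_pdu_is_wave = 1;

    /* The fix: format comes from the network, so it may only select an
     * entry that was actually negotiated, and never one past the array. */
    if (format >= GUAC_RDP_MAX_FORMATS || (int) format >= rdpsnd->format_count)
        return -2;

    *selected = &rdpsnd->formats[format];
    return 0;
}

/* Build a constructed 12-byte WaveInfo body for testing (not a real capture). */
static size_t build_wave_info(uint8_t out[WAVEINFO_BODY_SIZE], uint16_t ts,
                              uint16_t format, uint8_t block) {
    out[0] = (uint8_t)(ts & 0xFF);     out[1] = (uint8_t)(ts >> 8);
    out[2] = (uint8_t)(format & 0xFF); out[3] = (uint8_t)(format >> 8);
    out[4] = block;
    out[5] = out[6] = out[7] = 0;                       /* padding skipped by the parser */
    out[8] = 0xDE; out[9] = 0xAD; out[10] = 0xBE; out[11] = 0xEF; /* initial wave data */
    return WAVEINFO_BODY_SIZE;
}

/* Parse a WaveInfo PDU carrying the given format index against a state with
 * four negotiated formats. Returns the selected format's rate on success,
 * or the negative parser error code. */
int demo_format_index(uint16_t format) {
    rdpsnd_state st;
    memset(&st, 0, sizeof st);
    st.format_count = 4;
    for (int i = 0; i < st.format_count; i++) {
        st.formats[i].rate = 8000 * (i + 1);
        st.formats[i].channels = 2;
        st.formats[i].bps = 16;
    }
    uint8_t body[WAVEINFO_BODY_SIZE];
    size_t n = build_wave_info(body, 0x1234, format, 7);
    const audio_format *sel = NULL;
    int rc = parse_wave_info(&st, body, n, WAVEINFO_BODY_SIZE + 100, &sel);
    return rc == 0 ? sel->rate : rc;
}

int main(void) {
    uint16_t probes[] = { 0, 3, 4, 16, 0xFFFF };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("format index %5u -> %d\n", probes[i], demo_format_index(probes[i]));
    return 0;
}
```

Indices 0 to 3 select a negotiated format; 4 is inside the array but was never negotiated, and 16 or 0xFFFF would read past `formats[]` in the original handler. All three are rejected before the array is touched, which is the check the vulnerable code lacks.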
An authenticated user may potentially leak information about the memory contents of the
Coordinated Disclosure Timeline
This report was subject to the GHSL coordinated disclosure policy.
- 04/10/2020: vendor contacted
- 04/10/2020: vendor acknowledges report
- 05/14/2020: vendor confirms CVE-2020-9497 will be fixed in 1.2.0
- 07/01/2020: vendor releases version 1.2.0
This issue was discovered and reported by the GitHub Security Lab.
You can contact the GHSL team at email@example.com; please include the identifier GHSL-2020-058 in any communication regarding this issue.