Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections
Hello, Le 11/01/2022 à 22:21, Mike Jumper - mjum...@apache.org a écrit : Severity: moderate When running Apache Guacamole 1.3.0, is the only way of addressing CVE-2021-41767 to update to v1.4.0 or is there a security patch incoming for one (or more lower) version(s) of Guacamole? Thank you, Toine - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org
Re: RDP: Issue with security-mode nego & NLA
Hi Guacamolers, Well, then I'm gonna phrase my question differently: is a Connection **security-mode** = **any** supposed to work with NLA as well? Looking forward to an answer! :] Antoine -- Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/ - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org
Re: RDP: Issue with security-mode nego & NLA
Oops, nabble stripped my raw additional debug elements. Here they are: === Debug elements: With Guacamole (with security-mode = ANY): **KO** guacd[914075]: Creating new client for protocol "rdp" guacd[914075]: Connection ID is "$b5fc03e4-69f3-44ec-94c4-21c3b48c9488" guacd[1471025]: Security mode: Negotiate (ANY) guacd[1471025]: Resize method: none guacd[1471025]: User "@e9601e9e-14a4-4d0d-a6f2-caeeae0b0b40" joined connection "$b5fc03e4-69f3-44ec-94c4-21c3b48c9488" (1 users now present) guacd[1471025]: Loading keymap "base" guacd[1471025]: Loading keymap "en-us-qwerty" tomcat9[910483]: 12:55:56.712 [http-nio-8081-exec-4] DEBUG o.a.g.net.InetGuacamoleSocket - Connecting to guacd at localhost:4822. guacd[1471025]: RDP server closed/refused connection: Server refused connection (wrong security type?) guacd[1471025]: User "@e9601e9e-14a4-4d0d-a6f2-caeeae0b0b40" disconnected (0 users remain) guacd[1471025]: Last user of connection "$b5fc03e4-69f3-44ec-94c4-21c3b48c9488" disconnected tomcat9[910483]: 12:55:57.155 [http-nio-8081-exec-9] DEBUG o.a.g.net.InetGuacamoleSocket - Closing socket to guacd. guacd[914075]: Connection "$b5fc03e4-69f3-44ec-94c4-21c3b48c9488" removed. With Guacamole (with security-mode = NLA): **OK** guacd[914075]: Creating new client for protocol "rdp" guacd[914075]: Connection ID is "$76cdb95c-04fd-4c6c-a342-191c10bdbb18" guacd[1471241]: Security mode: NLA guacd[1471241]: Resize method: none guacd[1471241]: User "@065794a5-0d77-4395-a200-70b41cf8032d" joined connection "$76cdb95c-04fd-4c6c-a342-191c10bdbb18" (1 users now present) guacd[1471241]: Loading keymap "base" guacd[1471241]: Loading keymap "en-us-qwerty" tomcat9[910483]: 12:56:34.421 [http-nio-8081-exec-8] DEBUG o.a.g.net.InetGuacamoleSocket - Connecting to guacd at localhost:4822. guacd[1471163]: Client did not terminate in a timely manner. Forcibly terminating client and any child processes. guacd[914075]: Connection "$4a4f9fb3-a8cf-4caf-9adc-63ce77fc0f97" removed. guacd[1471241]: Connected to RDPDR 1.13 as client 0x0003 guacd[1471241]: Connected to RDPDR 1.13 as client 0x0002 guacd[1471241]: RDPDR user logged on == With xfreerdp, with negociation: **OK** $ xfreerdp /v:A.B.C.D /u:Administrator /cert:ignore Password: [...] With xfreerdp, with NLA forced: **OK as well** $ xfreerdp /v:A.B.C.D /u:Administrator /cert:ignore /sec:nla Password: [...] With xfreerdp, with NLA disabled: **KO**, but that's expected, since the remote host is configured to only allow NLA connections $ xfreerdp /v:A.B.C.D /u:Administrator /cert:ignore -sec-nla [19655:19656] [WARN][com.freerdp.core.nego] - Error: HYBRID_REQUIRED_BY_SERVER [19655:19656] [INFO][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error state [19655:19656] [INFO][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state [19655:19656] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer [19655:19656] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D] [19655:19656] [ERROR][com.freerdp.core] - freerdp_post_connect failed -- Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/ - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org
RDP: Issue with security-mode nego & NLA
Hello Guac users! I encounter an issue and here's the symptom: Guacamole connection security mode negotiation doesn't seem be able to "choose" NLA mode. Context: I'm trying to make my Guacamole 1.3 stack connect to a Windows 2016 target, using RDP. The remote server is configured to only accept NLA connections. If my Guacamole connection "Security mode" param is on "Any", the webUI shows a failure dialog that says: "[Connection Error] The remote desktop server is currently unreachable. If the problem persists, please notify your system administrator, or check your system logs." If I set this param to "NLA", it works smoothly and I can see the new NLA RDP dialog that appeared in Guacamole 1.3! (thanks for that, by the way!) Is this a bug that only affects me? Thanks, Antoine -- Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/ - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org