CVE-2024-35164 is a vulnerability identified in Apache Guacamole, an open-source clientless remote desktop gateway widely used for accessing remote systems via protocols like SSH, RDP, and VNC. The flaw resides in the terminal emulator component of Guacamole versions 1.5.5 and earlier, where improper validation of array indexes (CWE-129) occurs when processing console codes received from servers over text-based protocols such as SSH. Specifically, the terminal emulator fails to adequately validate the bounds of array indexes derived from these console codes, allowing a malicious actor with access to the text-based connection to craft a sequence of console codes that can trigger out-of-bounds memory access. This can lead to arbitrary code execution within the context of the guacd daemon process, which handles the remote desktop sessions. The vulnerability requires the attacker to have network access to the text-based protocol session and low privileges but does not require user interaction. The CVSS v3.1 base score is 6.8, reflecting medium severity, with high impact on confidentiality and integrity but no impact on availability. The attack complexity is high, and privileges required are low, with no user interaction needed. No known exploits are currently reported in the wild. Apache has addressed this vulnerability in Guacamole version 1.6.0, which includes proper validation of console codes to prevent out-of-bounds access and code execution. Users of affected versions are strongly recommended to upgrade to mitigate this risk.

This vulnerability poses a significant risk to organizations relying on Apache Guacamole for remote access and terminal emulation. Successful exploitation can lead to arbitrary code execution with the privileges of the guacd process, potentially allowing attackers to compromise the remote access gateway, escalate privileges, and move laterally within the network. The confidentiality and integrity of remote sessions and underlying systems can be severely impacted, risking data breaches and unauthorized system control. Although the attack complexity is high and requires network access to text-based protocols, the lack of need for user interaction increases the threat level in environments where untrusted users have SSH or similar access. Organizations with exposed Guacamole instances may face targeted attacks aiming to leverage this vulnerability to gain persistent footholds. The absence of known exploits in the wild currently limits immediate widespread impact, but the medium severity and potential for code execution warrant prompt remediation to prevent future exploitation.

To mitigate CVE-2024-35164, organizations should immediately upgrade Apache Guacamole to version 1.6.0 or later, where the vulnerability has been fixed. In addition to patching, administrators should restrict network access to Guacamole instances by implementing strict firewall rules and network segmentation to limit exposure of text-based protocol ports such as SSH. Employing multi-factor authentication and strong access controls on Guacamole user accounts can reduce the risk of unauthorized access. Monitoring and logging of Guacamole sessions should be enhanced to detect anomalous or suspicious console code sequences or unexpected process behavior. Where feasible, running the guacd process with the least privileges necessary and within containerized or sandboxed environments can limit the impact of potential exploitation. Regularly reviewing and updating security policies related to remote access infrastructure will further strengthen defenses against similar vulnerabilities.