[ https://issues.apache.org/jira/browse/GUACAMOLE-1283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17313486#comment-17313486 ]

Mike Jumper commented on GUACAMOLE-1283:
----------------------------------------

I've been looking into this and found the following FreeRDP issue:

https://github.com/FreeRDP/FreeRDP/issues/6156 ("Possible race in security_encrypt")

The nature of the issue is that legacy RDP encryption uses a key that rotates 
every 4096 packets, but a lack of synchronization around the parts of the 
library that might update that key can result in data being sent with the wrong 
key, causing connection failures.

Based on commit history and [the corresponding pull request|https://github.com/FreeRDP/FreeRDP/pull/6242], 
this was expected to be resolved with 
[commit d2c653b|https://github.com/FreeRDP/FreeRDP/commit/d2c653baf3b8eb2f737adc9f71ac0267418657a2], 
which is present from FreeRDP 2.1.2 onward.

BUT, I can confirm this behavior when connecting with RDP and with audio input 
enabled, even with a FreeRDP version later than 2.1.2. When I add locking around 
absolutely every place in Guacamole's RDP support that might result in FreeRDP 
sending further data over the network, the problem disappears, so it looks like 
additional locking is needed within FreeRDP if the intent is that the library 
is thread-safe.

Ideally, this should be fixed in the library, but the guaranteed solution is to 
add locking independently of FreeRDP. Given that most people will be using 
older versions of FreeRDP 2.x, I think this is something we need to work 
around, even if it will one day be fixed upstream.

> Legacy RDP encryption may fail with "ERRINFO_DECRYPT_FAILED"
> ------------------------------------------------------------
>
>                 Key: GUACAMOLE-1283
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1283
>             Project: Guacamole
>          Issue Type: Bug
>          Components: RDP
>    Affects Versions: 1.2.0
>         Environment: guacd 1.2 running in Docker on RHEL 7 deployed in AWS
>            Reporter: Shaun Tarves
>            Assignee: Mike Jumper
>            Priority: Minor
>         Attachments: RemoteDesktop.txt, TerminalServices.txt
>
>
> We are experiencing semi-regular disconnects of the guacamole-server (guacd) 
> while a user is interacting with a remote machine. Attached are the 
> DEBUG-level logs, which we see every time we experience the disconnects. I'm 
> not sure how to further debug this issue.
> {code}
> Feb  8 14:46:21 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011Clipboard 
> data received. Reporting availability of clipboard data to RDP server.
> Feb  8 14:46:24 ip-172-16-10-253 journal: guacd[84]: DEBUG:#011Clipboard data 
> received. Reporting availability of clipboard data to RDP server.
> Feb  8 14:46:41 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011Clipboard 
> data received. Reporting availability of clipboard data to RDP server.
> Feb  8 14:47:13 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011Clipboard 
> data received. Reporting availability of clipboard data to RDP server.
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011Clipboard 
> data received. Reporting availability of clipboard data to RDP server.
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: 
> DEBUG:#011ERRINFO_DECRYPT_FAILED (0x00001192):(a) Decryption using Standard 
> RDP Security mechanisms (section 5.3.6) failed.
> Feb  8 14:47:22 ip-172-16-10-253 journal: (b) Session key creation using 
> Standard RDP Security mechanisms (section 5.3.5) failed.
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011BIO_read 
> returned a system error 104: Connection reset by peer
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: ERROR:#011Connection 
> closed.
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011Unloading 
> device 0 (Remote Access Filesystem)
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011SVC "rdpdr" 
> disconnected.
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011SVC "rdpsnd" 
> disconnected.
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: INFO:#011Internal RDP 
> client disconnected
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: INFO:#011User 
> "@5dd34373-1e17-4091-9670-c00fc2d68684" disconnected (0 users remain)
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: INFO:#011Last user of 
> connection "$60bea827-60a1-403b-84b8-3c7358f490ee" disconnected
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011Requesting 
> termination of client...
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[148]: DEBUG:#011Client 
> terminated successfully.
> Feb  8 14:47:22 ip-172-16-10-253 journal: guacd[8]: INFO:#011Connection 
> "$60bea827-60a1-403b-84b8-3c7358f490ee" removed.
> {code}
> Attached are the MS Event Logs for the `RemoteDesktop*` and 
> `TerminalServices*` log sources.
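The race described in the comment above, as an added example that is not FreeRDP's or Guacamole's code: a toy model of the per-4096-packet key rotation in which one lock around every send path (the caller-side workaround Mike Jumper describes) keeps the sender's and receiver's key generations in step. The key schedule, the XOR "cipher", the thread count and the shared key value are all constructed stand-ins.

```c
/* Added example, not FreeRDP or Guacamole code: a model of the legacy RDP
 * key-rotation race and the caller-side lock the comment describes. The
 * key update and cipher are toy stand-ins; only the sequencing matters. */
#include <pthread.h>
#include <stdint.h>
#define KEY_ROTATE_EVERY 4096   /* rotation interval named in the thread */
#define PACKETS_PER_THREAD 5000 /* enough to cross several rotations */

/* Sender and receiver each keep a packet counter and the current key and
 * must rotate in step; a packet encrypted under the wrong generation is
 * what the server reports as ERRINFO_DECRYPT_FAILED. */
typedef struct { uint32_t count; uint32_t key; } sec_state;
sec_state tx_state, rx_state;

static uint32_t next_key(uint32_t key) { return key * 1103515245u + 12345u; }
/* Unsynchronised library-style path: encrypt, count, maybe rotate. Two
 * threads interleaving these steps can put a packet on the wire under a
 * key the peer has not reached yet, or has already left behind. */
static uint32_t sec_transform(sec_state *s, uint32_t data) {
    uint32_t out = data ^ s->key;
    if (++s->count % KEY_ROTATE_EVERY == 0) s->key = next_key(s->key);
    return out;
}

static pthread_mutex_t send_lock = PTHREAD_MUTEX_INITIALIZER;
/* Caller-side workaround: every path that makes the library send data
 * (input, clipboard, audio input, ...) takes one lock, so encrypt, rotate
 * and wire order are serialised. The receiver is modelled inline. */
static int send_locked(uint32_t plain) {
    pthread_mutex_lock(&send_lock);
    uint32_t cipher = sec_transform(&tx_state, plain);
    uint32_t got = sec_transform(&rx_state, cipher); /* XOR undoes XOR */
    pthread_mutex_unlock(&send_lock);
    return got != plain; /* 1 = decrypt failure */
}

static void *worker(void *arg) {
    uintptr_t id = (uintptr_t)arg, failures = 0;
    for (uint32_t i = 0; i < PACKETS_PER_THREAD; i++)
        failures += (uintptr_t)send_locked((uint32_t)(id << 20) | i);
    return (void *)failures;
}
/* Runs n (<= 8) sender threads through the locked path; returns failures. */
int run_senders(int n) {
    pthread_t th[8]; uintptr_t total = 0; n = n > 8 ? 8 : n;
    tx_state = rx_state = (sec_state){0, 0x5eed1234u}; /* constructed key */
    for (int i = 0; i < n; i++) pthread_create(&th[i], NULL, worker, (void *)(uintptr_t)i);
    for (int i = 0; i < n; i++) { void *r; pthread_join(th[i], &r); total += (uintptr_t)r; }
    return (int)total;
}
```

Dropping the lock from `send_locked` is the unsynchronised case: with several threads the counter and key updates interleave and the receiver's decrypt count stops matching.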



--
This message was sent by Atlassian Jira
(v8.3.4#803005)