-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3679
              VMSA-0020-0024 - VMWare Horizon vulnerabilities
                              26 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Horizon Server
                   VMware Horizon Client for Windows
Publisher:         VMWare
Operating System:  VMware ESX Server
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3998 CVE-2020-3997 

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2020-0024.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory ID: VMSA-0020-0024

CVSSv3 Range: 3.3 - 4.1

Issue Date: 2020-10-22
Updated On: 2020-10-22 (Initial Advisory)

CVE(s): CVE-2020-3997, CVE-2020-3998

Synopsis:
VMware Horizon Server and VMware Horizon Client updates address multiple
security vulnerabilities (CVE-2020-3997, CVE-2020-3998)

1. Impacted Products
VMware Horizon Server
VMware Horizon Client for Windows

2. Introduction
Multiple vulnerabilities in VMware Horizon Server and Horizon Client for
Windows were privately reported to VMware. Updates are available to remediate
these vulnerabilities in affected VMware products.

3a. VMware Horizon Server Cross Site Scripting (XSS) vulnerability (CVE-2020-3997)
Description

VMware Horizon Server does not correctly validate user input. VMware has 
evaluated the severity of this issue to be in the Moderate severity range with
a maximum CVSSv3 base score of 4.1.

Known Attack Vectors
Successful exploitation of this issue may allow an attacker to inject malicious
script which will be executed.

Resolution
To remediate CVE-2020-3997 apply the patches listed in the 'Fixed Version' 
column of the 'Response Matrix' below.

Workarounds
None.

Additional Documentation
None.

Notes
None.

Acknowledgements
None.


Response Matrix

Product: Horizon Server
Version: 7.x
Running On: Any
CVE Identifier: CVE-2020-3997
CVSSv3: 4.1
Severity: Moderate
Fixed Version: 7.10.3 or 7.13.0
Workarounds: None
Additional Documentation: None

Product: Horizon Server
Version: 8.x
Running On: N/A
CVE Identifier: N/A
CVSSv3: N/A
Severity: N/A
Fixed Version: Unaffected
Workarounds: N/A
Additional Documentation: N/A


3b. VMware Horizon Client for Windows information disclosure vulnerability
(CVE-2020-3998)

Description

VMware Horizon Server does not correctly validate user input. VMware has
evaluated the severity of this issue to be in the Low severity range with a
maximum CVSSv3 base score of 3.3.

Known Attack Vectors
A malicious attacker with local privileges on the machine where Horizon Client
for Windows is installed may be able to retrieve hashed credentials if the 
client crashes.

Resolution

To remediate CVE-2020-3998 apply the patches listed in the 'Fixed Version' 
column of the 'Response Matrix' below.

Workarounds
None.

Additional Documentation
None.

Notes
None.

Acknowledgements
VMware would like to thank Yann Souchon and Quentin for reporting this issue 
to us.

Response Matrix

Product: Horizon Client for Windows
Version: 5.x and prior
Running On: Windows
CVE Identifier: CVE-2020-3998
CVSSv3: 3.3
Severity: Low
Fixed Version: 5.5.0
Workarounds: None
Additional Documentation: None


4. References
Fixed Version(s) and Release Notes:

Horizon Server
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_horizon/7_10
https://docs.vmware.com/en/VMware-Horizon-7/index.html

Horizon Client for Windows 5.5.0
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=CART21FQ3_WIN_550&productId=863&rPId=53321
https://docs.vmware.com/en/VMware-Horizon-Client/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3997
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3998 

FIRST CVSSv3 Calculator:

CVE-2020-3997 
- - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

CVE-2020-3998 
- - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N


5. Change Log
2020-10-22 VMSA-2020-0024
Initial security advisory.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX5YureNLKJtyKPYoAQiqZw/8CAKY7JSyR0UtgdccN7s0yisEK+pFnR9Y
9fkeYdeMeZxFNGYwaj8s3Fqzw7TbVhqzzfe7H6bp906TzdBrF8+ZcsD7FxeMHEHE
Kk4vDq/rS8MuirVHeixtepUzRoZu0MfAWwCW9kO0X33b+gtoyZJkdnVygD6FZH2s
8bk412onV+56LmLCteK802fsRXO880nPad6yo/3tpNndF4APcBu0fpDQDmDuePgJ
2OlnxYvqE72F+HW1LHntwRb85xIosY29OxG8YjnQgjHY2icAZc+y+FhD3MoiZijr
74XJSyz91fymdfOORA9Xu03ACmHk6DpxTcmDooWR/H+Au/kdtJChdyrVGfng+RhX
LNZjuyRNGgxXbUC0YT9O0rcRJfRxShvN5dmPrQ2I+GCSZWQfqlkooDO3KPestPbX
8jC+6G4KU1O6OTtvH1p1OjtIIcfZx5PuE+HSy43W92C2AWbVeSg4doVYX8AJJl4I
I4/PQtdX0ovd6GG1RYp0WO5MyjmOQniVp6OnolcwstQUjUQGxjTinAxj2UJmcuN/
W1pNtHedLHqu6nBhI5B7m4OeEqikII+MEGKAzQ0e0PRsfvGnHKBuqOIo56Sno12O
H3tlTJT54C1K5Gu4KBr//yRpkgXV2vrKYvqs0MB7M2HYnAbZU/t/moYS1BFDGR0J
30xSr0tucCw=
=/wat
-----END PGP SIGNATURE-----