Operating System:

[Virtual]

Published:

23 September 2020

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ESB-2020.3253 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3253
          VMSA-2020-0021 - Horizon DaaS update addresses a broken
               authentication vulnerability (CVE-2020-3977)
                             23 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMWare Horizon DaaS
Publisher:         VMWare
Operating System:  Virtualisation
Impact/Access:     Unauthorised Access -- Existing Account
                   Reduced Security    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3977  

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2020-0021.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory ID: VMSA-2020-0021
CVSSv3 Range: 6.3
Issue Date: 2020-09-22
Updated On: 2020-09-22 (Initial Advisory)
CVE(s): CVE-2020-3977
Synopsis: Horizon DaaS update addresses a broken authentication vulnerability
(CVE-2020-3977)

1. Impacted Products

  o VMware Horizon DaaS (Horizon DaaS)

2. Introduction

A broken authentication vulnerability affecting VMware Horizon DaaS was
privately reported to VMware. Updates are available to address this
vulnerability in affected VMware product.

3. Advisory Details

Description

Horizon DaaS contains a broken authentication vulnerability due to a flaw in
the way it handled the first factor authentication. VMware has evaluated the
severity of this issue to be in the Moderate severity range with a maximum
CVSSv3 base score of 6.3.

Known Attack Vectors

Successful exploitation of this issue may allow an attacker to bypass
two-factor authentication process.

Note: In order to exploit this issue, an attacker must have a legitimate
account on Horizon DaaS.

Resolution

To remediate CVE-2020-3977 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

In order to exploit this issue, an attacker must have a legitimate account on
Horizon DaaS.   

Acknowledgements

VMware would like to thank David Roccasalva of Privasec for reporting this
issue to us.

Response Matrix

Product Version Running CVE           CVSSv3 Severity Fixed    Workarounds Additional
                On      Identifier                    Version              Documentation
Horizon 9.x     Any     CVE-2020-3977 N/A    N/A      not      N/A         N/A
DaaS                                                  affected
Horizon 7.x,                                          8.0.1
DaaS    8.x     Any     CVE-2020-3977 6.3    moderate Update   None        None
                                                      1**

**This update applies to 8.0.1 only. Please see the download link for more
information.

4. References

Fixed Version(s) and Release Notes:


Horizon DaaS 8.0.1 Update 1

Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=
HORIZON_DAAS_801&productId=743&rPId=36148
https://docs.vmware.com/en/VMware-Horizon-DaaS/services/rn/
Horizon-DaaS-801-Release-Notes.html#rollup

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3977

FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/
I:L/A:L

5. Change Log

2020-09-22 VMSA-2020-0021
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX2reG+NLKJtyKPYoAQh/Qw//YOEvz8BVjFxnMo7Uk4M5vei16wIezKeO
IdRVAtUKU4Kpq2ticdlT61+s0UXmhqdpdsL0LRoymg3R4c6AtVAZhnuHQ1x682Hf
lfm5tElXznsNj3uZd2cwyJRKnyAgn+bDaArEMALe7c9Zw8uiVaAHPv5vI5DFNfia
xyBtgsEHxUXktlyc0mcwxqajlN/pINfTxD8Vrq99yIjcOs5FCouAezESLYjUzemA
pz/KV8piE3LU5zqQIphgP6GKEvxbC4sUVgj7YISSTtCUnYhNJSwPw0SF2iwQqT4U
y9kq0buF3UIlXNUXiYq5Y0UhyFkVVXoHsmhh2NbU5hLNHJXniG+oZ97v7dmhxfTD
BRo8crs4rKO4L10Nyez6vl09TYFauWOvFl2ojJaxTG7IrzSmPpxfXBJIBiYTeSAz
wnRyh3ta6mdiRCXhS1R0x19PDfxvJX8j0i+CaHBbUaID55GDhGfbzuAkjWYvFOVj
Yv/Oam1TtQnZxOYN9xhLoZVakP0KQKjHcP2xeohO+AJ3o81zGN/6xSLQgp8zj9qe
1F3hIt0T5yJUX5/IryZEaQ9sgUNOOJFyUK84XZCogQFwp2V3UBbirLFtqm8JpI77
Vq6aTa/BkecZegXPQgs9VHwAeYhhhZly0auQL65Z4f0Z5CqNAZTfcHPAR0otGBVM
ST1tlUEsMC4=
=wq27
-----END PGP SIGNATURE-----