A vulnerability was found in VMware Horizon DaaS up to 7.x/8.0.1. It has been declared as critical. This vulnerability affects an unknown function of the component Two-factor Authentication.
So you’ve started to use or test Duo Security’s MFA/2FA technology on your network. You’ve been happy so far and you now want to begin testing or rolling out DUO MFA on your VMware Horizon View server.
VMware Horizon is great at providing an end user computing solution for your business, a byproduct of which is an amazing remote access system. With any type of access, especially remote, come numerous security challenges. DUO Security’s MFA solution is great at providing multi-factor authentication for your environment, and fully supports VMware Horizon View.
The manipulation with an unknown input leads to a weak authentication vulnerability. The CWE definition for the vulnerability is CWE-287. As an impact it is known to affect confidentiality, integrity, and availability.
The weakness was presented on 09/22/2020. The advisory is shared for download at vmware.com. This vulnerability has been named CVE-2020-3977 since 12/30/2019.
Successful exploitation requires a single authentication. There are neither technical details nor an exploit publicly available.
Applying the patch 8.0.1 Update 1 eliminates this problem.