-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
                           VMware Security Advisory

Advisory ID: VMSA-2018-0010
Severity:    Moderate
Synopsis:    Horizon DaaS update addresses a broken authentication
             issue
Issue date:  2018-04-19
Updated on:  2018-04-19 (Initial Advisory)
CVE number:  CVE-2018-6960

1. Summary

   Horizon DaaS update addresses a broken authentication issue

2. Relevant Products

   VMware Horizon DaaS

3. Problem Description

   Broken authentication issue in Horizon DaaS

   Horizon DaaS contains a broken authentication vulnerability that may
   allow an attacker to bypass two-factor authentication.

   Note: In order to exploit this issue, an attacker must have a
   legitimate account on Horizon DaaS.

   VMware would like to thank Peter Ivezaj, President - Digital Upkeep
   for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2018-6960 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware        Product  Running           Replace with/  Mitigations/

   Product       Version  on      Severity  Apply patch    Workarounds
   ============  =======  ======  ========  =============  ==========
   Horizon DaaS   7.x      All    Moderate    8.0.0          None




4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.

   VMware Horizon DaaS
   Downloads:
   https://my.vmware.com/group/vmware/info?slug=desktop_end_user_
   computing/vmware_horizon_daas/8_0
   Documentation:
   https://docs.vmware.com/en/VMware-Horizon-DaaS/index.html



5. References

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6960

- -------------------------------------------------------------------------

6. Change log

   2018-04-19 VMSA-2018-0010 Initial security advisory in conjunction with
   the release of VMware Horizon DaaS 8.0.0 on 2018-04-19.

- -------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     security-announce@lists.vmware.com
     bugtraq@securityfocus.com
     fulldisclosure@seclists.org

   E-mail: security@vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2018 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.4.1 (Build 490)
Charset: utf-8

wj8DBQFa2XFQDEcm8Vbi9kMRAjldAJ9r1m4cV09HeeGbSq8JVAHFT4MGMwCg4OTh
DmBnPnDqrpbhXVwQgjeSKb4=
=gam/
-----END PGP SIGNATURE-----