CVE-2018-6960 in Horizon DaaS

Summary

by MITRE

VMware Horizon DaaS (7.x before 8.0.0) contains a broken authentication vulnerability that may allow an attacker to bypass two-factor authentication. Note: In order to exploit this issue, an attacker must have a legitimate account on Horizon DaaS.

Analysis

by VulDB Data Team • 03/03/2023

The vulnerability identified as CVE-2018-6960 affects VMware Horizon DaaS version 7.x prior to 8.0.0, representing a critical broken authentication flaw that undermines the security posture of the platform. This weakness specifically targets the two-factor authentication mechanism, creating a potential pathway for unauthorized access that could compromise the integrity of user sessions and sensitive data within the virtual desktop infrastructure. The vulnerability is particularly concerning because it requires only a legitimate account to exploit, meaning that an attacker who has already gained initial access to a user account can bypass additional security layers that should normally protect against unauthorized access attempts.

The technical flaw manifests in the authentication process where the system fails to properly validate or enforce two-factor authentication requirements during the login sequence. This creates a scenario where an attacker with valid credentials can potentially circumvent the second authentication factor, effectively neutralizing the security benefits of multi-factor authentication. The vulnerability stems from improper implementation of authentication controls that should have enforced mandatory second-factor validation before granting full system access. According to CWE classification, this represents a weakness in authentication mechanisms, specifically categorized under CWE-287, which deals with improper authentication vulnerabilities, and more specifically CWE-308, which addresses the use of a predictable source of randomness in authentication protocols.

The operational impact of this vulnerability extends beyond simple unauthorized access, potentially enabling attackers to escalate privileges within the Horizon DaaS environment and access sensitive virtual desktop sessions. An attacker who successfully exploits this vulnerability could gain access to user desktop environments, potentially leading to data exfiltration, privilege escalation, and further lateral movement within the network infrastructure. The implications are particularly severe in enterprise environments where Horizon DaaS is used to provide secure remote access to corporate resources, as this vulnerability undermines the fundamental security model that organizations rely upon to protect their virtual desktop infrastructure. The attack vector is considered relatively low complexity since it only requires a legitimate account, making it accessible to both internal and external threat actors who have obtained valid user credentials through various means such as phishing, credential stuffing, or other initial compromise techniques.

From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1078, which covers valid accounts, and T1531, which addresses credential access through compromised accounts. Organizations utilizing VMware Horizon DaaS should implement immediate mitigations including updating to version 8.0.0 or later, implementing additional access controls, and monitoring for suspicious authentication patterns. The recommended remediation involves not only applying the vendor-provided security patch but also strengthening overall authentication policies, implementing more robust session management controls, and ensuring that all user accounts are properly monitored for unusual access patterns. Additionally, organizations should conduct comprehensive security assessments of their virtual desktop environments to identify other potential authentication weaknesses that could be exploited in conjunction with this vulnerability.

Reservation: 02/14/2018

Disclosure: 04/20/2018

Moderation: accepted

CPE: ready

EPSS: 0.02393

KEV: no

Activities: very low
