====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN599
_____________________________________________________________________

DATE                : 23/10/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows running VMware Horizon Server versions
                                  prior to 7.10.3, 7.13.0,
                        VMware Horizon Client versions prior to 5.5.0.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2020-0024.html
_____________________________________________________________________


Moderate


Advisory ID:      VMSA-0020-0024
CVSSv3 Range:     3.3 - 4.1
Issue Date:       2020-10-22
Updated On:       2020-10-22 (Initial Advisory)
CVE(s):           CVE-2020-3997, CVE-2020-3998


Synopsis:
VMware Horizon Server and VMware Horizon Client updates address multiple
security vulnerabilities (CVE-2020-3997, CVE-2020-3998)


1. Impacted Products

    VMware Horizon Server
    VMware Horizon Client for Windows


2. Introduction

Multiple vulnerabilities in VMware Horizon Server and Horizon Client for
Windows were privately reported to VMware. Updates are available to
remediate these vulnerabilities in affected VMware products.

3a. VMware Horizon Server Cross Site Scripting (XSS) vulnerability
(CVE-2020-3997)

Description

VMware Horizon Server does not correctly validate user input. VMware has
evaluated the severity of this issue to be in the Moderate severity
range with a maximum CVSSv3 base score of 4.1.

Known Attack Vectors

Successful exploitation of this issue may allow an attacker to inject
malicious script which will be executed.

Resolution

To remediate CVE-2020-3997 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

None.


Response Matrix

Product 	Version 	Running On 	CVE Identifier 	CVSSv3 	Severity 	Fixed
Version 	Workarounds 	Additional Documentation

Horizon Server    7.x    Any     CVE-2020-3997     4.1     moderate	
7.10.3 or 7.13.0     None     None

Horizon Server     8.x     N/A     N/A     N/A     N/A     Unaffected
	N/A      N/A


3b. VMware Horizon Client for Windows information disclosure
vulnerability (CVE-2020-3998)

Description

VMware Horizon Server does not correctly validate user input. VMware has
evaluated the severity of this issue to be in the Low severity range
with a maximum CVSSv3 base score of 3.3.

Known Attack Vectors

A malicious attacker with local privileges on the machine where Horizon
Client for Windows is installed may be able to retrieve hashed
credentials if the client crashes.

Resolution

To remediate CVE-2020-3998 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Yann Souchon and Quentin for reporting this
issue to us.

Response Matrix

Product 	Version 	Running On 	CVE Identifier 	CVSSv3 	Severity 	Fixed
Version 	Workarounds 	Additional Documentation

Horizon Client for Windows     5.x and prior     Windows   CVE-2020-3998
	3.3     low      5.5.0     None     None


4. References

Fixed Version(s) and Release Notes:


Horizon Server

Downloads and Documentation:

https://my.vmware.com/en/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_horizon/7_10

https://docs.vmware.com/en/VMware-Horizon-7/index.html


Horizon Client for Windows 5.5.0
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=CART21FQ3_WIN_550&productId=863&rPId=53321
https://docs.vmware.com/en/VMware-Horizon-Client/index.html


Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3997
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3998



FIRST CVSSv3 Calculator:

CVE-2020-3997 -
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

CVE-2020-3998 -
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N


5. Change Log

2020-10-22 VMSA-2020-0024
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce



This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org



E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055



VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2020 VMware Inc. All rights reserved.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================