VMware has released a new security advisory: VMSA-2018-0010: Horizon DaaS update addresses a broken authentication issue.
This advisory documents the remediation of one moderate issue: Horizon DaaS contains a broken authentication vulnerability that may allow an attacker to bypass two-factor authentication.
To be able to exploit this vulnerability, a potential attacker must have a legitimate account on Horizon DaaS.
The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2018-6960 to this issue.
All 7.x versions of Horizon DaaS are affected by this vulnerability. VMware recommends update to version 8.0.0.
What’s New in Horizon DaaS 8.0.0
You can tell this is a major release, VMware announced plenty of new features:
- new capacity-based licensing model
- new report: concurrent user license
- instant clone integration
- DaaS and Horizon agents updates
- file shares for importing data
- automatic agent pairing
- new demo-administrator role
- beta helpdesk console
- online/offline modes for assignments
- restart options for VMs
- enhanced import / export functionality
- direct admin connection to VMs
- support for Windows Server 2016
- smart policies integration
If you need more details on Horizon DaaS 8.0.0, please check the release notes.
You can also check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.
