VMware View – PCoIP SSO bug
Last week we discovered a bug in VMware view.
It’s a security breach in the PCoIP protocol that allows any user to override security of locked VMware View desktops.
This only happens when using the PCoIP protocol and happens with the 4 and 4.5 version. We’ve tested this in several environments, at customers and at the office.
So What really happens? Let’s start from the start to make sure you get the full picture.
– A user, user1 logs on to his VMware view desktop using PCoIP.
– He works on several document and is creating a critical financial overview in Excel (notepad in our case).
– He’s late for a meeting and decides to lock his VMware View desktop.
– unfortunately he didn’t save his Excel sheet, but no worries the VMware View environment is HA.
– so he locked his virtual desktop – THIS IS IMPORTANT TO STRESS!!!!
– no one in the office knows his password.
– another user, user2 walks up to the endpoint where user1 just left.
– He notices that a virtual desktop is already active and want to disconnect this session so he can work at this endpoint.
– He moves his mouse to the top of the screen and the VMware view client bar appears.
– At the bottom of the menu he finds “Disconnect and Log Off”.
– Of course disconnect would be enough, but he chooses Disconnect and Log off.
– A confirmation is shown, but what the heck. I’m not entitled to logoff his session in anyway.
– The session of User1 is opened and all documents (saved or not) are closed. AGAIN THIS IS IMPORTANT, ALL WORK IS LOST!
– The session is logged off. (this all happens in seconds)
– If user1 comes back for his meeting and wants to finish his financial Excel sheet he will find it gone, like all of his session.
of course some people will say that user2 had no real access to user1’s session because all documents closed within seconds.
Think about any worst-case scenario where a huge number of stuff is opened and it takes longer to close all, at that time user2 can read everything that’s on screen.
And furthermore what’s the use of a logoff option in the menubar when the session is locked? Shouldn’t you be logged on to be able to logoff you session? Why is the View client not smart enough to see the state of the session?
So here we are, you have good picture of the issue we discovered.
You can even try this with your own View installation and see how unwanted this is.
We’ve created a movie about this, first read the text and then look at the movie, it’ll make it easier to graspe the idea.
Click here to watch the movie.
If you have any question, we’re on Twitter, don’t hesitate to ask anything.