VMware Horizon Community
dra60n
Enthusiast

CVE-2016-2107 vulnerability - Horizon 6.2

Hello,

We have recently run some security scans against our View Security Servers (we use Horizon 6.2 in our infrastructure) and it turned out that they are vulnerable to CVE-2016-2107.

According to VMware: "OpenSSL 1.0.2 through 1.0.2e contain the vulnerability CVE-2016-0701.... Horizon 6, versions 6.2, 6.2.1 and 6.2.2 include a version of OpenSSL 1.0.2 that is vulnerable, but disable DHE cipher suites by default. These releases will be exposed to this vulnerability if DHE cipher suites are re-enabled."

How can I check if DHE cipher suites have been re-enabled on Security Servers? How do I disable DHE ciphers?

Thanks

Kishoreg5674
Enthusiast

CVE-2016-2107 is hard to exploit, and it only affects connections that use an AES CBC cipher on a server that supports AES-NI. But it has high impact, potentially allowing a MITM to decrypt all traffic on this channel. Depending on the clients you are using, you may be able to mitigate the issue by using TLSv1.2 and GCM-based cipher suites exclusively. See https://docs.vmware.com/en/VMware-Horizon-6/6.2/com.vmware.horizon-view.security.doc/GUID-37F50EEE-0... for port 8443 configuration details.

dra60n
Enthusiast

Thank you for your response. The KB you have linked describes how to configure cipher suites on Connection Servers. Do you know how to do it on Security Servers?

BenFB
Virtuoso

You can restrict the protocols and ciphers in use to mitigate this.

Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Securi...

Do you have a plan to move off of Horizon 6.x? It goes end of general support on 2019-06-19.

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/product-lifecycle-matrix.p...

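The original question asks how to tell whether DHE suites have been re-enabled, and the replies above suggest restricting to TLSv1.2 with GCM-only suites. As an added example (not code from this thread or from VMware), the script below audits a cipher/protocol configuration file in the `secureProtocols.N` / `enabledCipherSuite.N` key style described in the VMware document linked above; those key names and the sample file contents are assumptions, so verify them against that document and your own server.

```python
# Added example: audit a locked.properties-style TLS configuration for the issues
# discussed in this thread (DHE re-enabled, AES-CBC suites, protocols below TLSv1.2).
import re

# Key names assumed from the VMware cipher-suite configuration document (not from this page).
PROTO_KEY = re.compile(r"^secureProtocols\.\d+\s*=\s*(\S+)")
SUITE_KEY = re.compile(r"^enabledCipherSuite\.\d+\s*=\s*(\S+)")
DH_SUITE = re.compile(r"_DHE?_")  # matches _DH_ and _DHE_, but not _ECDHE_/_ECDH_

def parse_locked_properties(text):
    """Return (protocols, suites) listed in the file, ignoring blanks and # comments."""
    protocols, suites = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PROTO_KEY.match(line)
        if m:
            protocols.append(m.group(1))
            continue
        m = SUITE_KEY.match(line)
        if m:
            suites.append(m.group(1))
    return protocols, suites

def audit(text):
    """Return a list of findings. An empty list means only TLSv1.2 is enabled and
    every listed suite is neither DH/DHE nor CBC, i.e. the hardening suggested above."""
    protocols, suites = parse_locked_properties(text)
    findings = []
    if not suites:
        findings.append("no enabledCipherSuite entries: product defaults apply, confirm DHE is still disabled")
    for s in suites:
        if DH_SUITE.search(s):   # DHE suites are what the VMware advisory says must stay disabled
            findings.append(f"DH/DHE suite enabled: {s}")
        if "_CBC_" in s:         # CVE-2016-2107 concerns AES-CBC suites
            findings.append(f"CBC suite enabled: {s}")
    if not protocols:
        findings.append("no secureProtocols entries: product defaults apply")
    for p in protocols:
        if p != "TLSv1.2":
            findings.append(f"protocol other than TLSv1.2 enabled: {p}")
    return findings

# Constructed sample files, not copied from any real server.
SAMPLE_WEAK = """# constructed sample
secureProtocols.1=TLSv1.2
secureProtocols.2=TLSv1.1
enabledCipherSuite.1=TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""
SAMPLE_HARDENED = """secureProtocols.1=TLSv1.2
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(cfg) or ["no findings"])
```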
dra60n
Enthusiast

Yes, we're planning on upgrading Horizon View at some point this year but unfortunately need to mitigate security vulnerabilities first without upgrading View.

dra60n
Enthusiast

Would you be able to specify what cipher suite(s) I should disable to mitigate this particular vulnerability?

BenFB
Virtuoso

Upgrading to 7.x will mitigate against this vulnerability and others. After 2019/06/19 you will be limited to critical updates and email support only.

dra60n
Enthusiast

I'm aware of that. Unfortunately there is no chance we can upgrade Horizon before the security audit that is going to happen at the end of May.

This is why I'm looking for a workaround.

dra60n
Enthusiast

Can someone confirm please that changing Global Acceptance and Proposal Policies will mitigate the vulnerability? Do changes to these policies affect security servers too?

BenFB
Virtuoso

I would recommend opening an SR while you still have access to support for 6.x to get their insight.

What is the hold up on upgrading to 7.x? That can typically be accomplished within just a few hours.
