Dear all,
I am writing to you to report a security issue regarding the VMWare Horizon thick client (version 4.3.0 build-4710077) when using SmartCard authentication. The issue manifests itself when one removes the SmartCard from the Windows host running the Horizon client in a non-standard way (explained later). Such removal of the SmartCard does not invalidate already opened sessions - the virtual desktop is fully functional and can be used for a long period of time (unclear how long; it never timed out in our tests) after the removal of the SmartCard.
As for the non-standard SmartCard removal, we succeeded with this approach:
If the SmartCard was connected directly to host B (and not forwarded via RDP), the VMWare Horizon session is abandoned immediately after the card's removal, which is the expected behaviour.
We did not analyse the syscalls that happen (or do not happen) in either scenario. However, it seems the Horizon thick client only uses the SmartCard to establish a TLS session, but it does not actively test for the SmartCard's presence while the session is open. It merely registers an OS event "the SmartCard was removed" and only then abandons the established session. However, if such an event does not occur (e.g. when using xfreerdp, but there are other ways, e.g. customised USB drivers), the Horizon client does not discover by itself that the SmartCard was removed.
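To make the distinction in the paragraph above concrete, here is an added, constructed simulation (not code from the report, from VMWare, or from any real client) of the two session-handling strategies: one that ends the session only when a removal event arrives, and one that additionally re-verifies card presence on a periodic tick. The `SimulatedReader`, `EventOnlySession` and `PollingSession` names and the `delivers_events` flag are hypothetical; the flag models whether the OS removal event reaches the client at all, as in the forwarded-reader case described.

```python
from dataclasses import dataclass, field


@dataclass
class SimulatedReader:
    """Constructed stand-in for a smart card reader.

    'present' is the true physical state of the card; 'delivers_events' models
    whether the OS "card removed" event reaches the client (False models the
    scenario in the report where the removal is never signalled).
    """
    present: bool = True
    delivers_events: bool = True
    listeners: list = field(default_factory=list)

    def remove_card(self) -> None:
        self.present = False
        if self.delivers_events:
            for callback in self.listeners:
                callback()


class EventOnlySession:
    """Models the reported behaviour: the session ends only on a removal event."""

    def __init__(self, reader: SimulatedReader):
        self.active = True
        reader.listeners.append(self.on_removed)

    def on_removed(self) -> None:
        self.active = False

    def tick(self) -> bool:
        # Periodic housekeeping that never re-checks the card.
        return self.active


class PollingSession(EventOnlySession):
    """Defensive variant: also re-verifies card presence on every tick.

    'max_missed' is the number of consecutive failed presence checks tolerated
    before the session is torn down (1 = terminate on the first miss).
    """

    def __init__(self, reader: SimulatedReader, max_missed: int = 1):
        super().__init__(reader)
        self.reader = reader
        self.max_missed = max_missed
        self.missed = 0

    def tick(self) -> bool:
        if self.reader.present:
            self.missed = 0
        else:
            self.missed += 1
            if self.missed >= self.max_missed:
                self.active = False
        return self.active


def run_scenario(session_cls, delivers_events: bool, ticks: int = 3) -> bool:
    """Open a session, remove the card, run a few ticks; return whether the
    session is still active afterwards (True = the gap the report describes)."""
    reader = SimulatedReader(delivers_events=delivers_events)
    session = session_cls(reader)
    session.tick()            # session established with the card present
    reader.remove_card()      # card physically gone; event may or may not fire
    for _ in range(ticks):
        session.tick()
    return session.active


if __name__ == "__main__":
    for cls in (EventOnlySession, PollingSession):
        for events in (True, False):
            print(f"{cls.__name__:17} events_delivered={events!s:5} "
                  f"still_active={run_scenario(cls, events)}")
```

Only the event-only session with suppressed events stays active after the card is gone; the polling variant closes the session in both cases, which is the property a presence-bound session should have regardless of how the removal event is (or is not) delivered.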
We see it as necessary to bring this issue to your attention, as it poses a serious issue in the VMWare Horizon SmartCard authentication threat modelling. We hope the provided information helps VMWare to fix this issue in the following releases of the vHorizon thick client. In case additional data is needed, we are willing to help.
Best
Radovan
P.S. insighti is a security consultancy company. The above-mentioned threat was discovered while performing a security audit of a newly deployed VDI for one of our clients.