[Security issue] Session not invalidated after SmartCard removal (under specific conditions)

Dear all,

I am writing to you to report a security issue regarding the VMWare Horizon thick client (version 4.3.0 build-4710077) when using SmartCard authentication. The issue manifests itself when one removes the SmartCard from the windows host running the Horizon client in a non-standard way (will be explained later). Such removal of the SmartCard does not invalidate already opened sessions - the virtual desktop is fully functional and can be used for a long period of time (unclear how long, never timed out in our tests) after the removal of the SmartCard.

As for the non-standard SmartCard removal, we succeeded with this approach:

  • Host A is a machine with the SmartCard access, host B is machine running the VMWare Horizon thick client. Server V is the vHorizon VDI broker/proxy,
  • A user establishes a RDP session using xfreerdp (see GitHub - FreeRDP/FreeRDP: FreeRDP is a free remote desktop protocol client ) from host A to host B. The user forwards the SmartCard from host A to host B through xfreerdp,
  • The user then establishes a vHorizon session from host B to server V and accesses a virtual desktop (in our particular case, the Horizon client then forwarded the SmartCard to the virtual desktop, where is was used to log in into windows),
  • The user then closes the RDP session to host B without logging out (so that the vHorizon session from host B to server V remains active),
  • The user then establishes a RDP session using xfreerdp from host A to host B again. However, this time he does not forward the SmartCard from host A to B (the SmartCard can be physically removed from host A in before this step).
  • The resulting state is:
    • the vHorizon session from host B to server V is active, the virtual desktop is fully functional while
    • neither host B nor the OS of the virtual desktop have access to the SmartCard (eg the smart card does not show in Device manager anymore),
    • note: the OS of the virtual desktop starts "complaining" after a while, that the SmartCard is missing, but the session still remains active.

If the SmartCard was connected directly to host B (and not forwarded via RDP), the VMWare Horizon session is abandoned immediately after the card's removal, which is the expected behaviour.

We did not analyse the syscalls that happen (or not happen) in either scenarios. However, it seems the Horizon thick client only uses the SmartCard to establish a TLS session, but it does not actively test for SmartCard's presence while the session is open. It merely registers an OS event "the SmartCard was removed" and only then abandons the established session. However, if such event does not occur (eg in case of using xfreerdp, but there are other ways , eg. customised USB drivers), the Horizon client does not discover by itself that the SmartCard was removed.

We see it necessary to bring your attention to this issue as it poses a serious issue in the VMWare Horizon SmartCard authentication threat modelling. Hope the provided information helps VMWare to fix this issue in the following releases of the vHorizon thick client. In case additional data is needed, we are willing to help.



p.s. insighti is a security consultancy company. The above-mentioned threat was discovered while performing a security audit of a newly deployed VDI for one of our clients.

0 Kudos
0 Replies