By Robert Pinkoske, Staff Engineer, VMware, and Kristina De Nike, Senior Product Manager, VMware
VMware Horizon tells a great security story: Your data never leaves your data center—it is safe and secure. But, of course, that is only true if the access to a virtual desktop is also secure. Here is an update on Horizon Clients and security.
When the Heartbleed alarm went off, VMware did a complete inventory of our exposure. Horizon Clients for Windows, iOS, and Android were using a vulnerable version of OpenSSL 1.0.1. However, the only way to exploit the vulnerability in the clients would be for an end user to connect to a Horizon View Connection Server or View security server that is malicious or has been compromised: the client is the side that opens the TLS connection, so the only peer that can send it a malformed heartbeat is the server it connects to. Although a man-in-the-middle server could try to insert itself into that connection, the Horizon Client checks the server's SSL certificate. If the client has ever seen a fully verified certificate for a server and then sees a self-signed one, it blocks the connection. That protection depends on certificate checking being left enabled in the client.
Our HTML Access client connects using the SSL/TLS functionality built into the browser, so the client itself did not require an update for Heartbleed. However, the HTML Access agent that shipped with View 5.3 Feature Pack 1 did have a Heartbleed vulnerability.
To address these issues, VMware released a 2.3.3 update for our Windows, iOS, and Android Horizon clients on April 14, 2014. We also posted a fix to the agent side of HTML Access for View 5.3 Feature Pack 2. For more information, see the Knowledge Base article VMware Horizon View and the Heartbleed Bug.
The updated clients (versions 2.4 and 3.0) that we released this week use the current patched versions of OpenSSL (1.0.1h and 0.9.8za). In the 3.0 release of the Mac client, we now offer the option of TLS 1.2, the current version of the protocol, which adds newer cipher suites (the AES-GCM and SHA-256-based suites, for example, are only available in TLS 1.2). We added this option to the Windows, iOS, and Android clients in previous releases. For all the clients, the default is to use TLS 1.0 and 1.1. If you want to use TLS 1.2, you can select it in Settings on Mac, iOS, or Android. You can configure the Windows client with a GPO on the client system.
Note: There is a known issue in the Horizon Client with TLS 1.2 and smart cards. We plan to address this issue soon.
If you have problems connecting to a View Connection Server with the new client, and you see an error message such as Host client algorithm mismatch, there may be an intermediate device on the network (a load balancer or SSL offloader, for example) that does not support any of the cipher suites the client is configured to offer. You can confirm this before changing anything by running openssl s_client against the device with the same cipher string the client uses: a handshake that fails because no cipher is shared points at the device rather than the Connection Server. If the device cannot be updated right away, you may wish to fall back to an older cipher suite that we no longer enable out of the box. (Enabling only current ciphers keeps the default state secure.) Enter a new cipher control string manually in the Settings area for your client.
If you are using an iOS device, you can find the cipher control string in Settings > VMware View > Advanced SSL Options. Here are some examples of the cipher control string:
- The default cipher control string used by clients (AES ciphers only, anonymous suites that do no server authentication excluded, strongest key length offered first): AES:!aNULL:@STRENGTH
- If your load balancer or other intermediate device does not support AES, but does support RC4 ciphers, use this string instead:
Cipher strings follow the OpenSSL cipher list format. For more information, see the OpenSSL Cipher list documentation. We strongly recommend that you change these settings only when instructed to do so by your system administrator, because a weaker string degrades the security of your client.
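To see what a cipher control string like the default above actually selects, and why an intermediate device that lacks every selected suite produces the algorithm mismatch described earlier, here is an added example (not VMware or Horizon Client code). It hands the string to Python's ssl module, which passes it to the OpenSSL build Python is linked against, so the expansion reflects that build. The two device cipher sets and the "EXPORT" string are constructed for the example; the Horizon Client's own parser is not involved.

```python
"""Expand and sanity-check OpenSSL cipher control strings.

Added example, not VMware's code. The ssl module hands the string to the
OpenSSL build Python is linked against, so the result shows what *that*
build can offer (modern builds compile out RC4 and export suites entirely).
The device cipher sets below are constructed for the example.
"""
import ssl


def _enabled_suites(spec):
    """Suites OpenSSL selects for `spec`, in client offer order.

    Returns [] when OpenSSL cannot select any TLS 1.2-or-earlier suite, which
    a client surfaces as a configuration error rather than a handshake
    failure. TLS 1.3 suites are reported by get_ciphers() regardless of the
    string and are not governed by it, so they are dropped here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:  # "No cipher can be selected."
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def expand_cipher_string(spec):
    """Suite names `spec` selects, e.g. ['ECDHE-RSA-AES256-GCM-SHA384', ...]."""
    return [c["name"] for c in _enabled_suites(spec)]


def anonymous_suites(names):
    """Suites with no server authentication, which `!aNULL` removes.

    OpenSSL names them ADH-* (anonymous DH) and AECDH-* (anonymous ECDH). A
    client offering them can be intercepted silently: no certificate is
    checked at all, so the self-signed-certificate check never fires.
    """
    return [n for n in names if n.startswith(("ADH-", "AECDH-"))]


def sorted_by_strength(spec):
    """True if `@STRENGTH` left the list ordered by descending key length."""
    bits = [c["strength_bits"] for c in _enabled_suites(spec)]
    return all(a >= b for a, b in zip(bits, bits[1:]))


def negotiable(spec, device_supported):
    """Suites both the client (per `spec`) and a device could agree on.

    An empty result is the situation behind a "Host client algorithm
    mismatch" error: the client offers only suites the intermediate device
    does not implement, so the handshake fails before any certificate is
    exchanged.
    """
    return [n for n in expand_cipher_string(spec) if n in device_supported]


# Default string the article quotes for the clients.
DEFAULT_SPEC = "AES:!aNULL:@STRENGTH"

# Constructed for this example: suites two hypothetical load balancers accept.
# The first mirrors the RC4-only device the article describes.
RC4_ONLY_DEVICE = frozenset({"RC4-SHA", "RC4-MD5"})
AES_CAPABLE_DEVICE = frozenset({
    "RC4-SHA",
    "AES128-SHA",
    "AES256-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
})


if __name__ == "__main__":
    names = expand_cipher_string(DEFAULT_SPEC)
    print(f"{DEFAULT_SPEC!r} selects {len(names)} suites, strongest first:")
    for n in names[:5]:
        print("  ", n)
    print("anonymous suites left in:", anonymous_suites(names))
    print("ordered by strength:", sorted_by_strength(DEFAULT_SPEC))
    for label, device in (("RC4-only", RC4_ONLY_DEVICE),
                          ("AES-capable", AES_CAPABLE_DEVICE)):
        common = negotiable(DEFAULT_SPEC, device)
        print(f"{label} device: {common or 'MISMATCH, no shared suite'}")
    # Suites this OpenSSL build no longer ships cannot be re-enabled by any
    # string: the result is [] rather than a weaker list.
    print("EXPORT:", expand_cipher_string("EXPORT"))
```

Two things the output makes concrete: the string only governs TLS 1.2 and earlier (TLS 1.3 suites are fixed by the library), and a fallback string that names suites the library was built without does not quietly weaken the client, it selects nothing and fails outright, which is why checking the expansion is worth doing before pasting a string into a client's Advanced SSL Options.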
After you update the intermediate device to be compatible with newer security protocol requirements—which is preferable to using lower-strength ciphers as the work-around—go back into the Horizon Client Settings and select Reset to Default Settings to switch back to the more secure defaults.
We take security seriously at VMware and will continue to update the Horizon Clients to provide the safest and most functional connections possible.