Greetings from the VMware Security Response Center !

Today VMware has released the following new security advisory:

VMSA-2017-0002 – Horizon DaaS update addresses an insecure data validation issue”

The advisory documents a moderate severity insecure data validation issue (CVE-2017-4897) in VMware Horizon DaaS. All 6.1.x versions are affected.

This vulnerability can be exploited by tricking DaaS client users into connecting to a malicious server and sharing all their drives and devices. Horizon DaaS 7.0.0 carries a fix for this issue.

VMware would like to thank Ahmad Ashraff of Aura Information Security for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.