March 25, 2011

Unidesk ReportingService Forceful Browsing Vulnerability

1. Summary:

Unidesk management appliance is prone to a forceful browsing vulnerability that allows an attacker access to administrator resources.

2. Description:

The "ReportingService" of the web services does not check for session credentials to access reports about the Virtual Desktop Infrastructure environment.

These reports provides information such as:
  • Applications installed
  • CachePoint appliance information
  • Desktop names
  • Domain usernames
  • Operating systems installed

An attacker may gain access to the reports by directly pointing to the following URL:


3. Impact:

This issue can be exploited to access sensitive information that may lead to further attacks.

4. Affected Products:

Unidesk Management Console version 1.3 and prior.

5. Solution:  Apply the latest supplied vendor patches.

6. Time Table:

3/17/2011 Reported Vulnerability to the Vendor
3/25/2011 Vendor Acknowledge Vulnerability, fix will be addressed in the 1.4 release

7. Credits:

Discovered by Nathan Power