March 25, 2011

Unidesk ReportingService Forceful Browsing Vulnerability



1. Summary:

Unidesk management appliance is prone to a forceful browsing vulnerability that allows an attacker access to administrator resources.




2. Description:

The "ReportingService" of the web services does not check for session credentials to access reports about the Virtual Desktop Infrastructure environment.

These reports provides information such as:
  • Applications installed
  • CachePoint appliance information
  • Desktop names
  • Domain usernames
  • Operating systems installed

An attacker may gain access to the reports by directly pointing to the following URL:

/Uni.Web/Reporting/Default.aspx


3. Impact:

This issue can be exploited to access sensitive information that may lead to further attacks.


4. Affected Products:

Unidesk Management Console version 1.3 and prior.


5. Solution:  Apply the latest supplied vendor patches.


6. Time Table:

3/17/2011 Reported Vulnerability to the Vendor
3/25/2011 Vendor Acknowledge Vulnerability, fix will be addressed in the 1.4 release


7. Credits:

Discovered by Nathan Power
www.securitypentest.com