The Benefits of Infrastructure as Code for Adversary Simulation
Check out our Senior Red Consultant’s talk at the recent CRESTCon Australia 2021, on the ‘The benefits of Infrastructure as Code for Adversary Simulation’.
Privasec RED
CVE-2020-3977: VMware Horizon DaaS Broken Authentication (MFA Bypass)
Not long ago, I assisted a client of ours with a penetration test of their VMware Horizon remote access solution and discovered a vulnerability affecting how it handles Multi-Factor Authentication (MFA). As a result, with a compromised user account password, I could gain access to the organisations internal network from the internet, bypassing the MFA requirement. In this blog, I’ll provide a high-level summary and explain how I identified and exploited the vulnerability.