October 3rd, 2018 01:00

Security flaw within 8.5_017?

Hi,

We have seemingly discovered a flaw with the security of the version above. I'm able to freely access any user's desktop after lock by simply changing the resolution and allowing the Wyse device to disconnect the desktop, reconnect, then enter the user's password automatically. We would like to determine if this is a wnos.ini config issue, a genuine flaw, or a mix due to our environment.

  • XD 7.15 infrastructure
  • 7.6.3 VDA
  • Dual monitor setup throughout

Steps to re-create:

  • Lock Virtual Desktop
  • Go to WNOS GUI and enter System Setup > Display
  • Change both screens to the same lower or higher resolution > Test > Confirm with OK
  • The Wyse device will then disconnect and reconnect the desktop, automatically entering the user's password
  • The desktop can now be accessed

 

wnos.ini

autoload=1 VerifySignature=no
SecurityPolicy=low

AdminMode=yes Admin-Username=xxxx Admin-Password=xxxx
Privilege=None ShowDisplaySettings=Yes

AutoSignoff=yes Shutdown=yes
Shutdowncounter=0
ShutDown=turnoff
AddCertificate=xxx.pfx Password=xxx
SysMode=VDI

Language=Uk
Device=audio Volume=25 mic_vol=5

#Webcams
Device=vusb ForceRedirect=0x046d,0x0843,0xef,0x02,0x01 InterfaceRedirect=yes
Device=vusb ForceRedirect=0x046d,0x0825,0xef,0x02,0x01 InterfaceRedirect=yes

#Smartcards
SessionConfig=ALL Smartcards=yes

DeskColor="0 98 196"
Desktop=tc_splash.jpg Layout=Stretch
Dualhead=yes ManualOverride=yes MonitorAutoDetect=yes
Screensaver=0 LockTerminal=no Type=0

Timeserver=xxx.xxx.xxx.xxx Timeformat="24-hour format" Dateformat=dd/mm/yyyy
; If you are using an older version of WTOS code please use:
; TimeZone= 'GMT' ManualOverride=yes Daylight=yes Start=030507 End=100507 TimeZoneName=GMT DayLightName=GMT

TimeZone='Greenwich Mean Time' ManualOverride=yes Daylight=yes Start=030507 End=100507 TimeZoneName="GMT Standard Time" DayLightName="GMT Daylight Time"

Device=Ethernet Speed="Auto"
; If you are using a version of WTOS code < 7.1_133 please use:
; RapportDisable= instead of WDMService=
WDMService=Yes DNSLookup=yes
SignOn=Yes
DisableDomain=yes
DomainList="xxx"

IEEE8021X=yes network=wired

SessionConfig=ALL DisableSound=No Fullscreen=yes
UniSession=yes

PnliteServer=http://xxx/Citrix/xxx/PNAgent/config.xml Storefront=yes ReconnectAtLogon=2 ReconnectFromButton=0
SessionConfig=ICA DesktopMode=Fullscreen SessionReliability=yes WarnPopup=yes OnDesktop=desktops AudioQuality=High USBRedirection=HDX

;*************************************************************
;* TARGETS *
;*************************************************************
;Place individual settings files in the ..\inc directory

Include=$MAC.ini

Moderator


October 3rd, 2018 05:00

Some thoughts on this.

  1. I would definitely recommend you get a support ticket open to get an official response.
  2. I think the key to this is the following:
    1. PnliteServer=http://xxx/Citrix/xxx/PNAgent/config.xml Storefront=yes ReconnectAtLogon=2 ReconnectFromButton=0
    2. With ReconnectAtLogon=2, the device will autoconnect to any active and disconnected sessions when the device logs on.
    3. Since it appears you are not logging off of the user's session prior to changing the display settings, when the settings are set a re-auth is sent to Storefront, which reconnects applications.
  3. Try this:
    1. Log off the session in ThinOS prior to changing display settings.
      1. Does it auto connect to the user's desktop?
    2. Change the INI to ReconnectAtLogon=0.
      1. Reboot the endpoint.
      2. Log in, repeat your test while staying logged in, and see if it autoconnects.
      3. My gut tells me it still will, because technically you are still logged into the thin client, and when you change display settings the Receiver client sends the updated endpoint display settings to Storefront (but I could also see that it does not autoconnect).

Thanks
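As an added illustration (not part of the thread), the following Python script parses a ThinOS wnos.ini in the space-separated, quote-aware key=value form shown above and flags the ReconnectAtLogon=2 statement the moderator identifies, offering the ReconnectAtLogon=0 variant they suggest testing. The SAMPLE_INI is a constructed excerpt of the posted file with its placeholders kept; the ThinOS semantics it reports are the moderator's, not independently verified here.

```python
"""Audit a ThinOS wnos.ini for ReconnectAtLogon=2 (added example, not from the thread)."""
import re
import shlex

# Constructed excerpt modelled on the wnos.ini posted above (placeholders kept).
SAMPLE_INI = """\
autoload=1 VerifySignature=no
Screensaver=0 LockTerminal=no Type=0
Timeserver=xxx.xxx.xxx.xxx Timeformat="24-hour format" Dateformat=dd/mm/yyyy
; older WTOS builds: RapportDisable= instead of WDMService=
PnliteServer=http://xxx/Citrix/xxx/PNAgent/config.xml Storefront=yes ReconnectAtLogon=2 ReconnectFromButton=0
SessionConfig=ICA DesktopMode=Fullscreen SessionReliability=yes
Include=$MAC.ini
"""

def parse_wnos_ini(text):
    """Return [(line_no, {key: value}), ...], one entry per statement line.

    A ThinOS INI line carries several key=value pairs separated by spaces; values
    may be single- or double-quoted and contain spaces. Lines starting with ';'
    or '#' are comments. Keys are case-insensitive, so they are lower-cased.
    """
    statements = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        params = {}
        for token in shlex.split(line):  # quote-aware split, quotes removed
            key, sep, value = token.partition("=")
            params[key.lower()] = value if sep else ""
        statements.append((line_no, params))
    return statements

def audit_reconnect(text):
    """List the lines where ReconnectAtLogon=2 is set, with the thread's reasoning."""
    return [
        {"line": line_no,
         "why": "device reconnects to active and disconnected sessions at "
                "ThinOS logon, including after a display-settings change",
         "try": "ReconnectAtLogon=0 (the moderator's suggested test)"}
        for line_no, params in parse_wnos_ini(text)
        if params.get("reconnectatlogon") == "2"
    ]

def harden(text):
    """Rewrite ReconnectAtLogon=2 to =0, leaving every other token untouched."""
    return re.sub(r"(?i)\bReconnectAtLogon=2\b", "ReconnectAtLogon=0", text)
```

Running `audit_reconnect(SAMPLE_INI)` reports the PnliteServer line, and `harden(SAMPLE_INI)` yields the same file with only that value changed, which is the variant the moderator proposes testing.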
