HP is warning of new critical security vulnerabilities in the Teradici PCoIP client and agent for Windows, Linux, and macOS that impact 15 million endpoints.
The computer and software vendor has found that Teradici is affected by the recently disclosed OpenSSL certificate parsing bug that causes an infinite denial of service loop and multiple integer overflow vulnerabilities in Expat.
Teradici PCoIP (PC over IP) is a proprietary remote desktop protocol licensed to many virtualization product vendors, acquired by HP in 2021, and used on its own products since then.
According to the official website, Teradici PCoIP products are deployed in 15,000,000 endpoints, supporting government agencies, military units, game development firms, broadcast corporations, news organizations, etc.
Critical integer overflow
HP has disclosed ten vulnerabilities in two advisories (1, 2), with three of them carrying critical severity (CVSS v3 score: 9.8), eight categorized as high-severity, and one medium.
One of the most significant flaws fixed this time is CVE-2022-0778, a denial of service flaw in OpenSSL triggered by parsing a maliciously crafted certificate.
The flaw will result in a loop that renders the software non-responsive, but considering the critical mission applications of the product, such an attack would be quite disruptive as users will no longer be able to remotely access devices.
Another critical set of fixed vulnerabilities is CVE-2022-22822, CVE-2022-22823, and CVE-2022-22824, all integer overflow and invalid shift problems in libexpat, potentially leading to uncontrollable resource consumption, elevation of privileges, and remote code execution.
The remaining five high-severity are also integer overflow flaws, tracked as CVE-2021-45960, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, and CVE-2021-46143.
The products affected by the above vulnerabilities include the PCoIP client, client SDK, Graphics Agent, and Standard Agent for Windows, Linux, and macOS.
To address all of the issues, users are urged to update to version 22.01.3 or later, which uses OpenSSL 1.1.1n and libexpat 2.4.7.
HP released the security updates on April 4 and 5, 2022, so you are secure if you have already updated Teradici since then.
OpenSSL impact
The impact of the OpenSSL DoS vulnerability is widespread due to its widespread deployment, so while this is not a flaw that leads to catastrophic attacks, it’s still a significant problem.
Late last month, QNAP warned that most of its NAS devices are vulnerable to CVE-2022-0778 and urged its users to apply the security updates as soon as possible.
Last week, Palo Alto Networks warned its VPN, XDR, and firewall product customers of the same, offering security updates and mitigations.
Source: https://www.bleepingcomputer.com/news/security/critical-hp-teradici-pcoip-flaws-impact-15-million-endpoints/