Teradici PCoIP for Windows, Linux, and macOS clients and agents has been found to have a new set of critical security flaws that affect 15 million endpoints.
According to the computer and software vendor, the recently disclosed OpenSSL certificate-parsing bug sends Teradici into an infinite loop (a denial of service), and the bundled Expat library carries multiple integer overflow vulnerabilities.
Teradici PCoIP (PC over IP) had been licensed to many virtualization product vendors before HP purchased it in 2021 and began using it in its own products.
According to the Teradici website, 15,000,000 endpoints use Teradici PCoIP products, including government and military agencies, game developers, and news and broadcast companies.
Critical integer overflow
In two advisories, HP has revealed ten vulnerabilities, three of which are critical (CVSS v3 score: 9.8), eight of which are high-severity, and one medium-severity.
CVE-2022-0778, a denial-of-service flaw in OpenSSL caused by parsing a maliciously crafted certificate, is one of the most significant issues fixed this time.
Because the product is used in mission-critical applications, exploitation of this flaw would be extremely disruptive: users would no longer be able to remotely access their devices.
CVE-2022-22822, CVE-2022-22823, and CVE-2022-22824, all integer overflow and invalid shift problems in libexpat, have also been addressed; if exploited, they could lead to uncontrolled resource consumption, elevation of privilege, and remote code execution.
Five other critical vulnerabilities have also been identified, including CVE-2021-45960, CVE-2022-22825, and CVE-2022-22826; these are all integer overflow flaws of high severity.
The PCoIP client, client SDK, Graphics Agent, and Standard Agent for Windows, Linux, and macOS are all affected by the above vulnerabilities.
Update to version 22.01.3 or later, which includes OpenSSL 1.1.1n and libexpat 2.4.7, to fix all of the problems.
You are safe if you have already updated Teradici since HP released the security updates on April 4 and 5, 2022.
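As an added example (not Teradici's or HP's code), the following Python checks a fleet inventory against the fixed versions named above: PCoIP 22.01.3, OpenSSL 1.1.1n and libexpat 2.4.7. The host names and version strings are constructed. OpenSSL 1.x versions carry a trailing patch letter, so a plain numeric comparison would miss the difference between 1.1.1k and 1.1.1n; the letter is ranked explicitly, and because the article names only the 1.1.1 line, any other OpenSSL branch is flagged for manual review rather than assumed fixed.

```python
"""Check PCoIP hosts against the fixed versions from HP's advisories.

Added example, not vendor code. All host names and version strings
below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Fixed versions named in the advisories (from the article).
FIXED_PCOIP = (22, 1, 3)
FIXED_OPENSSL_111 = "1.1.1n"
FIXED_EXPAT = (2, 4, 7)


def parse_numeric(version: str) -> tuple:
    """'22.01.3' -> (22, 1, 3). Leading zeros drop, so '22.01.3' == '22.1.3'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g) for g in m.groups())


def openssl_rank(version: str) -> tuple:
    """OpenSSL 1.x uses a trailing patch letter ('1.1.1n').

    Rank the letter as a number so 'n' (14) sorts above 'k' (11);
    a missing letter ranks 0, below 'a'.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter = m.groups()
    rank = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), rank)


@dataclass
class Finding:
    component: str
    installed: str
    required: str
    fixed: bool


def check_install(pcoip: str, openssl: str, expat: str) -> list:
    """Return one Finding per component; fixed=False means an update is needed."""
    findings = [
        Finding("PCoIP", pcoip, "22.01.3", parse_numeric(pcoip) >= FIXED_PCOIP),
        Finding("libexpat", expat, "2.4.7", parse_numeric(expat) >= FIXED_EXPAT),
    ]
    ossl = openssl_rank(openssl)
    if ossl[:3] == (1, 1, 1):
        ok = ossl >= openssl_rank(FIXED_OPENSSL_111)
    else:
        # Other OpenSSL branches have their own fix releases; the article
        # names only 1.1.1n, so anything else is flagged for manual review.
        ok = False
    findings.append(Finding("OpenSSL", openssl, FIXED_OPENSSL_111, ok))
    return findings


def needs_update(findings: list) -> list:
    """Names of the components that are still below the fixed version."""
    return [f.component for f in findings if not f.fixed]


if __name__ == "__main__":
    # Constructed sample inventory: (host, PCoIP, OpenSSL, libexpat).
    inventory = [
        ("vdi-01", "22.01.3", "1.1.1n", "2.4.7"),
        ("vdi-02", "21.10.4", "1.1.1k", "2.4.1"),
    ]
    for host, pcoip, ossl, expat in inventory:
        pending = needs_update(check_install(pcoip, ossl, expat))
        status = "OK" if not pending else "UPDATE " + ", ".join(pending)
        print(f"{host}: {status}")
```

The `Finding` records are kept rather than collapsed to a boolean so the output can say which component on a host is behind, which is what a patch ticket needs.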
OpenSSL impact
Because of the widespread use of OpenSSL, its denial-of-service vulnerability has a significant impact, even if it doesn't lead to catastrophic attacks.
QNAP issued a warning last month that most of its NAS devices were vulnerable to CVE-2022-0778 and urged its customers to apply the security updates as soon as possible.
Earlier this week, Palo Alto Networks issued a warning to its VPN, XDR, and firewall customers about the same, offering security updates and mitigations.