Unauthenticated User can take control of PCoIP Management Console by resetting the default password

Advisory Information

  • Advisory ID: TERA-SA-000051
  • CVE Numbers and Scores:
  • Published: 27 March 2020
  • Last Updated: 27 March 2020
  • Download PDF

Summary

Teradici PCoIP Management Console versions 20.01.0 and 19.11.1 are vulnerable to unauthenticated password resets of the default admin account. This vulnerability only exists when the default admin account is not disabled.

The affected Management Console releases allow unauthenticated user access to the Management Console /login/resetadminpassword URL. From here, unauthenticated users can reset the admin password on the Management Console, and can take control of PCoIP Zero Clients and PCoIP Remote Workstation Cards managed by it.


Affected Products

  • PCoIP Management Console version 20.01.0
  • PCoIP Management Console version 19.11.1

Solutions and Mitigations

Available Updates

Teradici released PCoIP Management Console 20.01.1 and 19.11.2 on March 5th to address this vulnerability and notified all customers of the Management Console.

Workarounds and Mitigation

Customers using Management Console 20.01.0 were advised to do a mandatory upgrade to 20.01.1 or disable the default admin user as explained in "Changing the PCoIP Management Console Web Interface Default Password" section of the Management Console Administrators Guide.

Similarly, customers using Management Console 19.11.1 were advised to do a mandatory upgrade to 19.11.2 or disable the default admin user as explained in "Changing the PCoIP Management Console Web Interface Default Password" section of the Management Console Administrators Guide.

For more information, please refer to Management Console 20.01.1 Release Notes or 19.11.2 Release Notes.

Vulnerability Details

Acknowledgements

We would like to thank Benjamin Heald for finding and reporting this vulnerability.

CVE-2020-10965

Teradici PCoIP Management Console 20.01.0 and 19.11.1 is vulnerable to unauthenticated password resets via login/resetadminpassword of the default admin account. This vulnerability only exists when the default admin account is not disabled. It is fixed in 20.01.1 and 19.11.2.

Remark

Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.


Additional Resources


Revision History

27 March 2020: Initial Publication


Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. TERADICI RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.