Named Pipe vulnerability in PCoIP Agents for Windows

Advisory Information

  • Advisory ID: TERA-SA-000055
  • CVE Numbers and Scores:
  • Published: 28 May 2020
  • Last Updated: 28 May 2020
  • Download PDF

Summary

A security vulnerability in the exchange of information through Windows Named Pipes has been discovered in PCoIP Standard Agent for Windows and PCoIP Graphics Agent for Windows, versions 19.11.1 and earlier.

When affected versions of a PCoIP Agent for Windows are running, a named pipe is created by the PCoIP Agent. An attacker could pre-install an application which acquires that named pipe prior to the initialization of the pcoip_credential_provider. This would allow the interception of sensitive information. Additionally, if the user account had windows impersonation enabled, then the attacker could elevate privilege to execute as Windows System.


Affected Products

  • PCoIP Agent (Standard or Graphics) for Windows 19.11.1 and earlier
  • PCoIP Agent (Standard or Graphics) for Windows 2.7.8 and earlier

Solutions and Mitigations

Available Updates

Update the PCoIP Agent for Windows to 19.11.2 (or later) or the 2.7.9 patch.

Workarounds and Mitigation

There are no workarounds that address this vulnerability. To mitigate the vulnerability, update the PCoIP Agent for Windows to 19.11.2 (or later) or the 2.7.9 patch.

Vulnerability Details

CVE-2020-13173

Initialization of the pcoip_credential_provider in Teradici PCoIP Standard Agent for Windows and PCoIP Graphics Agent for Windows versions 19.11.1 and earlier creates an insecure named pipe, which allows an attacker to intercept sensitive information or possibly elevate privileges via pre-installing an application which acquires that named pipe.

Remark

Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.


Additional Resources


Revision History

28 May 2020: Initial Publication


Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. TERADICI RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.