When a user authenticates with Teradici PCoIP Connection Manager and Security Gateway versions 20.07 prior to 20.07.1 or 21.01 prior to 21.01.3 using a smart card, their smart card's certificate and PIN will be logged in the application INFO logs.
Customers who are unable to update to a patched version are encouraged to configure the log level on their Teradici PCoIP Connection Manager and Security Gateways to WARN.
Open /etc/ConnectionManager.conf in your favourite text editor.
LogLevel = WARN
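The workaround above can be checked and applied with a script. The following is an added example, not Teradici's own tooling. It assumes the file holds "key = value" lines, that "#" starts a comment, and that the last active LogLevel line wins; the function names are hypothetical. A file with no active LogLevel line is treated as unmitigated, since the advisory describes INFO as the default.

```shell
# Added example, not Teradici code. Assumed file syntax: key = value lines,
# '#' comments, last active LogLevel line wins (not stated in the advisory).
CM_CONF_DEFAULT=/etc/ConnectionManager.conf

# Print the effective LogLevel in upper case, or UNSET if no active line sets it.
cm_loglevel() {
    awk -F= '
        /^[ \t]*#/ { next }                       # ignore commented-out lines
        $1 ~ /^[ \t]*LogLevel[ \t]*$/ {
            v = $2; gsub(/[ \t\r]/, "", v); level = toupper(v)
        }
        END { print (level == "" ? "UNSET" : level) }
    ' "${1:-$CM_CONF_DEFAULT}"
}

# Return 0 if the file already applies the workaround, 1 otherwise.
cm_is_mitigated() {
    [ "$(cm_loglevel "$1")" = "WARN" ]
}

# Leave exactly one active LogLevel line, set to WARN. Every other line is
# kept, the original is saved as <file>.bak, and the file is rewritten in
# place so its owner and mode are unchanged.
cm_set_warn() {
    conf="${1:-$CM_CONF_DEFAULT}"
    cm_is_mitigated "$conf" && return 0           # already WARN: nothing to do
    cp -p "$conf" "$conf.bak" || return 1
    tmp="$conf.tmp.$$"
    awk -F= '
        /^[ \t]*#/ { print; next }                # keep comments untouched
        $1 ~ /^[ \t]*LogLevel[ \t]*$/ { next }    # drop every old setting
        { print }
        END { print "LogLevel = WARN" }
    ' "$conf.bak" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
    cm_is_mitigated "$conf"                       # verify the result
}
```

Called with no argument, both functions act on /etc/ConnectionManager.conf. The advisory does not say whether the services must be restarted for the new level to take effect, so confirm that in the product documentation.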
Customers who used smart card authentication with a vulnerable Teradici PCoIP Connection Manager and Security Gateway are advised to review any logs that are stored on the system, logging systems, backups, etc. to ensure that no sensitive data is being stored in a way that does not comply with their organization's policies.
Sensitive smart card data is logged in default INFO logs by Teradici's PCoIP Connection Manager and Security Gateway prior to version 21.01.3.
Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.
16 April 2021: Initial Publication
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. TERADICI RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.