Sensitive smart card data is logged by Teradici's PCoIP Connection Manager and Security Gateway

Advisory Information

  • Advisory ID: TERA-SA-000077
  • CVE Numbers and Scores:
  • Published: 16 April 2021
  • Last Updated: 16 April 2021

Summary

When a user authenticates with Teradici PCoIP Connection Manager and Security Gateway versions 20.07 prior to 20.07.1 or 21.01 prior to 21.01.3 using a smart card, their smart card's certificate and PIN will be logged in the application INFO logs.


Affected Products

  • Teradici PCoIP Connection Manager and Security Gateway 21.01 prior to 21.01.3
  • Teradici PCoIP Connection Manager and Security Gateway 20.07 prior to 20.07.1

Solutions and Mitigations

Available Updates

Workarounds and Mitigations

Customers who are unable to update to a patched version are encouraged to configure the log level on their Teradici PCoIP Connection Manager and Security Gateways to WARN.

  1. Edit /etc/ConnectionManager.conf in your favourite text editor.
  2. Change the LogLevel setting so that the line reads: LogLevel = WARN
  3. Restart the Teradici PCoIP Connection Manager and Security Gateway services for the changes to take effect.
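
To confirm the workaround is in place on each gateway, the check below reads the file from step 1 and reports the effective LogLevel. It is an added example, not Teradici code. The '#' comment syntax, case-insensitive key matching, "last LogLevel line wins" rule and the script name check_loglevel.sh are assumptions, not taken from the advisory.

```shell
#!/bin/sh
# Added example: audit the LogLevel workaround described in the advisory.
# Assumptions (not from the advisory): '#' starts a comment, the key is
# matched case-insensitively, and the last LogLevel line in the file wins.

CONF_DEFAULT=/etc/ConnectionManager.conf   # path given in the advisory

# Print the effective LogLevel value in upper case, or nothing if unset.
effective_loglevel() {
    awk '
        { sub(/#.*/, "") }                      # drop comments (assumed syntax)
        tolower($0) ~ /^[ \t]*loglevel[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)         # keep the text after "="
            sub(/[ \t\r]+$/, "", v)             # trim trailing blanks and CR
            level = toupper(v)
        }
        END { if (level != "") print level }
    ' "$1"
}

# Classify a config file: mitigated | unset | review:<LEVEL> | missing
loglevel_status() {
    conf=${1:-$CONF_DEFAULT}
    [ -r "$conf" ] || { echo "missing"; return 2; }
    level=$(effective_loglevel "$conf")
    case $level in
        WARN) echo "mitigated"; return 0 ;;     # value the advisory recommends
        "")   echo "unset"; return 1 ;;         # advisory: default logs are INFO
        *)    echo "review:$level"; return 1 ;; # any other value needs a human look
    esac
}

# Stand-alone run (hypothetical script name): check $1 or the default path.
if [ "${0##*/}" = "check_loglevel.sh" ]; then
    loglevel_status "$@"
fi
```

A result of "mitigated" only reflects the file contents; the setting takes effect once the services have been restarted as in step 3.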

Customers who used smart card authentication with a vulnerable Teradici PCoIP Connection Manager and Security Gateway are advised to review any logs that are stored on the system, logging systems, backups, etc. to ensure that no sensitive data is being stored in a way that does not comply with their organization's policies.

Vulnerability Details

CVE-2021-25692

Sensitive smart card data is logged in default INFO logs by Teradici's PCoIP Connection Manager and Security Gateway prior to version 21.01.3.

Remark

Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.


Additional Resources


Revision History

16 April 2021: Initial Publication


Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. TERADICI RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.