15 million HP Teradici PCoIP endpoints are affected by critical flaws.

April 12, 2022

HP is warning of new critical security vulnerabilities in the Teradici PCoIP client and agent for Windows, Linux, and macOS that impact 15 million endpoints.

According to the computer and software vendor, Teradici is affected by the recently disclosed OpenSSL certificate parsing flaw, which causes an infinite denial-of-service loop, and by several integer overflow vulnerabilities in Expat.


Teradici PCoIP (PC over IP) is a proprietary remote desktop protocol licensed to a number of virtualization product providers. It was bought by HP in 2021 and has since been utilized in HP's own products.


According to the official website, Teradici PCoIP products are deployed in 15,000,000 endpoints, supporting government agencies, military units, game development firms, broadcast corporations, news organizations, etc.


Critical integer overflow


HP has disclosed ten vulnerabilities in two advisories (1, 2), with three of them carrying critical severity (CVSS v3 score: 9.8), eight categorized as high-severity, and one medium. One of the most significant flaws fixed this time is CVE-2022-0778, a denial-of-service flaw in OpenSSL triggered by parsing a maliciously crafted certificate. The flaw results in a loop that renders the software unresponsive, and considering the mission-critical uses of the product, such an attack would be quite disruptive because users would no longer be able to remotely access devices.


Another critical set of fixed vulnerabilities is CVE-2022-22822, CVE-2022-22823, and CVE-2022-22824, all integer overflow and invalid shift problems in libexpat, potentially leading to uncontrolled resource consumption, elevation of privileges, and remote code execution.


The remaining five high-severity flaws are also integer overflows, tracked as CVE-2021-45960, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, and CVE-2021-46143.


The products affected by the above vulnerabilities include the PCoIP client, client SDK, Graphics Agent, and Standard Agent for Windows, Linux, and macOS.


To address all of the issues, users are urged to update to version 22.01.3 or later, which uses OpenSSL 1.1.1n and libexpat 2.4.7. 


HP released the security updates on April 4 and 5, 2022, so you are secure if you have already updated Teradici since then.
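As an added example (not code from the article, HP, or Teradici), the following Python check compares a host's PCoIP agent, bundled OpenSSL and bundled libexpat versions against the fixed versions named above. It handles OpenSSL's letter-suffix ordering (1.1.1m is older than 1.1.1n) and refuses to guess for an OpenSSL line other than 1.1.1; the host inventory is constructed.

```python
import re

# Fixed versions named in the advisory summary above.
FIXED_PCOIP, FIXED_OPENSSL, FIXED_EXPAT = "22.01.3", "1.1.1n", "2.4.7"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)")

def parse_version(text):
    """'22.01.3' -> ((22, 1, 3), ''); OpenSSL's '1.1.1n' -> ((1, 1, 1), 'n').
    Leading zeros are not significant, and a missing letter sorts before 'a',
    matching how OpenSSL orders 1.1.1 < 1.1.1a."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)

def at_least(installed, fixed):
    """True when `installed` is the same as or newer than `fixed` (plain ordering)."""
    return parse_version(installed) >= parse_version(fixed)

def openssl_fixed(installed):
    """OpenSSL letter releases only order within one numeric line (1.1.1x).
    Other lines (1.0.2, 3.0.x) have their own fixed versions for CVE-2022-0778,
    so for those return None ("consult that line's advisory") instead of guessing."""
    nums, letter = parse_version(installed)
    fixed_nums, fixed_letter = parse_version(FIXED_OPENSSL)
    if nums != fixed_nums:
        return None
    return letter >= fixed_letter

def assess(pcoip, openssl, expat):
    """Per-component verdict: True = fixed, False = vulnerable, None = undetermined."""
    return {
        "pcoip": at_least(pcoip, FIXED_PCOIP),
        "openssl": openssl_fixed(openssl),
        "expat": at_least(expat, FIXED_EXPAT),
    }

# Constructed inventory (not real hosts): hostname, PCoIP agent, bundled OpenSSL, bundled libexpat.
INVENTORY = [
    ("ws-01", "21.10.4", "1.1.1m", "2.4.1"),  # pre-fix on all three
    ("ws-02", "22.01.3", "1.1.1n", "2.4.7"),  # exactly the fixed release
    ("ws-03", "22.04.0", "1.1.1o", "2.4.8"),  # newer than the fix
    ("ws-04", "22.01.3", "3.0.1",  "2.4.7"),  # OpenSSL from another line: undetermined
]

def hosts_needing_attention(inventory=INVENTORY):
    """Hostnames where any component is vulnerable (False) or undetermined (None)."""
    return [h for h, p, o, e in inventory if not all(assess(p, o, e).values())]
```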


OpenSSL impact


The OpenSSL DoS vulnerability has a broad impact because the library is so widely deployed, so while this is not a flaw that leads to catastrophic attacks, it is still a significant problem.


Late last month, QNAP warned that most of its NAS devices are vulnerable to CVE-2022-0778 and urged its users to apply the security updates as soon as possible.


Source: BleepingComputer

