HP has issued a warning about critical vulnerabilities patched in the Teradici PCoIP (PC over IP) client and agent for Windows, Linux and macOS that could endanger a total of 15,000,000 endpoints.
Teradici PCoIP is a proprietary remote desktop protocol licensed by many virtualization vendors. HP acquired it in 2021 and is now using it in its own products.
According to official statistics, Teradici PCoIP products have been deployed to more than 15,000,000 endpoints, including government agencies, military units, game development firms, broadcast corporations, news organizations, and so on.
The manufacturer reports that Teradici is primarily affected by a recently discovered certificate-parsing issue in OpenSSL, CVE-2022-0778, which can lead to a denial of service, as well as by multiple integer overflow problems in Expat.
One of the most significant issues is the already mentioned CVE-2022-0778 related to a denial of service in OpenSSL. Other critical bugs, CVE-2022-22822, CVE-2022-22823, and CVE-2022-22824, also fall into the category of integer overflow and invalid shift in libexpat, potentially leading to uncontrolled resource consumption, privilege escalation, and remote arbitrary code execution.
Five other high-severity vulnerabilities also involve integer overflow, and are tracked as CVE-2021-45960, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, and CVE-2021-46143.
All of these issues pose a risk to the PCoIP client, client SDK, Graphics Agent, and Standard Agent for Windows, Linux, and macOS. To fix them, users are strongly advised to upgrade to version 22.01.3 or later, which already uses the patched OpenSSL 1.1.1n and libexpat 2.4.7.
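As an added example (not code from HP, Teradici, or the original article), the following script checks an endpoint inventory against the fixed versions named above. The inventory layout, host names, and sample versions are assumptions constructed for illustration.

```python
import re

# Fixed versions named in the article.
FIXED = {"pcoip": "22.01.3", "openssl": "1.1.1n", "libexpat": "2.4.7"}

def version_key(version):
    """Turn '22.01.3' or '1.1.1n' into a sortable tuple.

    Numeric parts compare as integers (so 22.01.10 > 22.01.3, which a plain
    string comparison gets wrong). OpenSSL 1.1.1 letter suffixes compare by
    length first, then alphabetically (1.1.1 < 1.1.1m < 1.1.1n).
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    suffix = m.group(2)
    return numbers, len(suffix), suffix

# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    {"host": "ws-001", "pcoip": "22.01.3", "openssl": "1.1.1n", "libexpat": "2.4.7"},
    {"host": "ws-002", "pcoip": "22.01.2", "openssl": "1.1.1m", "libexpat": "2.4.4"},
    {"host": "ws-003", "pcoip": "22.01.10", "openssl": "1.1.1n", "libexpat": "2.4.7"},
    {"host": "ws-004", "pcoip": "21.07.0", "openssl": "unknown", "libexpat": "2.4.1"},
]

def triage(inventory):
    """Return (host, component, version, action) for every non-compliant entry."""
    findings = []
    for row in inventory:
        for component, fixed in FIXED.items():
            found = row.get(component, "")
            try:
                patched = version_key(found) >= version_key(fixed)
            except ValueError:
                # Missing or unparsable version: needs a manual check.
                findings.append((row["host"], component, found, "review"))
                continue
            if not patched:
                findings.append((row["host"], component, found, "upgrade"))
    return findings

if __name__ == "__main__":
    for host, component, found, action in triage(INVENTORY):
        print(f"{host}: {component} {found or '<missing>'} -> {action}")
```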
Let me remind you that we also wrote that RCE vulnerabilities threaten many HP printer models, and that HP fixed a critical potential worm vulnerability in 150 printer models.