HP has warned of critical vulnerabilities in the Teradici PCoIP client for Windows, Linux and macOS, a product family that the vendor says is deployed on 15 million endpoints. The flaws are not in Teradici's own code: the client bundles a version of OpenSSL whose certificate parser can be driven into an infinite loop (a denial of service), and a version of libexpat (Expat) with several integer overflow bugs.
Teradici PCoIP is a proprietary remote desktop protocol licensed to many virtualization product vendors; HP acquired Teradici in 2021 and has used the technology in its own products since. According to the official website, PCoIP products are deployed on 15 million endpoints, including at government agencies, military units, game studios, broadcasters and news organizations.
HP's advisory lists ten vulnerabilities, three of which are rated critical with a CVSS score of 9.8.
The most widely discussed of them is the denial-of-service bug in OpenSSL (CVE-2022-0778): the BN_mod_sqrt() routine used while parsing a certificate loops forever when the certificate carries crafted elliptic-curve parameters. Because the parsing happens before any signature check, the certificate does not need to be validly signed; any code path that parses an untrusted certificate, such as a TLS handshake in which the peer presents one, hangs, and the client stops responding.
The three integer overflow vulnerabilities (CVE-2022-22822, CVE-2022-22823 and CVE-2022-22824) are in libexpat before 2.4.3 and are the three CVSS 9.8 issues. Size calculations in the parser can overflow on attacker-supplied XML and, according to HP's advisory, can lead to uncontrolled resource consumption, privilege escalation and remote code execution.
Users are strongly advised to upgrade to version 22.01.3 or later, which ships OpenSSL 1.1.1n and libexpat 2.4.7. Since the fixed libraries come with the client update, patching the operating system's own OpenSSL and Expat packages does not help; the installed client version is what has to be checked.
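As an added example (not HP's or Teradici's code), the following Python script checks reported component versions against the fixed versions named above. The thresholds for the client (22.01.3), OpenSSL 1.1.1 (1.1.1n) and libexpat (2.4.7) are taken from the advisory text on this page; the OpenSSL 3.0 threshold (3.0.2) is from the upstream OpenSSL advisory for CVE-2022-0778 and is an addition here. The function and variable names are the example's own, and the sample version strings at the bottom are constructed. The point it shows beyond the text is that OpenSSL 1.x patch letters ('1.1.1k' vs '1.1.1n') have to be ordered as numbers, and that a branch the check does not know about (for example 1.0.2) should be reported as unknown rather than silently passed.

```python
"""Check component versions against the fixed versions in HP's Teradici PCoIP advisory.

Thresholds from the advisory on this page:
  - PCoIP client  >= 22.01.3
  - OpenSSL       >= 1.1.1n   (CVE-2022-0778)
  - libexpat      >= 2.4.7    (CVE-2022-22822/22823/22824)
Added here, from the upstream OpenSSL advisory (not from this page):
  - OpenSSL 3.0 branch >= 3.0.2
"""
import re
import ssl

FIXED_CLIENT = (22, 1, 3)
FIXED_EXPAT = (2, 4, 7)
# OpenSSL 1.x branches are keyed by (major, minor, fix); the patch letter
# is stored as a number, so 'n' is 14.  Branches not listed here are
# reported as unknown (None), never as fixed.
FIXED_OPENSSL_1X = {(1, 1, 1): (1, 1, 1, 14)}
FIXED_OPENSSL_3 = (3, 0, 2, 0)


def parse_dotted(version):
    """'22.01.3' -> (22, 1, 3).  Leading zeros are not significant."""
    return tuple(int(part) for part in version.strip().split("."))


def parse_openssl(version):
    """Parse an OpenSSL version string into a comparable tuple.

    Accepts bare versions ('1.1.1n', '3.0.2') and the form reported by
    ssl.OPENSSL_VERSION ('OpenSSL 1.1.1n  15 Mar 2022').  The 1.x patch
    letter becomes a number: '' -> 0, 'a' -> 1, ..., 'n' -> 14.
    LibreSSL uses a different numbering and is rejected.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if "LibreSSL" in version or not match:
        raise ValueError("not an OpenSSL version string: %r" % version)
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    letter = match.group(4)
    return (major, minor, patch, ord(letter) - ord("a") + 1 if letter else 0)


def openssl_fixed_for_cve_2022_0778(version):
    """True if fixed, False if vulnerable, None if the branch is not covered."""
    parsed = parse_openssl(version)
    if parsed[0] >= 3:
        # 3.0.2 fixed it; every later 3.x release is newer than that.
        return parsed >= FIXED_OPENSSL_3
    fixed = FIXED_OPENSSL_1X.get(parsed[:3])
    if fixed is None:
        return None  # e.g. 1.0.2: not covered by this table, do not guess
    return parsed >= fixed


def assess(client_version, openssl_version, expat_version):
    """Return a dict of component -> True (fixed) / False (vulnerable) / None (unknown)."""
    return {
        "pcoip_client": parse_dotted(client_version) >= FIXED_CLIENT,
        "openssl": openssl_fixed_for_cve_2022_0778(openssl_version),
        "libexpat": parse_dotted(expat_version) >= FIXED_EXPAT,
    }


if __name__ == "__main__":
    # Constructed sample inputs: an old client, then the patched one.
    print(assess("22.01.2", "1.1.1k", "2.4.3"))
    print(assess("22.01.3", "OpenSSL 1.1.1n  15 Mar 2022", "2.4.7"))
    # The interpreter's own OpenSSL, for comparison (client version assumed).
    print("host OpenSSL:", ssl.OPENSSL_VERSION,
          "fixed:", openssl_fixed_for_cve_2022_0778(ssl.OPENSSL_VERSION))
```

The version strings for the PCoIP client and its bundled libraries have to be taken from the client itself (its about dialog or package metadata), not from the operating system, because the advisory's fix is the client update; the host OpenSSL line in the script is only there to show the parser on a real string.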