CVE-2020-13173
📋 TL;DR
This vulnerability allows attackers to intercept sensitive information or potentially elevate privileges by exploiting an insecure named pipe created during initialization of the Teradici PCoIP credential provider. It affects Teradici PCoIP Standard Agent for Windows and PCoIP Graphics Agent for Windows. An attacker who can pre-install an application on the host can acquire the named pipe before the legitimate process does.
💻 Affected Systems
- Teradici PCoIP Standard Agent for Windows
- Teradici PCoIP Graphics Agent for Windows
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through privilege escalation, credential theft, and complete interception of PCoIP session data including authentication credentials.
Likely Case
Interception of sensitive session data, credential harvesting, and potential lateral movement within the network.
If Mitigated
Limited impact with proper network segmentation, least privilege principles, and monitoring for unauthorized named pipe creation.
🎯 Exploit Status
Exploitation requires the ability to pre-install a malicious application before the legitimate process starts. Local access or deployment capability is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 19.11.2 and later
Vendor Advisory: https://advisory.teradici.com/security-advisories/55/
Restart Required: Yes
Instructions:
1. Download latest version from Teradici website.
2. Uninstall current version.
3. Install updated version.
4. Restart system.
🔧 Temporary Workarounds
Disable PCoIP Credential Provider
Windows: Temporarily disable the vulnerable component if not required
sc stop "PCoIP Credential Provider"
sc config "PCoIP Credential Provider" start= disabled
Restrict Named Pipe Permissions
Windows: Set stricter ACLs on the named pipe to prevent unauthorized access
icacls "\\.\pipe\pcoip_credential_provider" /inheritance:r /grant:r "SYSTEM:(F)" /grant:r "Administrators:(F)"
🧯 If You Can't Patch
- Implement strict application whitelisting to prevent unauthorized applications from being installed
- Monitor for unauthorized named pipe creation using Windows Event Logs and security tools
🔍 How to Verify
Check if Vulnerable:
Check installed version via Control Panel > Programs and Features or using command: wmic product where "name like '%PCoIP%'" get version
Check Version:
wmic product where "name like '%PCoIP%'" get version
Verify Fix Applied:
Verify version is 19.11.2 or later and check that named pipe has proper security descriptors
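The version check above, as an added example that is not part of the original page or of Teradici's tooling: a PowerShell function that reads the uninstall registry keys rather than calling wmic product, and compares each PCoIP product's version against the 19.11.2 fix. The function name Get-PcoipAgentStatus and the status labels are assumptions made for this example, as is the expectation that DisplayVersion begins with the dotted release number.

```powershell
# Added example: inventory PCoIP products and compare against the fixed release.
$FixedVersion = [version]'19.11.2'   # "Patch Version" stated on this page

# Both registry views, so 32-bit installers on 64-bit Windows are included.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-PcoipAgentStatus {
    param([version]$Fixed = $FixedVersion)

    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*PCoIP*' } |   # same match as the wmic query
        ForEach-Object {
            $parsed = $null
            # Assumption: DisplayVersion starts with a dotted number such as 19.11.2;
            # any build suffix after it is ignored for the comparison.
            if ("$($_.DisplayVersion)" -match '^\d+(\.\d+){1,3}') {
                $parsed = [version]$Matches[0]
            }

            $status = if ($null -eq $parsed) { 'UNKNOWN (check manually)' } elseif ($parsed -ge $Fixed) { 'patched' } else { 'NEEDS UPDATE' }

            [pscustomobject]@{
                Name    = $_.DisplayName
                Version = $_.DisplayVersion
                Status  = $status
            }
        }
}

$results = @(Get-PcoipAgentStatus)
if ($results.Count -eq 0) {
    'No PCoIP product found in the uninstall registry keys.'
} else {
    $results | Format-Table -AutoSize
}
```

A version that cannot be parsed is reported as UNKNOWN rather than patched, so an unexpected version string never passes the check silently.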
📡 Detection & Monitoring
Log Indicators:
- Event ID 4656 (Windows Security Log) showing unauthorized access to named pipes
- Unexpected process creation related to PCoIP credential provider
Network Indicators:
- Unusual named pipe communication patterns
- Multiple connection attempts to PCoIP named pipes
SIEM Query:
source="windows_security" event_id=4656 object_name="*pcoip_credential_provider*"