CVE-2020-13177
📋 TL;DR
This vulnerability in the Windows builds of Teradici's PCoIP Standard Agent and Graphics Agent lets a local attacker run a malicious binary with elevated privileges: a program planted in a directory on the system search path is picked up and executed by a privileged agent component. Successful exploitation yields SYSTEM on the affected machine. Only the Windows agents in versions before the fixed releases are affected.
💻 Affected Systems
- Teradici PCoIP Standard Agent for Windows
- Teradici PCoIP Graphics Agent for Windows
📦 What is this software?
PCoIP (PC-over-IP) is Teradici's remote display protocol. The Standard Agent and Graphics Agent are the host-side components installed on a Windows machine or virtual machine so that it can be reached by PCoIP clients; the Graphics Agent is the variant for GPU-equipped hosts. Both run as privileged Windows services, which is why a binary they resolve from the search path executes with elevated rights.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation from a lower-privileged user account to SYSTEM, allowing complete control of the affected Windows system.
If Mitigated
Reduced, but not eliminated. Removing write access for standard users from every directory on the machine PATH takes away the direct planting route, and file-integrity monitoring can catch the drop, but the agent itself remains vulnerable until it is updated, and any user who can still write to a PATH directory can still escalate.
🎯 Exploit Status
Exploitation is local: the attacker needs an account on the host that can write into a directory on the system PATH (or must social-engineer someone who can), typically as the second stage after an initial low-privilege foothold. It is not exploitable over the network on its own.
🛠️ Fix & Mitigation
✅ Official Fix
Fixed Versions: 20.04.1 (the 20.04 maintenance release) and 20.07.0 or later
Vendor Advisory: https://advisory.teradici.com/security-advisories/60/
Restart Required: Yes
Instructions:
1. Download the latest agent release from the Teradici portal.
2. Uninstall the current agent.
3. Install the updated version (20.04.1 or 20.07.0 or later).
4. Restart the system.
🔧 Temporary Workarounds
Restrict write access to directories on the system PATH
By default, standard users cannot write to C:\Windows or C:\Windows\System32, so the realistic planting target is a non-default directory that some installer appended to the machine PATH with loose permissions. Audit every PATH entry and replace any write grant for Users, Authenticated Users or Everyone with read-and-execute. Do not add Deny ACEs for Users on C:\Windows or System32: Administrators are members of Users, so an inherited deny there also blocks elevated administrators and breaks servicing. The directory below is a placeholder; substitute the PATH entry your audit flagged.
icacls "C:\Example\Tools" /grant:r "Users:(OI)(CI)RX"
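The audit step above, as an added PowerShell example that is not part of the Teradici advisory: it walks the machine-wide PATH (the one a privileged service sees) and reports any directory whose ACL grants file creation to Everyone, Authenticated Users or BUILTIN\Users. The low-privilege SID list and the treatment of generic access bits are this example's assumptions; it does not model every nuance of Windows access checks (nested groups, deny precedence), so confirm a hit with Sysinternals AccessChk run as an unprivileged user.

```powershell
# Added example (not from the advisory): find machine-PATH directories writable by low-privilege principals.
# Run from an elevated prompt so every directory's ACL can be read.

$lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, BUILTIN\Users (assumed set)

# Access bits that let a principal create or overwrite files in the directory.
$WriteData    = 0x00000002   # FILE_WRITE_DATA / FILE_ADD_FILE; set in Write, Modify and FullControl
$GenericWrite = 0x40000000   # GENERIC_WRITE, as it appears on unmapped inherited ACEs
$GenericAll   = 0x10000000   # GENERIC_ALL
$CreateMask   = $WriteData -bor $GenericWrite -bor $GenericAll

function Test-LowPrivWritable {
    # Returns the first Allow ACE that grants file creation to a low-privilege SID, or $null.
    param([string]$Dir)
    try {
        $acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL of $Dir : $($_.Exception.Message)"
        return $null
    }
    # Ask for rules keyed by SID so no name translation is needed.
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivSids -notcontains $rule.IdentityReference.Value) { continue }
        $mask = $rule.FileSystemRights.value__          # raw access mask behind the enum
        if (($mask -band $CreateMask) -ne 0) { return $rule }
    }
    return $null
}

$seen = @{}
foreach ($entry in ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';')) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim()).TrimEnd('\')
    if (-not $dir -or $seen.ContainsKey($dir.ToLower())) { continue }
    $seen[$dir.ToLower()] = $true

    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A dangling PATH entry is itself a planting risk if its parent is writable:
        # a standard user could create the directory and fill it.
        Write-Warning "PATH entry does not exist: $dir"
        continue
    }

    $grant = Test-LowPrivWritable -Dir $dir
    if ($grant) {
        [pscustomobject]@{
            Directory = $dir
            Principal = $grant.IdentityReference.Value
            Rights    = $grant.FileSystemRights
            Inherited = $grant.IsInherited
        }
    }
}
```

Every row the script prints is a directory a standard user can drop a binary into; fix each with the icacls replacement shown above, then re-run the script until it prints nothing.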
Remove vulnerable agents
Uninstall the PCoIP agents on hosts that do not need PCoIP remote access; note that this removes PCoIP connectivity to the host entirely.
appwiz.cpl
Select the Teradici PCoIP Agent entry and click Uninstall.
🧯 If You Can't Patch
- Put file integrity monitoring on every directory in the machine PATH, not only System32, and alert on new executables or DLLs appearing there
- Enforce least privilege: no standard-user write access to any PATH directory, and no everyday work under local administrator accounts
🔍 How to Verify
Check if Vulnerable:
Read the agent version from Control Panel > Programs and Features. Any version earlier than 20.04.1 is vulnerable; 20.04.1 and 20.07.0 or later contain the fix.
Check Version:
wmic product where "name like 'Teradici PCoIP%'" get name,version
Note that wmic is deprecated and that querying Win32_Product triggers an MSI consistency check of every installed product, which is slow and can start repairs; reading the Uninstall registry keys gives the same answer without that side effect.
Verify Fix Applied:
Confirm that each installed agent (Standard or Graphics) reports 20.04.1 or later, or 20.07.0 or later, and that the host has been restarted since the upgrade.
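The registry-based version check referred to above, as an added PowerShell example that is not part of the Teradici advisory. It reads the Uninstall keys instead of Win32_Product, so it has no MSI side effects, and compares each agent's DisplayVersion against 20.04.1, the first fixed release named on this page. The `Teradici PCoIP*` name pattern mirrors the wmic filter above and is an assumption; adjust it if the DisplayName on your hosts differs.

```powershell
# Added example (not from the advisory): report installed Teradici PCoIP agents and whether they predate the fix.

$firstFixed = [version]'20.04.1'   # per this page: 20.04.1 and 20.07.0 (and later) carry the fix

function Get-PcoipAgentStatus {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # absent on 32-bit Windows; ignored
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Teradici PCoIP*' } |     # assumed name pattern, same as the wmic filter
        ForEach-Object {
            $v = $null
            $parsed = [version]::TryParse([string]$_.DisplayVersion, [ref]$v)
            # $null when the version string cannot be parsed, so the row is not silently reported as safe
            $vulnerable = if ($parsed) { $v -lt $firstFixed } else { $null }
            [pscustomobject]@{
                Name       = $_.DisplayName
                Version    = $_.DisplayVersion
                Vulnerable = $vulnerable
                Source     = $_.PSPath -replace '.*\\Uninstall\\', ''   # registry key name, for auditing
            }
        }
}

$status = @(Get-PcoipAgentStatus)
if ($status.Count -eq 0) {
    Write-Output 'No Teradici PCoIP agent found in the Uninstall registry keys.'
} else {
    $status | Format-Table -AutoSize
}
```

A `Vulnerable` value of `True` means the agent must be upgraded; an empty value means the version string did not parse and should be checked by hand.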
📡 Detection & Monitoring
Log Indicators:
- A new executable or DLL written into a directory on the machine PATH by a non-administrative account (Sysmon Event ID 11, or Security Event ID 4663 where object-access auditing is enabled on those directories)
- Process creation (Event ID 4688) where the new process runs as SYSTEM but its image lives outside the Windows and Program Files trees, especially when the parent is the PCoIP agent service
- Planted binaries are more likely in third-party PATH directories than in System32, because default ACLs keep standard users out of System32
Network Indicators:
- The flaw is local, so network telemetry is secondary; look for unexpected outbound connections from a SYSTEM process spawned beneath the agent rather than from the agent itself
- Unusual PCoIP session patterns, such as off-hours logons to hosts that then show the process indicators above
SIEM Query:
EventID=4688 AND SubjectUserSid="S-1-5-18" AND NOT (NewProcessName startswith "C:\Windows\" OR NewProcessName startswith "C:\Program Files")
Narrow the results by checking whether the image's directory is on the host's machine PATH. Matching any process whose path merely contains "system32" or "windows" fires on almost every interactive process and is not usable as an alert.
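The query above as a host-side hunt, written here as an added PowerShell example that is not part of the Teradici advisory. It reads Security Event ID 4688 from the last day, keeps events whose creating account is SYSTEM (S-1-5-18), discards images under the Windows and Program Files trees, and reports the rest only when the image's directory is on the machine PATH, which is the footprint of a planted binary being resolved by a privileged path search. The trusted-root list and the one-day window are assumptions; Audit Process Creation must be enabled, and the `ParentProcessName` and `CommandLine` fields are populated only on newer Windows builds with command-line auditing turned on.

```powershell
# Added example (not from the advisory): hunt for SYSTEM-token processes launched from a PATH directory
# outside the Windows and Program Files trees. Run from an elevated prompt.

# Roots treated as trusted install locations (assumption; extend for your environment).
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_ -ne '\' } |            # drop ProgramFiles(x86) when it is unset (32-bit Windows)
    ForEach-Object { $_.ToLower() }

# Machine PATH as seen by services, normalised for comparison.
$pathDirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()).TrimEnd('\').ToLower() } |
    Where-Object { $_ }

function ConvertFrom-EventData {
    # Flatten the <EventData> of a Security event into a hashtable keyed by field name.
    param($Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Test-SuspiciousSystemLaunch {
    # True when a SYSTEM-created process runs from a PATH directory outside the trusted roots.
    param([hashtable]$Fields)
    if ($Fields.SubjectUserSid -ne 'S-1-5-18') { return $false }
    $image = [string]$Fields.NewProcessName
    if (-not $image) { return $false }
    $imageLower = $image.ToLower()
    foreach ($root in $trustedRoots) {
        if ($imageLower.StartsWith($root)) { return $false }
    }
    $dir = [System.IO.Path]::GetDirectoryName($image).TrimEnd('\').ToLower()
    return ($pathDirs -contains $dir)
}

$since = (Get-Date).AddDays(-1)   # assumed hunting window
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = ConvertFrom-EventData $_
        if (Test-SuspiciousSystemLaunch $f) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Image   = $f.NewProcessName
                Parent  = $f.ParentProcessName   # present on Windows 10 / Server 2016 and later
                Command = $f.CommandLine         # present only with command-line auditing enabled
            }
        }
    }
```

Any row whose `Parent` is the PCoIP agent service, or whose `Image` was created shortly before by a non-administrative account, should be treated as an exploitation attempt and the image file preserved for analysis.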