CVE-2021-25695
📋 TL;DR
In Teradici PCoIP Software Agent releases before 21.07.0, the USB vHub driver does not restrict which processes may send it commands: any local program can issue requests to the driver, and a crafted request can alter the driver's execution flow and lead to elevation of privilege. The flaw is local only; an attacker who already runs code on an affected host as an ordinary user could use it to gain elevated privileges on that host.
💻 Affected Systems
- Teradici PCoIP Software Agent, releases before 21.07.0 (the USB vHub driver component)
📦 What is this software?
PCoIP (PC-over-IP) is Teradici's remote display protocol. The PCoIP Software Agent is installed on the host that remote users connect to, and its USB vHub driver implements the virtual USB hub that backs USB device redirection from the client into that host.
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the host with administrative privileges, allowing installation of persistent malware (including kernel drivers), theft of data on the host, and use of the host as a foothold for lateral movement across the network.
Likely Case
Local privilege escalation from a standard user session to SYSTEM/root on the host, enabling further malicious activity on that machine.
If Mitigated
Limited impact where standard users cannot run arbitrary code on the host (application control) and USB redirection is disabled. Network segmentation does not prevent the escalation itself; it only limits what a compromised host can reach afterwards, and endpoint protection that flags unusual driver interactions may catch an attempt in progress.
🎯 Exploit Status
Exploitation requires the attacker to already run code locally on the host; no remote or unauthenticated path is described. Because the driver accepts commands from any program, the barrier once local execution exists is low. No public exploit is referenced here.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.07.0
Vendor Advisory: https://advisory.teradici.com/security-advisories/100/
Restart Required: Yes (the vHub driver is loaded at boot, so the vulnerable driver stays in memory until the host restarts)
Instructions:
1. Download Teradici PCoIP Software Agent version 21.07.0 or later from the Teradici website.
2. Install the update following Teradici's installation guide.
3. Restart the system so the updated driver replaces the vulnerable one in memory.
🔧 Temporary Workarounds
Disable USB Redirection
Disable USB device redirection in the PCoIP agent settings to reduce the attack surface. Treat this as a partial measure: it removes the feature that needs the vHub, but whether the driver itself stays loaded depends on the agent, so the patch is still required.
Restrict Local Access
Prevent unprivileged users from running arbitrary code on the host (application control, no local shell access for users who only need a remote desktop session), since the vulnerability is only reachable from code already running on the host.
🧯 If You Can't Patch
- Implement application control (for example AppLocker or WDAC on Windows) so that only approved programs can run and send commands to the driver
- Deploy endpoint detection and response (EDR) tooling to monitor for privilege escalation attempts, including unexpected processes opening handles to the vHub driver
🔍 How to Verify
Check if Vulnerable:
Any installed PCoIP Software Agent older than 21.07.0 is vulnerable. Compare the version numerically, field by field: 21.10.x is newer than 21.07.0, even though a plain string comparison would sort it the other way.
Check Version:
On Windows: look in Programs and Features, or query WMI with wmic product where "name like '%PCoIP%'" get name,version (the installed product name includes the agent edition, so match on the substring rather than an exact name; note that wmic product enumerates Win32_Product, which is slow and can trigger MSI consistency checks, so reading the registry Uninstall keys is preferable on production hosts). On Linux: ask the package manager which pcoip-agent package is installed and at what version, or run pcoip-agent --version if the command is available.
Verify Fix Applied:
After the reboot, confirm the reported version is 21.07.0 or higher and that USB redirection still works for a test device.
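The following version check is an added example for this page, not a tool from Teradici or from the original advisory. It parses the version string numerically (so 21.10.x is correctly treated as patched), reads the Windows registry Uninstall keys instead of calling wmic product, and queries dpkg/rpm on Linux. The registry display-name substring ("PCoIP") and the Linux package names (pcoip-agent-standard, pcoip-agent-graphics) are assumptions; adjust them to what your hosts actually report.

```python
"""Check installed Teradici PCoIP Software Agent versions against the
CVE-2021-25695 fix (21.07.0). Added example; not vendor code."""
import platform
import re
import subprocess
from typing import List, Optional, Tuple

FIXED_VERSION: Tuple[int, int, int] = (21, 7, 0)  # first fixed release per the advisory


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull the first dotted numeric version out of text and return it as ints.

    Comparing tuples of ints is what makes 21.10.x sort after 21.7.x; a
    string comparison ("21.10.0" < "21.7.0") would report a patched agent
    as vulnerable.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version_text: str) -> bool:
    """True when the version is older than 21.07.0. Unparseable input raises
    rather than being silently treated as patched."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"no version number found in {version_text!r}")
    return v < FIXED_VERSION


def windows_agent_versions() -> List[Tuple[str, str]]:
    """Return (DisplayName, DisplayVersion) for Uninstall entries whose name
    mentions PCoIP (assumption: the agent registers with that substring).

    Reads the registry directly instead of `wmic product`, which enumerates
    Win32_Product and can trigger MSI self-repair of every installed package.
    """
    import winreg  # Windows only, imported lazily so the module loads elsewhere
    found = []
    roots = [r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
             r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"]
    for root in roots:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root)
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                with winreg.OpenKey(key, winreg.EnumKey(key, i)) as sub:
                    try:
                        name = winreg.QueryValueEx(sub, "DisplayName")[0]
                        ver = winreg.QueryValueEx(sub, "DisplayVersion")[0]
                    except OSError:
                        continue  # entry without name/version (e.g. patches)
                    if "pcoip" in str(name).lower():
                        found.append((str(name), str(ver)))
    return found


def linux_agent_versions() -> List[Tuple[str, str]]:
    """Query dpkg and rpm for the agent packages (package names are assumptions)."""
    found = []
    for pkg in ("pcoip-agent-standard", "pcoip-agent-graphics"):
        for cmd in (["dpkg-query", "-W", "-f=${Version}", pkg],
                    ["rpm", "-q", "--qf", "%{VERSION}", pkg]):
            try:
                out = subprocess.run(cmd, capture_output=True, text=True,
                                     check=True).stdout
            except (OSError, subprocess.CalledProcessError):
                continue  # tool missing or package not installed
            if parse_version(out):
                found.append((pkg, out.strip()))
                break
    return found


def main() -> None:
    if platform.system() == "Windows":
        installed = windows_agent_versions()
    else:
        installed = linux_agent_versions()
    if not installed:
        print("no PCoIP agent package found on this host")
    for name, ver in installed:
        state = "VULNERABLE (< 21.07.0)" if is_vulnerable(ver) else "patched"
        print(f"{name} {ver}: {state}")


if __name__ == "__main__":
    main()
```

Run it with an account that can read HKLM (Windows) or the package database (Linux); a host with no PCoIP package at all is reported separately from a patched one so that the absence of the agent is never misread as "fixed".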
📡 Detection & Monitoring
Log Indicators:
- A process other than the Teradici agent components opening a handle to the USB vHub driver's device object (EDR or ETW telemetry; the Windows Security log does not record device opens)
- vHub driver errors or system crashes (bugchecks) following activity by a standard user: a failed attempt to hijack execution flow in a kernel driver tends to leave this trace
- Process-creation events (Security 4688 or Sysmon event 1) in which a PCoIP agent process spawns a command interpreter, or a standard user's process creates a process running as SYSTEM
- Loading of an unsigned or unexpected kernel driver (Sysmon event 6) by the escalated session, a common follow-on once SYSTEM is obtained
Network Indicators:
- Unusual outbound connections from Teradici agent processes
- New SMB, RDP or WinRM sessions from the host shortly after a local user session, consistent with lateral movement after escalation
SIEM Query:
Two process-creation queries in a generic syntax to adapt to your SIEM; both assume Security event 4688 auditing with command-line logging enabled:
EventID=4688 AND CreatorProcessName CONTAINS "Teradici" AND NewProcessName IN (cmd.exe, powershell.exe, pwsh.exe, wscript.exe, cscript.exe, mshta.exe, rundll32.exe, regsvr32.exe, certutil.exe)
EventID=4688 AND TargetUserName="SYSTEM" AND SubjectUserName NOT IN (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) AND SubjectUserName NOT LIKE "%$"
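As an added example (not from the advisory or from any vendor tooling), the routine below applies the two detection rules above to 4688-style records. The records are constructed samples; the field names follow the Windows 10 4688 schema (NewProcessName, CreatorProcessName, CommandLine, SubjectUserName, TargetUserName), and the Teradici install path and agent process name are assumptions.

```python
"""Apply the CVE-2021-25695 process-creation heuristics to 4688-style events.
Added example with constructed sample data; not part of the advisory."""
from typing import Dict, List, Tuple

# Interpreters an attacker would typically spawn after reaching SYSTEM; a PCoIP
# agent process has no business launching these.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def _basename(path: str) -> str:
    """Last component of a Windows (or POSIX) path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons: List[str] = []
    parent = ev.get("CreatorProcessName", "")
    child = _basename(ev.get("NewProcessName", ""))
    creator = ev.get("SubjectUserName", "")
    target = ev.get("TargetUserName", creator)  # absent on older Windows: assume same user

    # Rule 1: a PCoIP agent process spawned a command interpreter.
    if "teradici" in parent.lower() and child in LOLBINS:
        reasons.append("PCoIP agent process spawned an interpreter")

    # Rule 2: a non-system creator produced a SYSTEM process. Machine accounts
    # (names ending in '$') are how SYSTEM itself shows up as Subject, so they
    # are excluded; a real user account here points to a successful elevation.
    if (target.upper() in SYSTEM_ACCOUNTS
            and creator.upper() not in SYSTEM_ACCOUNTS
            and not creator.endswith("$")):
        reasons.append(f"user {creator!r} created a process running as {target}")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every event that trips at least one rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]


# Constructed sample events (not real logs). The Teradici path is assumed.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # benign: user opens notepad from explorer
        "SubjectUserName": "alice", "TargetUserName": "alice",
        "CreatorProcessName": r"C:\Windows\explorer.exe",
        "NewProcessName": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
    },
    {  # suspicious: agent process spawns cmd.exe running as SYSTEM
        "SubjectUserName": "alice", "TargetUserName": "SYSTEM",
        "CreatorProcessName": r"C:\Program Files\Teradici\PCoIP Agent\bin\pcoip_agent.exe",
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {  # benign: service control manager starts a service host
        "SubjectUserName": "WKS01$", "TargetUserName": "SYSTEM",
        "CreatorProcessName": r"C:\Windows\System32\services.exe",
        "NewProcessName": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "svchost.exe -k netsvcs",
    },
    {  # suspicious: user-owned binary creates a SYSTEM powershell
        "SubjectUserName": "alice", "TargetUserName": "SYSTEM",
        "CreatorProcessName": r"C:\Users\alice\Downloads\tool.exe",
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden",
    },
]


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

Rule 2 is the one that survives an attacker avoiding the agent's process tree entirely: whichever binary sends the crafted commands to the driver, the SYSTEM process it eventually creates still carries the original user as Subject. Tune the LOLBIN list and the machine-account exclusion to your environment before alerting on it.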