CVE-2021-25699
📋 TL;DR
This vulnerability allows attackers to escalate privileges by placing a malicious DLL in a specific directory when the Teradici PCoIP Software Client uses an OpenSSL component compiled without proper security flags. It affects users of Teradici PCoIP Software Client versions before 21.07.0.
💻 Affected Systems
- Teradici PCoIP Software Client
📦 What is this software?
PCoIP Client by Teradici
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the running PCoIP process, potentially leading to complete control of the affected system.
Likely Case
Local privilege escalation allowing attackers to execute arbitrary code with elevated permissions on the compromised system.
If Mitigated
Limited impact if proper file permissions prevent unauthorized DLL placement or if the vulnerable component isn't accessible.
🎯 Exploit Status
Requires ability to place malicious DLL in specific build configuration directory and knowledge of the directory structure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.07.0 and later
Vendor Advisory: https://advisory.teradici.com/security-advisories/102/
Restart Required: Yes
Instructions:
1. Download Teradici PCoIP Software Client version 21.07.0 or later from the official Teradici website.
2. Uninstall the previous version.
3. Install the updated version.
4. Restart the system.
🔧 Temporary Workarounds
Restrict directory permissions
Set strict file permissions on build configuration directories to prevent unauthorized DLL placement.
chmod 700 /path/to/build/config/directory (Linux)
icacls "C:\path\to\build\config\directory" /deny Everyone:(OI)(CI)F (Windows)
🧯 If You Can't Patch
- Implement strict file system permissions to prevent unauthorized users from writing to build configuration directories.
- Monitor for suspicious DLL files in build configuration directories and implement application whitelisting.
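The two checks above can be run together against one directory. The script below is an added example, not vendor or page code: `$Path` is a placeholder because the page does not name the directory, and the list of principals treated as trusted writers is an assumption of the example.

```powershell
# Added example. $Path is a placeholder: the page does not name the directory.
param([Parameter(Mandatory = $true)][string]$Path)

# Principals assumed to be legitimate writers (an assumption of this example):
# BUILTIN\Administrators, NT AUTHORITY\SYSTEM, NT SERVICE\TrustedInstaller.
$trusted = @(
    'S-1-5-32-544',
    'S-1-5-18',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that allow creating, replacing or re-permissioning files,
# plus the GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$specific = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = [int]$specific -bor 0x40000000 -bor 0x10000000

# Read the ACL with identities as SIDs so the comparison is not locale dependent.
$acl = Get-Acl -LiteralPath $Path
$sidType = [System.Security.Principal.SecurityIdentifier]
$riskyAces = foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
    $isAllow = $ace.AccessControlType -eq 'Allow'
    $canWrite = ([int]$ace.FileSystemRights -band $writeBits) -ne 0
    if ($isAllow -and $canWrite -and ($trusted -notcontains $ace.IdentityReference.Value)) {
        [pscustomobject]@{
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Inventory every DLL under the directory with its signature state and hash.
$dlls = Get-ChildItem -LiteralPath $Path -Filter '*.dll' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Modified  = $_.LastWriteTimeUtc
        }
    }

'ACEs granting write access to non-trusted principals:'
$riskyAces | Format-Table -AutoSize
'DLLs present (review any that are unsigned or unexpected):'
$dlls | Format-List
```

An empty first table means only the trusted principals can write to the directory; any DLL listed there that is unsigned or recently modified deserves a closer look.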
🔍 How to Verify
Check if Vulnerable:
Check Teradici PCoIP Software Client version in application settings or About dialog.
Check Version:
On Windows: Check program version in Control Panel > Programs and Features.
On Linux: dpkg -l | grep pcoip or rpm -qa | grep pcoip
Verify Fix Applied:
Verify installed version is 21.07.0 or later and check that OpenSSL configuration autoloading is disabled.
📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL loading from build configuration directories
- Failed privilege escalation attempts
Network Indicators:
- Unusual outbound connections from PCoIP process
SIEM Query:
EventID=4688 AND ProcessName="pcoip*" AND CommandLine CONTAINS "dll" AND ParentProcessName="explorer.exe"