CVE-2022-1805
📋 TL;DR
This vulnerability allows man-in-the-middle attackers to intercept and potentially manipulate connections between PCoIP Zero Clients and Amazon Workspaces. Attackers can exploit incomplete SHA256 certificate verification to impersonate AWS session provisioners. Only organizations using PCoIP Zero Clients to connect to Amazon Workspaces are affected.
💻 Affected Systems
- HP PCoIP Zero Clients
📦 What is this software?
Tera2 PCoIP Zero Client Firmware by Teradici
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Amazon Workspace sessions, allowing attackers to intercept sensitive data, inject malicious content, or hijack user sessions.
Likely Case
Session interception leading to credential theft, data exfiltration, or unauthorized access to corporate resources through compromised Workspace sessions.
If Mitigated
Limited impact with proper network segmentation, certificate pinning, or alternative connection methods that bypass vulnerable components.
🎯 Exploit Status
Requires network positioning between zero client and AWS provisioner. Exploitation is straightforward once MITM position is achieved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware updates from HP (specific versions in HP advisory)
Vendor Advisory: https://support.hp.com/us-en/document/ish_6545906-6545930-16/hpsbhf03794
Restart Required: Yes
Instructions:
1. Download latest firmware from HP support site.
2. Upload firmware to zero client management interface.
3. Apply update.
4. Reboot zero client.
5. Verify firmware version.
🔧 Temporary Workarounds
Use alternative connection methods
Connect to Amazon Workspaces using non-PCoIP clients or protocols that don't use the vulnerable zero client implementation.
Network segmentation
Isolate zero clients from potential MITM positions using VLANs, firewalls, or network access controls.
🧯 If You Can't Patch
- Replace PCoIP Zero Clients with alternative hardware that doesn't have this vulnerability
- Implement strict network monitoring and anomaly detection for Workspace connections
🔍 How to Verify
Check if Vulnerable:
Check zero client firmware version against HP advisory. If using pre-patch firmware and connecting to Amazon Workspaces via PCoIP, system is vulnerable.
Check Version:
Check firmware version in zero client web interface or management console (varies by model)
Verify Fix Applied:
Verify firmware version matches patched version in HP advisory. Test connection to Amazon Workspace while monitoring for proper certificate validation.
📡 Detection & Monitoring
Log Indicators:
- Failed certificate validation events
- Unexpected certificate authorities in TLS handshakes
- Connection anomalies to AWS endpoints
Network Indicators:
- Unusual MITM patterns in network traffic
- Suspicious certificates presented during PCoIP handshake
- Anomalous traffic between zero clients and AWS provisioners
SIEM Query:
source="zero_client_logs" AND (event_type="certificate_validation_failure" OR event_type="tls_handshake_anomaly")
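The log and network indicators above, as an added triage example that is not from HP, Teradici, or the original page: it applies the SIEM query's two event types to log lines and also flags any presented certificate whose SHA-256 fingerprint does not match an expected value over its full length. The JSON-lines format, the `client` and `cert_sha256` field names, and all fingerprint values are assumptions constructed for illustration.

```python
import hmac
import json
from collections import defaultdict

# Event types copied from the SIEM query on this page.
ALERT_EVENTS = {"certificate_validation_failure", "tls_handshake_anomaly"}

# Constructed placeholder for the provisioner certificate's SHA-256 fingerprint.
GOOD = "ab" * 32
# Constructed value that differs from GOOD only after the first 16 hex digits,
# to show that the comparison below covers the whole digest.
LOOKALIKE = GOOD[:16] + "cd" * 24
EXPECTED_FPS = {GOOD}

# Constructed sample events; "client" and "cert_sha256" are assumed field names.
SAMPLE = [json.dumps(e) for e in (
    {"client": "zc-01", "event_type": "session_start", "cert_sha256": GOOD},
    {"client": "zc-02", "event_type": "session_start", "cert_sha256": LOOKALIKE},
    {"client": "zc-03", "event_type": "certificate_validation_failure"},
    {"client": "zc-03", "event_type": "tls_handshake_anomaly"},
)]

def fingerprint_ok(fp_hex, expected=EXPECTED_FPS):
    """True only if fp_hex matches an expected fingerprint over all 64 hex digits."""
    fp = fp_hex.strip().lower().replace(":", "")
    if len(fp) != 64:
        return False
    return any(hmac.compare_digest(fp.encode(), e.encode()) for e in expected)

def triage(lines):
    """Map each client to the reasons its events need review."""
    findings = defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(ev, dict):
            continue
        client = ev.get("client", "unknown")
        if ev.get("event_type") in ALERT_EVENTS:
            findings[client].append(ev["event_type"])
        fp = ev.get("cert_sha256")
        if isinstance(fp, str) and not fingerprint_ok(fp):
            findings[client].append("unexpected_cert:" + fp)
    return dict(findings)

if __name__ == "__main__":
    for client, reasons in sorted(triage(SAMPLE).items()):
        print(client, reasons)
```

Replace `EXPECTED_FPS` with the fingerprints of the certificates your environment actually expects, and map the assumed field names to whatever your log source emits.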