CVE-2019-20362 in PCoIP Agent

Summary

by MITRE

In Teradici PCoIP Agent before 19.08.1 and PCoIP Client before 19.08.3, an unquoted service path can cause execution of %PROGRAMFILES(X86)%\Teradici\PCoIP.exe instead of the intended pcoip_vchan_printing_svc.exe file.


Analysis

by VulDB Data Team • 03/20/2024

The vulnerability identified as CVE-2019-20362 is a critical service path misconfiguration in Teradici PCoIP Agent and Client software versions prior to 19.08.1 and 19.08.3 respectively. It is an unquoted service path vulnerability that fundamentally compromises the integrity of the software installation process. It specifically affects the Windows service installation, where the service path is not properly quoted, creating a weakness that allows arbitrary code execution.

This vulnerability stems from the improper handling of service installation paths in the Windows service management system. When a service path contains spaces and is not enclosed in quotation marks, the Windows service control manager treats each space as a possible end of the executable name and tries the resulting shorter paths first. In this case, when the system attempts to locate the intended service executable, it instead executes a file located in a parent directory. Specifically, the system executes %PROGRAMFILES(X86)%\Teradici\PCoIP.exe rather than the intended pcoip_vchan_printing_svc.exe file, which creates a significant attack surface for privilege escalation and code injection.

This vulnerability directly maps to CWE-428, which defines an unquoted service path as a weakness where a service path is not properly quoted, allowing Windows to search for executables in parent directories. The operational impact of this vulnerability extends beyond simple privilege escalation to encompass potential full system compromise. Attackers can leverage this weakness to execute malicious code with the privileges of the service account, typically SYSTEM level privileges, thereby enabling them to install backdoors, modify system files, or establish persistent access to the compromised system. The vulnerability is particularly concerning because it affects both agent and client components, creating a potential attack vector across different system roles within the PCoIP ecosystem.

The security implications of CVE-2019-20362 align with ATT&CK technique T1059.001, which describes the execution of code through Windows Command Shell or PowerShell, and T1543.003, which covers the modification of services through Windows Service Control Manager. The vulnerability can be exploited through various attack vectors including social engineering to convince users to install malicious software in the parent directory, or through direct exploitation if an attacker has access to the system. The attack requires minimal privileges to exploit and can result in complete system compromise, making it a high-severity vulnerability that aligns with the MITRE ATT&CK framework's categorization of service manipulation techniques.

Mitigation strategies for CVE-2019-20362 should prioritize immediate patching of affected software versions to 19.08.1 or later for the PCoIP Agent and 19.08.3 or later for the PCoIP Client. System administrators should conduct comprehensive audits of service installations to identify and correct any unquoted service paths within their environments. Additionally, implementing strict access controls and privilege separation can limit the potential impact if exploitation occurs. The Windows Security Configuration Wizard and group policy settings can be configured to enforce proper service path quoting, preventing similar vulnerabilities from being introduced through future installations. Organizations should also consider implementing application whitelisting policies to restrict execution of unauthorized binaries in the affected directory paths.
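The audit of service installations recommended above can start from a check like the following PowerShell, an added example that is not VulDB's or Teradici's code. The sample ImagePath values are constructed, the function name is hypothetical, and the directory name `PCoIP PLACEHOLDER` is an assumption standing in for the real install directory, which this page does not give.

```powershell
# Added example: flag unquoted service paths (CWE-428) in ImagePath values.
function Get-UnquotedPathCandidates {
    # Returns the executables Windows would try before the intended one when
    # $ImagePath is unquoted and contains spaces; returns nothing otherwise.
    param([Parameter(Mandatory)][string]$ImagePath)

    $expanded = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($expanded.StartsWith('"')) { return }   # quoted path: unambiguous

    # Separate the executable from its arguments (shortest match ending in .exe).
    $m = [regex]::Match($expanded, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return }             # e.g. kernel drivers (.sys)
    $exe = $m.Groups[1].Value

    # Every space inside the executable path yields one earlier candidate.
    for ($i = $exe.IndexOf(' '); $i -ge 0; $i = $exe.IndexOf(' ', $i + 1)) {
        $exe.Substring(0, $i) + '.exe'
    }
}

# Constructed sample values, not read from a real host. 'PCoIP PLACEHOLDER'
# stands in for the real install directory, which the advisory does not give.
$services = [ordered]@{
    QuotedSvc   = '"C:\Program Files\Vendor\svc.exe" -run'
    NoSpaceSvc  = '%SystemRoot%\system32\svchost.exe -k netsvcs'
    UnquotedSvc = 'C:\Program Files (x86)\Teradici\PCoIP PLACEHOLDER\pcoip_vchan_printing_svc.exe'
}
# On a live host, fill $services from the registry instead, e.g. from
# Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\*' (name = PSChildName).

foreach ($name in $services.Keys) {
    $tried = @(Get-UnquotedPathCandidates $services[$name])
    if ($tried.Count -gt 0) {
        [pscustomobject]@{
            Service    = $name
            ImagePath  = $services[$name]
            TriedFirst = $tried -join '; '
        }
    }
}
```

Any service reported here needs its ImagePath quoted or the vendor update applied, and none of the listed candidate files should exist on the host.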

Reservation

01/08/2020

Moderation

accepted

CPE

ready

EPSS

0.00124

KEV

no

Activities

very low

Sources
