Teradici and CVE-2020-10965: An issue of routing.
Vendor and impacted product
Teradici - PCoIP Management Console versions 20.01.0 and 19.11.1
Introduction
After nearly five years of working in Application Security, I was finally able to discover a security bug worthy of a CVE. This vulnerability was in a software package owned by a major vendor, Teradici, which provides management software for several different kinds of remote workstation setups. The impact of this bug is critical, with almost no attacker interaction needed. Once reported to MITRE, this vulnerability was issued CVE-2020-10965. Within this blog post, I'll be giving an overview of the discovery process.
Tools Used:
Burp Suite
Aquatone
Google Chrome
Overview
While participating in an undisclosed bug bounty program, I discovered a subdomain with the name "mc.****.************.com". Using Aquatone, I found that ports 80 and 443 were open and displaying the following login page.
Seeing that the application was built using some kind of JavaScript framework, I used the Chrome developer utilities to examine the routing files and see if there were any interesting endpoints.
To my surprise, there was a route to an endpoint called "/login/resetadminpassword" that was not programmed to redirect back to the login page.
Visiting this link, I was even more surprised to be presented with a form to reset the Admin user's password. Using this form, any unauthenticated user was able to change the admin user's password.
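The underlying lesson of the bug above is that a client-side router "hiding" a route is not authorization: the server must check who is calling on every request. The following is an added example, not Teradici's code; the in-memory store, session shape and handler signatures are assumptions for illustration, and it shows the vulnerable handler beside a hardened one.

```javascript
// Added example (not Teradici's code): a client-side route guard is not authorization.
// The bug described above: the SPA router did not redirect /login/resetadminpassword to the
// login page, and the backend accepted the reset without checking who was asking.
// Store shape, session shape and handler signatures are assumptions for illustration.

function makeStore() {
  // Constructed in-memory user store standing in for the product's database.
  return { admin: { password: "initial-secret" } };
}

// Vulnerable pattern: relies on the front-end hiding the route, so it checks nothing.
function resetAdminPasswordVulnerable(store, req) {
  store.admin.password = req.body.newPassword;
  return { status: 200, body: "password changed" };
}

// Hardened pattern: the server enforces authentication and role on every call,
// regardless of which routes the client-side router happens to expose.
function resetAdminPasswordHardened(store, req) {
  const s = req.session; // populated by server-side session middleware (assumed)
  if (!s || !s.authenticated || s.role !== "admin") {
    return { status: 401, body: "authentication required" };
  }
  const pw = req.body && req.body.newPassword;
  if (typeof pw !== "string" || pw.length < 12) {
    return { status: 400, body: "password does not meet policy" };
  }
  store.admin.password = pw;
  return { status: 200, body: "password changed" };
}

// Minimal dispatcher standing in for the backend framework's router.
function dispatch(handlers, store, req) {
  const handler = handlers[req.method + " " + req.path];
  return handler ? handler(store, req) : { status: 404, body: "not found" };
}

// Demo: the same unauthenticated request against both route tables.
function demo() {
  const anon = { method: "POST", path: "/login/resetadminpassword", session: null,
                 body: { newPassword: "unauthenticated-choice-xyz" } };
  const vulnStore = makeStore();
  const before = dispatch({ "POST /login/resetadminpassword": resetAdminPasswordVulnerable }, vulnStore, anon);
  const hardStore = makeStore();
  const after = dispatch({ "POST /login/resetadminpassword": resetAdminPasswordHardened }, hardStore, anon);
  return { vulnerable: before.status, vulnerableChanged: vulnStore.admin.password !== "initial-secret",
           hardened: after.status, hardenedChanged: hardStore.admin.password !== "initial-secret" };
}
```

Running demo() shows the unauthenticated request succeeding (200, password changed) against the vulnerable handler and being refused (401, password unchanged) against the hardened one.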
Impact
From the Teradici disclosure, the impact was described as the following:
"The affected Management Console releases allow unauthenticated user access to the Management Console /login/resetadminpassword URL. From here, unauthenticated users can reset the admin password on the Management Console, and can take control of PCoIP Zero Clients and PCoIP Remote Workstation Cards managed by it."
Disclosure Timeline
29 Feb 2020:
Reported vulnerability to bug bounty program, believing it to be specific to their installation.
29 Feb 2020:
Reported vulnerability to Teradici, upon learning that the vulnerability affected every installation of those product versions rather than a single deployment.
03 Mar 2020:
First response from Teradici, triaging the vulnerability.
04 Mar 2020:
Teradici awards a bounty of $1000.
05 Mar 2020:
Teradici releases patched version of product.
07 Mar 2020:
Initial bug bounty program fixes their installation of the application, awarded $350.
13 Mar 2020:
Teradici releases public notice of vulnerability on their website.
References
Teradici Vulnerability Disclosure
MITRE CVE Notice
National Vulnerability Database CVE Notice