Original Release: August 4, 2022

Overview

Recently, a security vulnerability was discovered in the PrinterLogic Windows Client driver installation process. Vasion has completed remediation for CVE-2022-32427 via an updated Windows Client package.

Vulnerability Description

The PrinterLogic Windows Client on or before Version 25.0.0.676 allows attackers to execute directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content. 

Investigation and Remediation

The vulnerability is remediated by updating the PrinterLogic Windows Client to Version 25.0.0.688 or later. Release notes for the new client are found here. Depending on your PrinterLogic platform, the following instructions apply:

  • For PrinterLogic SaaS, information about updating clients is found here.
  • For the PrinterLogic Virtual Appliance, a VA Application Update containing the new Windows client is available. More information about application updates is available here. Once the update is complete, deploy the new client using the steps found here.
  • For PrinterLogic Web Stack, the latest client download is here.
  • If you prefer to push the new Windows client via third-party software, you’ll find the client installation package (MSI) here.

 


 

Original Release: April 5, 2022

Overview

A security vulnerability that affects VMware products was reported in CVE-2022-22965. The issue does not impact Vasion software.

Description

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment.

Impact

While some customers run their PrinterLogic Virtual Appliance on VMware hypervisors, the VA itself is not at risk. Information about remediations for VMware software is available here.

 


 

Original Release: Mar 24, 2022

Overview

Recently, an out-of-bounds vulnerability assigned to CVE-2021-44142 was disclosed in Samba versions prior to 4.13.17. This flaw involves an out-of-bounds heap read-write event in which remote attackers could execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit. The PrinterLogic Virtual Appliance (VA) is susceptible to this vulnerability and was remediated. This issue does not affect PrinterLogic SaaS.

Vulnerability Description

Samba is an implementation of the SMB protocol that provides file and printer interoperability for Windows platforms over the network. It is a widely installed software package, and many Linux-based IoT and network devices include publicly open SMB services by default.

The specific flaw exists in EA metadata parsing when opening files in smbd, the Samba server daemon that provides file sharing and printing services to Windows clients. Access as a user with write access to a file’s extended attributes is required to exploit this vulnerability. A guest or unauthenticated user could do this if they are allowed write access to file extended attributes.

The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file. If both options are set to settings other than the default values, the system is not affected by the security issue. The PrinterLogic VA Host has vfs_fruit enabled and required remediation.
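The configuration condition described above can be checked mechanically. The following is an added example, not Vasion or Samba project code: a simplified smb.conf reader (no include or line-continuation handling) that lists shares where fruit is loaded and either option still has its default value. The function names and the sample configuration are constructed for illustration.

```python
import re

DEFAULTS = {"fruit:metadata": "netatalk", "fruit:resource": "file"}

# Constructed sample smb.conf (not taken from any PrinterLogic appliance).
SAMPLE_SMB_CONF = """\
[global]
   vfs objects = catia fruit streams_xattr
   fruit:metadata = stream
[drivers]
   path = /srv/drivers
   ; fruit:resource is not set here, so its default (file) applies
[scans]
   path = /srv/scans
   fruit:resource = xattr
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; simplified: no includes or continuations."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            # Samba ignores case and spaces in names; "vfs object" is a synonym.
            key = re.sub(r"\s+", "", name).lower()
            key = "vfsobjects" if key == "vfsobject" else key
            sections[current][key] = value.strip()
    return sections

def fruit_exposure(text):
    """List (share, metadata, resource) for shares in the affected configuration."""
    conf, findings = parse_smb_conf(text), []
    for share, params in conf.items():
        if share == "global":
            continue
        eff = {**DEFAULTS, **conf.get("global", {}), **params}  # share overrides global
        if "fruit" not in re.split(r"[\s,]+", eff.get("vfsobjects", "").lower()):
            continue
        meta, res = eff["fruit:metadata"].lower(), eff["fruit:resource"].lower()
        # Per the bulletin: only unaffected when BOTH options differ from defaults.
        if meta == DEFAULTS["fruit:metadata"] or res == DEFAULTS["fruit:resource"]:
            findings.append((share, meta, res))
    return findings
```

On the sample, only the drivers share is reported: it inherits fruit:metadata = stream from [global] but leaves fruit:resource at its default.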

Vasion Investigation and Remediation

Vasion has removed the vfs_fruit module from the PrinterLogic Virtual Appliance. Therefore, we recommend that PrinterLogic VA customers with host versions 1.0.735 and earlier update their VA Host, which includes the latest application release. This update also includes other new functionality, which is described in the release notes. The update and release notes can be found in our PrinterLogic VA Admin Guide here.

 


 

Original Release: Feb 7, 2022

Overview

In late January, Vasion became aware of a vulnerability that affects many Linux distributions. The company has completed remediations in its PrinterLogic SaaS and PrinterLogic Virtual Appliance (VA) platforms.

Vulnerability Description

Polkit (formerly known as PolicyKit) is a systemd SUID-root program and is installed by default in every major Linux distribution. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies.

In the version of Polkit that resulted in this vulnerability discovery, the pkexec application doesn’t handle the calling parameters count correctly and ends by trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in a way that induces pkexec to execute arbitrary code. This can result in a local privilege escalation and give unprivileged users administrative rights on the target machine.

A new version of Polkit was released that addresses this vulnerability. More information can be found in the CVE-2021-4034 detail document found here.

Vasion Investigation and Remediation

Vasion completed its investigation to determine how this vulnerability affects PrinterLogic SaaS and the PrinterLogic Virtual Appliance (VA). It was found that servers for both platforms contained the affected version of Polkit.  

Both PrinterLogic products have been patched with the latest version of Polkit recommended by Linux (0.105-20 Ubuntu 0.18.04.05 changed to 0.105-20 Ubuntu 0.18.04.06).

Because PrinterLogic SaaS updates occur automatically, this remediation is already live.

PrinterLogic VA customers with host versions 1.0.730 and earlier will need to update their VA host, which includes the latest application release as well. The VA update and release notes can be found in our Admin Guide here.

 


 

Original Release: Jan 21, 2022

Overview

Recently, security vulnerabilities were discovered in PrinterLogic Web Stack versions 19.1.1.13 SP9 and below. PrinterLogic has completed corrective measures to remediate each vulnerability, and updates are available now for PrinterLogic Web Stack and the Virtual Appliance. Updates occurred automatically with PrinterLogic SaaS and are live worldwide. A summary of the vulnerabilities and the corrective actions PrinterLogic has taken is below. Links to the respective CVEs will be added once they are available.

Vulnerabilities (CVEs) and Remediation Summary
  • CVE-2021-42631: Object Injection leading to RCE CVSS 8.1

– The affected endpoints were reorganized so they no longer use objects passed as parameters (removing the vulnerability). The vulnerable function “unserialize()” is no longer used.

– Affected Web Stack, the VA, and SaaS. Remediations completed.

  • CVE-2021-42635: Hardcoded APP_KEY leading to RCE CVSS 8.1

– The Web Stack installers were adjusted to generate random keys on installation and on updates.

– In addition, we performed scans for other keys and credentials that may have been leaked, and any findings were also corrected. Measures were also put in place to prevent any leaked secrets from accidentally being included in future releases.

– Affected Web Stack only. Remediations completed.

  • CVE-2021-42638: Misc command injections leading to RCE CVSS 8.1

– The affected areas were completely removed where possible (e.g., no longer supported features, printer models, etc.), and escaping/sanitization was corrected for items that could not be removed.

– Affected Web Stack only. Remediations completed.

  • CVE-2021-42633: SQLi may disclose audit logs CVSS 0

– The SQLi code was never used. The offending pages were removed.

– Affected Web Stack, the VA, and SaaS. Remediations completed.

  • CVE-2021-42637: Blind SSRF CVSS 4.0

– The test page causing this issue was removed.

– Affected Web Stack only. Remediations completed.

  • CVE-2021-42639: Misc reflected XSS CVSS 4.0

– All reflected XSS vulnerabilities were identified and removed, or inputs were escaped or sanitized.

– Affected Web Stack, the VA, and SaaS. Remediations completed.

  • CVE-2021-42640: Driver assignment IDOR CVSS 3.8

– RBAC security was added to routes that were allowing access to sensitive objects/data.  

– Affected Web Stack, the VA, and SaaS. Remediations completed.

  • CVE-2021-42641: Username/email info disclosure CVSS 2.0

– RBAC security was added to routes that were allowing access to sensitive objects/data.  

– Affected Web Stack, the VA, and SaaS. Remediations completed.

  • CVE-2021-42642: Printer console username/password info disclosure CVSS 4.0

– RBAC security was added to routes that were allowing access to sensitive objects/data.  

– Affected Web Stack, the VA, and SaaS. Remediations completed.

Affected PrinterLogic Software Versions:
  • PrinterLogic Web Stack

Version 19.1.1.13 SP9 and earlier, when operating with macOS or Linux endpoint client software. See new install and update links below.

  • PrinterLogic Virtual Appliance

Version 20.0.1304 and earlier, when operating with macOS or Linux endpoint client software.

a. Application update is required. See links below.  

b. Host update not required if you have VA Host v1.0.674 or later. 

  • PrinterLogic SaaS

Our SaaS platform does automatic updates. Remediations are now live worldwide. No customer action is needed.

Updated Files and Documentation
  • PrinterLogic Web Stack

– Link to file for new installs

– Link to file for updates

Online documentation for these updates

– Only admin server updates are required; no client updates are needed.

  • PrinterLogic Virtual Appliance

Online documentation and file(s) for these updates

– No client software updates are required.

 


 

Original Release: Dec 14, 2021

Overview

The Log4j vulnerability, documented in CVE-2021-44228, is a remote code execution vulnerability in Log4j. This framework is used for logging within many software solutions. The Log4j library is vulnerable to Remote Command Execution (RCE), which means a remote attacker can execute commands over the network on software that contains the vulnerable Log4j versions.

Vasion Security Response

Vasion is aware of the issue and has not found any evidence of exploitation or vulnerability with our products. Vasion products including PrinterLogic SaaS, PrinterLogic VA, and Vasion ST do not utilize, or have dependencies on, the affected Log4j libraries. Therefore, these products are not vulnerable to the referenced CVE-2021-44228.

Our security team will continue to monitor the situation. If our assessment changes, we will publish our findings and subsequent recommendations in this bulletin.

 


 

Original Release: Jul 13, 2021

Overview

PrintNightmare, documented in CVE-2021-34527, is a remote code execution vulnerability in the Windows Print Spooler. This vulnerability is exposed through specific inbound Remote Procedure Calls (RPC), which are used to add printers and related drivers. This can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

PrinterLogic Solution

With PrinterLogic’s Managed Direct IP Printing solution, print jobs are always spooled locally using the local print spooler on the originating workstation. Since PrinterLogic does not use RPC to access the Windows Print Spooler, a PrinterLogic Managed Direct IP print environment is entirely unaffected when the mitigation steps detailed in the CVE (option 2) are followed as recommended by Microsoft. This ensures that the attack vector is closed on all machines running the Windows Print Spooler, while allowing users to continue to safely print using PrinterLogic’s Managed Direct IP solution.

Microsoft has released a patch for this vulnerability. PrinterLogic highly recommends all customers install the July 2021 Out-of-band update on all Windows systems. For details, see KB5004945 and KB5004946.

What about Point and Print?

According to Microsoft documentation, Point and Print is a term that refers to the capability of allowing a user on a Windows 2000 and later client to create a connection to a remote printer without providing disks or other installation media. All necessary files and configuration information are automatically downloaded from the print server to the client.

This specifically applies to print queues installed from a Windows print server and does not impact a user’s ability to install print queues from the PrinterLogic Self-Service Portal.

As part of the July 2021 Out-of-band update, a registry setting is checked that will restrict the installation of new unsigned printer drivers to Administrators only. Since PrinterLogic only allows signed Type 3 drivers to be used, and since the PrinterLogic Client is solely responsible for managed print driver installation, this setting will not adversely affect PrinterLogic customers.

While this registry setting does not impact a PrinterLogic Managed Direct IP environment, in accordance with security best practices, PrinterLogic still recommends that all customers enable this registry setting as recommended by Microsoft:

Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint

Value: RestrictDriverInstallationToAdministrators

Type: REG_DWORD

Data: 1

 

For more information, please see KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.

Caveats

Printers that are configured as shared printers or with Windows Print Server Links will cease to function properly if inbound remote printing is disabled on the Windows print server. PrinterLogic highly recommends that these printers be converted to Managed Direct IP print queues to avoid this and future Windows Print Spooler vulnerabilities.

References

Security Update Guide – Microsoft Security Response Center – CVE-2021-34527

VU#383432 – Microsoft Windows Print Spooler allows for RCE via AddPrinterDriverEx()

KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates

July 6, 2021—KB5004945 (OS Builds 19041.1083, 19042.1083, and 19043.1083) Out-of-band

July 6, 2021—KB5004946 (OS Build 18363.1646) Out-of-band

Introduction to Point and Print – Windows drivers

 


 

Original Release: May 3, 2019 | Last Revised: May 9, 2019

Description

Using an exploit to forcibly update configuration data, the PrinterLogic Client can be directed to bypass HTTPS hardening or directed to another PrinterLogic Server. The PrinterLogic Client does not correctly verify the origin and integrity of updates. An attacker who successfully exploits these vulnerabilities could run arbitrary code in the context of the Local System Account.

Solution

CVE-2018-5408

This solution prevents Man-in-the-Middle (MITM) attacks where bad actors may attempt to spoof a trusted entity by tricking the PrinterLogic Server into connecting to a malicious host. To reduce any attempt at MITM attacks, you must configure your PrinterLogic Server to use the HTTPS protocol as described below:

1. Follow the steps outlined here: HTTP and HTTPS Configuration Steps.

2. Next, make sure your homeURL is updated to HTTPS. For more information, see Update the Client’s HomeURL.

3. In addition, you need to apply the client update described below to secure your PrinterLogic environment.

CVE-2018-5409, CVE-2019-9505

This solution addresses vulnerabilities related to properly verifying the origin and integrity of the PrinterLogic Client code, as well as sanitizing special characters that could lead to unauthorized changes to configuration files. To address these issues, apply the latest PrinterLogic software update as described below:

1. Download the update from: PrinterLogic Security Update.

2. On the PrinterLogic Server, navigate to C:\inetpub\wwwroot\public\client\setup.

3. Make a backup copy of your existing PrinterLogic Client files before replacing them.

4. Copy and replace the PrinterLogic Client installation files with the new files provided in the download.

5. Navigate to your PrinterLogic Admin Console and enable the automatic update option to update your clients. If you want to push out the clients via GPO or using a software deployment tool, follow these instructions.

6. To validate the update, check that the client on each workstation has been updated to the new version by navigating to Tools → Reports → Workstations from the PrinterLogic Admin Console. Click Search to run a report for workstations in your environment. Verify that the numbers in the Client Version column are at least as recent as the numbers shown below:
– Windows: 25.0.0.49 or higher
– Mac: 25.1.0.274 or higher
– Linux: 25.1.0.274 or higher
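The version check in step 6 can be scripted once the workstation report is available as text. The following is an added example, not PrinterLogic code: it assumes the report has been saved as CSV with hypothetical column names Workstation and Platform alongside Client Version, and it compares versions numerically, because a plain string comparison would rank 25.0.0.9 above 25.0.0.49.

```python
import csv
import io

# Minimum fixed client versions, taken from the list above.
MINIMUMS = {"windows": "25.0.0.49", "mac": "25.1.0.274", "linux": "25.1.0.274"}

# Constructed sample report; the CSV layout and column names are assumptions.
SAMPLE_REPORT = """\
Workstation,Platform,Client Version
WS-001,Windows,25.0.0.49
WS-002,Windows,25.0.0.9
WS-003,Mac,25.1.0.274
WS-004,Linux,25.0.0.688
WS-005,Windows,
"""

def parse_version(text):
    """Turn '25.0.0.49' into (25, 0, 0, 49); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def outdated_clients(report_csv):
    """Return [(workstation, platform, version, reason)] for rows needing attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["Workstation"]
        platform = row["Platform"].strip().lower()
        version = (row.get("Client Version") or "").strip()
        minimum = MINIMUMS.get(platform)
        if minimum is None:
            findings.append((name, platform, version, "unknown platform"))
            continue
        try:
            current = parse_version(version)
        except ValueError:
            # A missing or malformed version is reported, never treated as current.
            findings.append((name, platform, version, "unparseable version"))
            continue
        if current < parse_version(minimum):
            findings.append((name, platform, version, f"below {minimum}"))
    return findings
```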

If you have questions about these solutions, contact PrinterLogic Product Support for assistance.

References

CVE-2018-5408, CVE-2018-5409, CVE-2019-9505
