Security Bulletin

PrinterLogic maintains a robust security program as an ISO 27001:2013 and SOC 2 Type 2 certified solution to promptly address security vulnerabilities when they are discovered. Meeting the ISO standard involves an extensive process of becoming ISO-compliant to better meet our customers’ business, legal, and regulatory requirements. As a globally recognized security program, maintaining an ISO certification shows a commitment to executing high-quality security practices and improving our security posture through defined processes and documentation.

Our security policies, articulated here, detail these certifications as well as our approach to:

  • Physical Security
  • Network Security
  • Application Security
  • Training
  • Data Protection

Our Vasion Trust Center describes in detail the security tests we’ve run, the policies that we apply and adhere to, and the monitoring tests we regularly run.

Bulletins

Content to be added in 2025. For previous years, select the corresponding tab above.

November 2024

V-2024-021 — Inadequate Secure Configuration Documentation

  • CVSS: 4.7
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.1026 / Application v20.0.2702
  • CWE: 1059
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

September 2024

V-2024-016 — Cross-Site Scripting

  • CVSS: 3.9
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.1002 / Application v20.0.2614
  • CWE: 79
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

August 2024

V-2024-013 — Hardcoded Password

  • CVSS: 2.0
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.1002 / Application v20.0.2614
  • CWE: 798
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2024-014 — Outdated Dependencies

  • CVSS: 4.8
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.1002 / Application v20.0.2614
  • CWE: 1395
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2024-015 — Privilege Escalation

  • CVSS: 4.3
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.1002 / Application v20.0.2614
  • CWE: 784
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2024-012 — SQL Injection

  • CVSS: 6.7
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.1002 / Application v20.0.2614
  • CWE: 89
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

June 2024

V-2024-009 — Unauthenticated APIs for Single-Sign On

  • CVSS: 7.3
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.951 / Application v20.0.2368
  • CWE: 306
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

May 2024

V-2024-008 — Unauthenticated Driver Package Editing

  • CVSS: 7.3
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.933 / Application v20.0.2368
  • CWE: 306
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

April 2024

V-2024-006 — Hardcoded AWS API Key

  • CVSS: 1.9
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.933 / Application v20.0.2368
  • CWE: 798
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2024-007 — Local Privilege Escalation

  • CVSS: 4.7
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.933 / Application v20.0.2368
  • CWE: 306
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

March 2024

V-2024-005 — Insecure Extension Installation

  • CVSS: 2.9
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.933 / Application v20.0.2368
  • CWE: 650
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

February 2024

CVE-2024-21626

Vasion has taken the necessary steps to remediate any vulnerabilities associated with CVE-2024-21626.

  • Security Risk: High.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance.
  • Vulnerability Description: Container breakout vulnerability, commonly known as "Leaky Vessel Vulnerability."

Investigation and Remediation

Vasion has taken the necessary steps to remediate any container breakout vulnerabilities associated with CVE-2024-21626, commonly known as the “Leaky Vessel Vulnerability.”

V-2024-001 — Edit User Account Exposure

  • CVSS: 10.0
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.913 / Application v20.0.2253
  • CWE: 200
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2024-002 — Addition of Partial Admin Users Without Authentication

  • CVSS: 10.0
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.913 / Application v20.0.2253
  • CWE: 200
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2024-003 — Cross Tenant Password Exposure

  • CVSS: 10.0
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.913 / Application v20.0.2253
  • CWE: 200
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

September 2023

V-2023-016 — Incorrect Access Control: PHP

  • CVSS: 7.6
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.893 / Application v20.0.2140
  • CWE: 284
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

July 2023

Vasion remediated three vulnerabilities within the Windows Client related to the following CVEs. Follow the instructions in the Investigation and Remediation section below to address these security concerns.

CVE-2023-33704

A vulnerability was discovered in the Vasion Windows Client installation process. Vasion has completed remediation for CVE-2023-33704 via an updated Windows Client package.

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Vulnerability Description: The Vasion Windows Client before Version 25.0.0.897 allows attackers to install print drivers from arbitrary hosts using named pipe token impersonation.

CVE-2023-32232

A security vulnerability was discovered in the Vasion Windows Client installation process. Vasion has completed remediation for CVE-2023-32232 via an updated Windows Client package.

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Vulnerability Description: The Vasion Windows Client before Version 25.0.0.864 allows attackers to spawn a System command prompt during the install/repair function.

CVE-2023-32231

A security vulnerability was discovered in the Vasion Windows Client installation process. Vasion has completed remediation for CVE-2023-32231 via an updated Windows Client package.

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Vulnerability Description: The Vasion Windows Client before Version 25.0.0.864 allows attackers to execute Dynamic Link Library (DLL) hijacking. A non-admin user could create malicious DLLs and access them during installation, granting them code execution as System.

Investigation and Remediation

Remediate the three vulnerabilities above by updating the Vasion Windows Client to Version 25.0.0.897 or later.

  • For Vasion Print (formerly PrinterLogic), reference Client Updates for steps on updating the Client.
  • For Virtual Appliance, update to Application build 20.0.1923+ which includes later Client versions. Reference Application Update for more information about updating. After the application update, reference Client Updates for steps on updating the Client.
  • For Web Stack, the latest Client download is here.
  • If you prefer to push the new Windows Client via third-party software, you’ll find the Client installation package (MSI) here.

June 2023

V-2023-013 — Private Keys in Docker Overlay

  • CVSS: 5.1
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.862 / Application v20.0.2014
  • CWE: 321
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2023-014 — Server-Side Request Forgery: Elatec

  • CVSS: 6.8
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.862 / Application v20.0.2014
  • CWE: 918
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2023-015 — Server-Side Request Forgery: rfIDEAS

  • CVSS: 7.5
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.862 / Application v20.0.2014
  • CWE: 918
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2023-012 — Preauthenticated Cross Site Scripting (XSS): Badge Registration

  • CVSS: 6.7
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.862 / Application v20.0.2014
  • CWE: 79
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2023-017 — Cross Site Scripting (XSS)

  • CVSS: 5.1
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.862 / Application v20.0.2014
  • CWE: 79
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2023-009 — Server-Side Request Forgery: CPA v1

  • CVSS: 3.9
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.862 / Application v20.0.2014
  • CWE: 918
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2023-011 — Password Stored in Process List

  • CVSS: 5.1
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.862 / Application v20.0.2014
  • CWE: 798
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2023-008 — Remote Code Execution

  • CVSS: 7.6
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.843 / Application v20.0.1923
  • CWE: 306
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

May 2023

Vasion has already taken steps to remediate the following OVEs. They were reported in February 2023 against an older product version, and we have since blocked the possible entry points for an attack.

The ‘Security Risk’ category that Vasion applies to each finding indicates our prioritization of and response to it. It does not imply a significant risk to customers; in most cases, the actual risk is low. Nevertheless, we remain committed to removing vulnerabilities and ensuring the security of our customers' environments.

These issues apply to Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance, as called out in each OVE below. For PrinterLogic SaaS, resolutions and fixes are applied in production as soon as they are available. For the Virtual Appliance, fixes will be applied with the next update, Host build 22.0.843 and Application build 20.0.1923, released in June 2023.

OVE-20230524-0001 - Authentication Bypass

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: Individual PHP files must consistently implement authentication and authorization checks. However, specific administrative files were missing authentication checks which could allow unauthenticated access to administrative scripts via their direct URLs.
  • Investigation and Remediation/Response: Most vulnerable routes had already been corrected since the version these tests were run against or were already implementing security appropriate for the route. However, we continue to investigate any possible vulnerabilities of this nature and are implementing more comprehensive security measures to prevent potential future vulnerabilities.

OVE-20230524-0002 - SQL Injection

  • Security Risk: High.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: The application does not use parameterized queries when retrieving data. Instead, it uses a custom DAO framework whose escaping functions attempt to prevent SQL injection through string handling. The specifically identified vulnerable function is not used with user-supplied data and cannot be abused. All other identified injection points had already been identified and corrected since the version these tests were performed against.
  • Investigation and Remediation/Response: The development process enforces investigation to identify any missing protection on existing pages. All new pages use parameterized queries which protects against future SQL injection points.

OVE-20230524-0003 - Cross Site Scripting

  • Security Risk: High.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: There were several instances of cross-site scripting identified in the application. These could be used with other vulnerabilities to gain access to protected content. To be successful, the user with privileged rights would have to follow a link from a malicious actor.
  • Investigation and Remediation/Response: Individual protection on each page/process has been replaced with a global sanitization script that will remove all instances of cross-site scripting currently and prevent future instances from occurring.

OVE-20230524-0004 - Session Fixation

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: The PrinterLogic security team has assessed this report and found it not to be valid (see Investigation and Remediation/Response below).
  • Vulnerability Description: The /admin/query/verify-login.php script did not issue a new session identifier after login. The concern is that an attacker could prime a known session ID for a user via Cross-Site Scripting (XSS), a phishing or watering hole attack, and then later access the application using the known session ID to bypass authentication.
  • Investigation and Remediation/Response: The issue has already been corrected; no changes would cause it to return in future updates.

OVE-20230524-0005 - Password in URL

  • Security Risk: Medium.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: It is possible to log in using query parameters. However, this allows passwords to leak to third parties via referrer headers, browser history, server logs, proxy logs, URL shortening services, etc. The passwords are encoded in the URL, but the encoding is reversible, so they can be decoded to plain text.
  • Investigation and Remediation/Response: While the software allows query parameters for logging in, no existing functionality uses query parameters for that purpose. As such, this is only a vulnerability if a user manually enters their username and password as part of the URL in the browser. The routes have been changed to disallow query parameters to prevent possible use.

OVE-20230524-0007 - Weak Password Encryption / Encoding

  • Security Risk: Medium.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: The application appeared to store passwords using unsalted SHA1 hashing and to transmit authentication data using a custom double base64 encoding.
  • Investigation and Remediation/Response: SHA1 has not been actively used in many years, but code remained for backward compatibility to authenticate against legacy passwords initially stored with a SHA1 hash. As such, there is no current vulnerability around SHA1 hashes, but we are removing support for SHA1 entirely, as backward compatibility is no longer needed. The double-encoded credentials were never intended to be irreversible, nor were they the primary line of defense. Their use is limited to POST parameters, where the primary security is the HTTPS protocol.

OVE-20230524-0008 - Insufficient CSRF Protection

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: The application does not enforce CSRF checks for the majority of its forms, even for the requests that have a value present in a header, cookie, or form; testing found that changing or removing the value had no actual impact on the success of the operation.
  • Investigation and Remediation/Response: The remediation process for this vulnerability has been successfully completed. However, we will continue to monitor and address any potential CSRF issues. Our ongoing efforts focus on securing the most critical legacy routes and protecting them against CSRF attacks. It is important to note that newly developed routes already incorporate CSRF checks as a standard security measure.
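The responses to OVE-20230524-0002, -0004, -0005, -0007 and -0008 above describe the same set of defensive patterns for a PHP login path: parameterized queries, credentials accepted only from a POST body, salted password hashing with migration away from legacy unsalted SHA1, a fresh session ID after authentication, and a CSRF token checked on every form submission. The following is an added illustration of those patterns in one handler; it is not Vasion's or PrinterLogic's own code. The PDO DSN and credentials, the `users` table and its columns, the form field names and the `/admin/` redirect target are all assumptions.

```php
<?php
// Added example (not Vasion/PrinterLogic code): a hardened login handler
// illustrating the fixes described in OVE-20230524-0002/-0004/-0005/-0007/-0008.
// The DSN, table, column and form field names below are assumptions.
declare(strict_types=1);

// --- Session cookie hardening: must run before session_start() ---
session_set_cookie_params([
    'secure'   => true,    // cookie is only sent over HTTPS
    'httponly' => true,    // cookie is not readable from JavaScript
    'samesite' => 'Lax',   // not sent on cross-site POSTs (defence in depth against CSRF)
]);
session_start();

// --- CSRF token: created once per session, embedded in every form, checked on submit ---
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random token
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(?string $submitted): bool {
    // hash_equals() compares in constant time so the token cannot be guessed byte by byte
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function fail(int $status, string $message): void {
    http_response_code($status);
    exit($message);
}

// --- Credentials are accepted only from the POST body, never from the query string ---
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'Method not allowed');
}
if (isset($_GET['username']) || isset($_GET['password'])) {
    fail(400, 'Credentials in the URL are not accepted');
}
if (!csrf_valid($_POST['csrf_token'] ?? null)) {
    fail(403, 'Invalid CSRF token');
}

$username = (string)($_POST['username'] ?? '');
$password = (string)($_POST['password'] ?? '');

// --- Parameterized query: user input is bound as data, never spliced into SQL text ---
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'db_password', [ // assumed DSN
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
$stmt->execute([':u' => $username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;

// Verify against a dummy hash when the user does not exist, so response timing
// does not reveal whether the username is valid.
$hash = $row !== null ? (string)$row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
$ok   = password_verify($password, $hash); // salted bcrypt/argon2 hashes; false for any other format

// Legacy unsalted SHA1 hash (40 hex chars): accept once, then rewrite it as a salted hash
if (!$ok && $row !== null && preg_match('/^[0-9a-f]{40}$/i', $hash)) {
    $ok = hash_equals(strtolower($hash), sha1($password));
    if ($ok) {
        $upgrade = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upgrade->execute([
            ':h'  => password_hash($password, PASSWORD_DEFAULT),
            ':id' => $row['id'],
        ]);
    }
}

if (!$ok || $row === null) {
    fail(401, 'Invalid username or password'); // same message for unknown user and bad password
}

// --- Session fixation: issue a brand-new session ID once the user is authenticated ---
session_regenerate_id(true);            // true: discard the pre-login session data
$_SESSION['user_id'] = (int)$row['id'];
unset($_SESSION['csrf_token']);         // rotate the CSRF token together with the session
csrf_token();

header('Location: /admin/');            // assumed post-login landing page
exit;
```

The legacy SHA1 branch exists only so that stored hashes can be migrated on the user's next successful login; once no 40-character hashes remain in the table, the branch can be deleted, which matches the "removing support for SHA1 entirely" step in the OVE-20230524-0007 response. `SameSite=Lax` rather than `Strict` is used so that a login reached through a cross-site redirect (for example from a single sign-on provider) still carries the session cookie; the CSRF token remains the primary control.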

OVE-20230524-0009 - Insufficient Antivirus Protection

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Not applicable
  • Status: The PrinterLogic security team has assessed this report and found it not to be valid (see Investigation and Remediation/Response below).
  • Vulnerability Description: Printer drivers are manually uploaded by admins and assigned to printers. In addition, the PrinterLogic application allows drivers containing known malicious code to be uploaded.
  • Investigation and Remediation/Response: Cryptographic signatures are checked at the time of installation, and drivers without that validation will not be able to be used within PrinterLogic. Anti-virus software installed on the end user’s machine is responsible for the desired anti-virus detection level. We do not attempt to bypass any security on the system.

OVE-20230524-0010 - Insufficient Authorization Checks

  • Security Risk: Critical.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: While the application supports several user levels, most of the individual PHP scripts do not implement granular access control based on roles and do not check RBAC rights but simply rely on an authentication check.
  • Investigation and Remediation/Response: No specific PHP scripts were identified in this vulnerability as having inappropriate authentication checks. However, the remediation is ongoing as we re-examine each script to ensure RBAC checks are applied correctly when appropriate.

OVE-20230524-0011 - Administrative User Email Enumeration

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: The PrinterLogic security team has assessed this report and found it not to be valid (see Investigation and Remediation/Response below).
  • Vulnerability Description: The forgot password function will confirm whether an email address exists and can be used to enumerate users/emails.
  • Investigation and Remediation/Response: This vulnerability was already fixed in versions released since the version these tests were run against.

OVE-20230524-0012 - Arbitrary Content Inclusion via Iframe

  • Security Risk: Critical.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: An arbitrary iframe URL could redirect the application using a ‘frame busting technique’ and then execute JavaScript or initiate file downloads from an untrusted source. This attack would only be successful if a user is deceived into following a link from a malicious actor and then further tricked into executing the downloaded unsafe content.
  • Investigation and Remediation/Response: This ability to redirect has been removed.

OVE-20230524-0013 - Remote Network Scanning (XSPA)/DoS

  • Security Risk: High.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: There are several PHP files that will initiate connections to a user-defined third-party server using LDAP protocols. This could be used to reach internal cloud services. No known exploits are possible from these pages, which simply test connectivity. Still, it might be possible to gain some form of information about internal resources or attempt to tie up internal resources which might lead to DoS conditions.
  • Investigation and Remediation/Response: For those using SaaS, this does not impact your internal network or security. Remediation has been developed to prevent unauthorized users from running connection tests and restrict user-defined addresses to strictly avoid connection attempts to internal cloud resources.

OVE-20230524-0014 - Insufficient Signature Validation

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Not applicable
  • Status: The PrinterLogic security team has assessed this report and found it not to be valid (see Investigation and Remediation/Response below).
  • Vulnerability Description: Printer drivers are manually uploaded by admins and assigned to printers. The PrinterLogic application allows drivers to be uploaded that are not cryptographically signed with valid certificates from a trusted authority.
  • Investigation and Remediation/Response: Cryptographic signatures are checked at the time of installation, and drivers without that validation will not be able to be used within PrinterLogic.

OVE-20230524-0015 - Device Impersonation

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: The PrinterLogic security team has assessed this report and found it not to be valid (see Investigation and Remediation/Response below).
  • Vulnerability Description: The Authorized Devices page with OAUTH tokens could be spoofed by renaming a host and impacting another authorized device's record in at least one place.
  • Investigation and Remediation/Response: A machine name identifies Authorized Devices and is an alias to indicate the device that's now been authorized for you in the system. This name is not functional and can’t be used maliciously. However, if a malicious actor already has access to your system, there are other ways within the software to accurately identify the device using its current name, IP address, etc.

OVE-20230524-0016 - OAUTH Security Bypass

  • Security Risk: High.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: This is a vulnerability where an already authenticated user may use their valid OAUTH credential to impersonate another user. This impersonation is limited exclusively to the ability to see another user’s held print jobs. This could allow a print job to be released early or to an alternative printer. This would not allow any digital access to the contents of any job. Additionally, this would not allow access to any information about current or previously printed jobs.
  • Investigation and Remediation/Response: This vulnerability is only possible if a malicious actor has already been granted access to the self-service portal and print job release portal using their identity. They would also need physical printer access to retrieve a document, as no digital access is possible.

    A setting in Vasion Print (formerly PrinterLogic SaaS) (also included in the next Virtual Appliance release) titled Enable "Automatic Self-service Portal and Release Portal" login has been added to the Portal Settings. This setting allows you to choose if end users remain logged into the Self-service and Release portals or if you want to require users to log in each time they wish to install a printer or release a job. This setting provides an additional option to increase security by requiring end users to log in, but it allows our existing customers not to be disrupted in how their end users interact with the Self-service and Release Portals today.

OVE-20230524-0017 - Cookie Returned in Response Body

  • Security Risk: Critical.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: The URL /admin/cookies returns the cookie values in the page body. This defeats the HttpOnly cookie security control, which is meant to prevent JavaScript from reading cookie values during a session hijacking attack. This would allow a bad actor to impersonate the user and gain access to the console maliciously.
  • Investigation and Remediation/Response: On its own, this vulnerability cannot be exploited. It must be used in conjunction with another vulnerability. We are working on measures to remove this URL.

OVE-20230524-0018 - Known Vulnerable Components in Use

  • Security Risk: Medium.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: Third-party JavaScript libraries can introduce a range of DOM-based vulnerabilities, including some that can be used to hijack user accounts like DOM-XSS.
  • Investigation and Remediation/Response: The PrinterLogic application has no known vulnerabilities or exploit methods associated with its libraries. However, to further minimize potential risks, there is a continuous effort to keep all software utilized by PrinterLogic updated to the latest available versions. Older versions are identified and replaced with newer versions as they approach their End-of-Life (EOL) phase. This ongoing development ensures that PrinterLogic consistently incorporates the most up-to-date libraries, fostering a secure and reliable environment.

April 2023

V-2023-007 — Supply Chain Attack

  • CVSS: 5.0
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.843 / Application v20.0.1923
  • CWE: 1361
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

March 2023

V-2023-006 — Hardcoded IdP Key

  • CVSS: 1.8
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.843 / Application v20.0.1923
  • CWE: 321
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2023-004 — Vulnerable OpenID Implementation

  • CVSS: 2.6
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.843 / Application v20.0.1923
  • CWE: 284
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

February 2023

V-2023-002 — Cross-Site Scripting in Reports

  • CVSS: 5.3
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.843 / Application v20.0.1923
  • CWE: 79
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2022-002 — Symbolic Links Allow Unprivileged File Interaction

  • CVSS: 3.2
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.843 / Application v20.0.1923
  • CWE: 250
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2023-003 — Dead / Insecure PHP Code

  • CVSS: 3.1
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.843 / Application v20.0.1923
  • CWE: 561
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2023-001 — Client Remote Code Execution

  • CVSS: 4.7
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.843 / Application v20.0.1923
  • CWE: 269
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2023-005 — Cross-Site Scripting in Badge Registration

  • CVSS: 5.6
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v22.0.843 / Application v20.0.1923
  • CWE: 79
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

August 2022

CVE-2022-32427

Recently, a security vulnerability was discovered in the Vasion Windows Client driver installation process. Vasion has completed remediation for CVE-2022-32427 via an updated Windows Client package.

Vulnerability Description

The Vasion Windows Client on or before Version 25.0.0.676 allows attackers to execute directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content.

Investigation and Remediation

Remediate this vulnerability by updating the Vasion Windows Client to Version 25.0.0.688 or later.

  • For Vasion Print (formerly PrinterLogic), reference Client Updates for steps on updating the Client.
  • For Virtual Appliance, update to Application build 20.0.1533+ which includes later Client versions. Reference Application Update for more information about updating. After the application update, reference Client Updates for steps on updating the Client.
  • For Web Stack, the latest Client download is here.
  • If you prefer to push the new Windows Client via third-party software, you’ll find the Client installation package (MSI) here.

April 2022

V-2024-004 — Insecure Firmware Image

  • CVSS: 5.1
  • Impact: Remediated in Vasion Print, Virtual Appliance Host v1.0.750 / Application v20.0.1442
  • CWE: 345
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

CVE-2022-22965

A security vulnerability that affects VMware products was reported in CVE-2022-22965. The issue does not impact Vasion software.

Vulnerability Description

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The exploit requires the application to run on Tomcat as a WAR deployment.

Investigation and Remediation

While some customers run their Vasion Virtual Appliance on VMware hypervisors, the Virtual Appliance is not at risk. Information about remediations for VMware software is available here.

March

CVE-2021-44142

An out-of-bounds vulnerability assigned to CVE-2021-44142 was recently disclosed in Samba versions prior to 4.13.17. This flaw involves an out-of-bounds heap read-write event in which remote attackers could execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit. The PrinterLogic Virtual Appliance is susceptible to this vulnerability and was remediated. This issue does not affect Vasion Print (formerly PrinterLogic SaaS).

Vulnerability Description

Samba is an implementation of the SMB protocol that provides file and printer interoperability with Windows platforms over the network. It is a widely installed software package, and many Linux-based IoT and network devices expose SMB services publicly by default.

The specific flaw exists in extended attribute (EA) metadata parsing when opening files in smbd, the Samba server daemon that provides file sharing and printing services to Windows clients. Write access to a file’s extended attributes is required to exploit this vulnerability; a guest or unauthenticated user could do this if they are allowed write access to file extended attributes.

The problem in vfs_fruit exists in the default configuration of the fruit VFS module, which uses fruit:metadata=netatalk or fruit:resource=file. If both options are set to values other than the defaults, the security issue does not affect the system. The Vasion Virtual Appliance Host has vfs_fruit enabled and required remediation.
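To make the exposure condition above concrete, here is an added checker (not Vasion code) that parses an smb.conf, applies the vfs_fruit defaults named in the bulletin, and reports which shares load the fruit module with an affected setting, plus a version test against 4.13.17. The sample configuration is constructed for illustration.

```python
"""Check a Samba smb.conf for the vfs_fruit exposure described for CVE-2021-44142.
Added example, not Vasion's code; SAMPLE_SMB_CONF is constructed, not a real config."""
import configparser
import re

FIXED_VERSION = (4, 13, 17)  # bulletin: releases prior to 4.13.17 are affected
# vfs_fruit defaults per the bulletin; either one being in effect means exposure
DEFAULTS = {"fruit:metadata": "netatalk", "fruit:resource": "file"}

SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
vfs objects = fruit streams_xattr
fruit:metadata = stream

[va_share]
path = /srv/samba/va
; inherits global vfs objects; fruit:resource still at its default 'file'

[hardened]
path = /srv/samba/hard
vfs objects = fruit streams_xattr
fruit:metadata = stream
fruit:resource = xattr

[plain]
path = /srv/samba/plain
vfs objects = streams_xattr
"""


def parse_smb_conf(text):
    """Samba keys are case-insensitive and may contain ':' (fruit:metadata),
    so only '=' is accepted as the key/value delimiter."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#", ";"),
                                   interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def version_is_affected(version):
    """True for Samba releases before 4.13.17 (e.g. '4.13.16-Ubuntu')."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < FIXED_VERSION


def fruit_exposed_shares(cp):
    """Shares that load vfs_fruit while fruit:metadata or fruit:resource is
    (explicitly or by default) at the affected value. Share settings override
    [global]; a share is safe only when BOTH options are changed."""
    glob = cp["global"] if cp.has_section("global") else {}
    exposed = []
    for share in cp.sections():
        if share == "global":
            continue
        sec = cp[share]
        if "fruit" not in sec.get("vfs objects", glob.get("vfs objects", "")).split():
            continue
        eff = {k: sec.get(k, glob.get(k, d)).strip().lower() for k, d in DEFAULTS.items()}
        if eff["fruit:metadata"] == "netatalk" or eff["fruit:resource"] == "file":
            exposed.append(share)
    return exposed
```

Run against a real smb.conf, the output lists the shares whose fruit settings still need changing (or where the module should simply be removed, as Vasion did).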

Investigation and Remediation

Vasion has removed the vfs_fruit module from the Virtual Appliance. We therefore recommend that Virtual Appliance customers on host versions 1.0.735 and earlier update their Virtual Appliance Host, which includes the latest application release. This update also includes other new functionality, as described in the release notes. You can find release notes for the Virtual Appliance in our 2022 Release Notes topic.

February

V-2022-004 — Client Inter-process Security

  • CVSS: 5.5
  • Impact: Remediated in Vasion Print (formerly PrinterLogic), Virtual Appliance Host v1.0.735 / Application v20.0.1330
  • CWE: 94
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2022-005 — Insecure Log Permissions

  • CVSS: 4.8
  • Impact: Remediated in Vasion Print (formerly PrinterLogic), Virtual Appliance Host v1.0.735 / Application v20.0.1330
  • CWE: 280
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2022-006 — Driver Upload Security

  • CVSS: 5.1
  • Impact: Remediated in Vasion Print (formerly PrinterLogic), Virtual Appliance Host v1.0.735 / Application v20.0.1330
  • CWE: 434
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

V-2022-003 — Debug Bundle Contains Sensitive Data

  • CVSS: 4.3
  • Impact: Remediated in Vasion Print (formerly PrinterLogic), Virtual Appliance Host v1.0.735 / Application v20.0.1330
  • CWE: 200
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

CVE-2021-4034

In late January, Vasion became aware of a vulnerability that affects many Linux distributions. As a result, the company has completed remediations in its Vasion Print (formerly PrinterLogic SaaS) and Virtual Appliance platforms.

Vulnerability Description

Polkit (formerly known as PolicyKit) is a systemd SUID-root program installed by default in every major Linux distribution. The pkexec application is a setuid tool that allows unprivileged users to run commands as privileged users according to predefined policies.

In the affected version of Polkit, pkexec does not handle the calling argument count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables that induce pkexec to execute arbitrary code. This escalates local privilege and gives unprivileged users administrative rights on the target machine.

A new version of Polkit was released that addresses this vulnerability. You can find more information in the CVE-2021-4034 document.

Investigation and Remediation

Vasion completed its investigation to determine how this vulnerability affects Vasion Print (formerly PrinterLogic SaaS) and Virtual Appliance. It was found that servers for both platforms contained the affected version of Polkit.

A patch is in place for both Vasion products with the latest version of Polkit recommended by Linux (0.105-20 Ubuntu 0.18.04.05 changed to 0.105-20 Ubuntu 0.18.04.06).

Because Vasion Print (formerly PrinterLogic SaaS) updates occur automatically, this remediation is already live.

Virtual Appliance customers with host versions 1.0.730 and earlier will need to update their Virtual Appliance host, including the latest application release. You can find release notes in our Release Notes topic.

January

V-2022-001 — Configuration File Contains CA & Private Key

  • CVSS: 4.0
  • Impact: Remediated in Vasion Print (formerly PrinterLogic), Virtual Appliance Host v1.0.735 / Application v20.0.1330
  • CWE: 321
  • Credit: This vulnerability was reported to Vasion by Pierre Barre.

CVEs

Recently, security vulnerabilities were discovered in Web Stack versions 19.1.1.13 SP9 and below. Vasion has completed corrective measures to remediate each vulnerability, and updates are available now for Web Stack and the Virtual Appliance. Updates occurred automatically with Vasion Print (formerly PrinterLogic) and are live worldwide. A summary of the vulnerabilities and the corrective actions Vasion has taken is below. Links to the respective CVEs will be added once they are available.

CVE-2021-42631

  • Status: Fixed in Vasion Print (formerly PrinterLogic), Virtual Appliance, and Web Stack.
  • Vulnerability Description: CVE-2021-42631, Object Injection leading to RCE (CVSS 8.1).
  • Investigation and Remediation/Response: The affected endpoints were reorganized so they no longer use objects passed as parameters (removing the vulnerability). The vulnerable function “unserialize()” is no longer used.

CVE-2021-42633

  • Status: Fixed in Vasion Print (formerly PrinterLogic), Virtual Appliance, and Web Stack.
  • Vulnerability Description: CVE-2021-42633, SQLi may disclose audit logs (CVSS 0).
  • Investigation and Remediation/Response: The SQLi code was never used. The offending pages were removed.

CVE-2021-42639

  • Status: Fixed in Vasion Print (formerly PrinterLogic), Virtual Appliance, and Web Stack.
  • Vulnerability Description: CVE-2021-42639, misc reflected XSS (CVSS 4.0).
  • Investigation and Remediation/Response: All reflected XSS vulnerabilities were identified and removed, or their inputs were escaped or sanitized.

CVE-2021-42640

  • Status: Fixed in Vasion Print (formerly PrinterLogic), Virtual Appliance, and Web Stack.
  • Vulnerability Description: CVE-2021-42640, driver assignment IDOR (CVSS 3.8).
  • Investigation and Remediation/Response: RBAC security was added to routes that were allowing access to sensitive objects/data.

CVE-2021-42641

  • Status: Fixed in Vasion Print (formerly PrinterLogic), Virtual Appliance, and Web Stack.
  • Vulnerability Description: CVE-2021-42641, username/email info disclosure (CVSS 2.0).
  • Investigation and Remediation/Response: RBAC security was added to routes that were allowing access to sensitive objects/data.

CVE-2021-42642

  • Status: Fixed in Vasion Print (formerly PrinterLogic), Virtual Appliance, and Web Stack.
  • Vulnerability Description: CVE-2021-42642, printer console username/password info disclosure (CVSS 4.0).
  • Investigation and Remediation/Response: RBAC security was added to routes that were allowing access to sensitive objects/data.

Remediation

  • Vasion Print (formerly PrinterLogic): Our SaaS platform performs automatic updates. Remediations are live worldwide. No customer action is needed.
  • Virtual Appliance: Upgrade to Host build 1.0.711+ which includes an updated Application version.
  • Web Stack: Upgrade to 19.1.1.13 SP10-2.

The Web Stack solution has reached EOL; customers using Web Stack should reach out to their Vasion representative to discuss migration to Vasion Print (formerly PrinterLogic) or the Virtual Appliance solution.

December

CVE-2021-44228

The Log4j vulnerability, documented in CVE-2021-44228, is a remote code execution vulnerability in Log4j. This framework is used for logging within many software solutions. The Log4j library is vulnerable to Remote Command Execution (RCE), which means a remote attacker can execute commands over the network on software that contains the vulnerable Log4j versions.

Investigation and Remediation

Vasion is aware of the issue and has not found any evidence of exploitation or vulnerability with our products. Additionally, Vasion products, including Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Vasion ST, do not depend on the affected Log4j libraries. Therefore, these products are not vulnerable to the referenced CVE-2021-44228.

Our security team will continue to monitor the situation. If our assessment changes, we will publish our findings and recommendations in this bulletin.

July

CVE-2021-34527

PrintNightmare, documented in CVE-2021-34527, is a remote code execution vulnerability in the Windows Print Spooler. This vulnerability is exposed through specific inbound Remote Procedure Calls (RPC), which are used to add printers and related drivers. This can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

Vasion Solution

With Vasion Print's (formerly PrinterLogic SaaS) Managed Direct IP Printing solution, print jobs are always spooled locally using the local print spooler on the originating workstation. Since Vasion Print (formerly PrinterLogic) does not use RPC to access the Windows Print Spooler, a Vasion Print (formerly PrinterLogic) Managed Direct IP print environment is entirely unaffected when the mitigation steps detailed in the CVE (option 2) are followed as Microsoft recommends. This ensures the attack vector is closed on all machines running the Windows Print Spooler while allowing users to continue safely printing using Vasion Print (formerly PrinterLogic)’s Managed Direct IP solution.

Microsoft has released a patch for this vulnerability. Vasion highly recommends all customers install the July 2021 Out-of-band update on all Windows systems. For details, see KB5004945 and KB5004946.

What about Point and Print?

According to Microsoft documentation, Point and Print is a term that refers to the capability of allowing a user on a Windows 2000 and later client to create a connection to a remote printer without providing disks or other installation media. Instead, all necessary files and configuration information are automatically downloaded from the print server to the client.

This applies explicitly to print queues installed from a Windows print server and does not impact users' ability to install print queues from the Vasion Print (formerly PrinterLogic) Self-service Portal.

As part of the July 2021 Out-of-band update, a registry setting is checked to restrict the installation of new unsigned printer drivers to Administrators only. Since Vasion Print (formerly PrinterLogic) only allows signed Type 3 drivers to be used and the Vasion Print (formerly PrinterLogic) Client is solely responsible for managed print driver installation, this setting will not adversely affect Vasion customers.

While this registry setting does not impact a Vasion Print (formerly PrinterLogic) Managed Direct IP environment, following security best practices, Vasion still recommends that all customers enable this registry setting as recommended by Microsoft:

  • Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • Value: RestrictDriverInstallationToAdministrators
  • Type: REG_DWORD
  • Data: 1

Caveats

Printers configured as shared printers or with Windows Print Server Links will cease to function properly if inbound remote printing is disabled on the Windows Print server. Therefore, Vasion recommends converting these printers to Managed Direct IP print queues to avoid this and future Windows Print Spooler vulnerabilities.

References