Security Bulletin

PrinterLogic maintains a robust security program as an ISO 27001:2013 and SOC2 Type 2 certified solution to promptly address any and all security vulnerabilities when discovered. Meeting the ISO standard involves an extensive process of becoming ISO-compliant to better meet our customers’ business, legal, and regulatory requirements. As a globally-recognized security program, maintaining an ISO certification shows a commitment to executing high-quality security practices and improving our security posture through defined processes and documentation.

Our security policies, articulated here, detail these certifications as well as our approach to:

  • Physical Security
  • Network Security
  • Application Security
  • Training
  • Data Protection

Our Vasion Trust Center describes in detail the security tests we have run, the policies that we apply and adhere to, and the monitoring tests we run on a regular basis.

Bulletins

October

Vasion has taken the necessary steps to remediate a vulnerability within the Virtual Appliance. A CVE will be linked once available.

  • Security Risk: High.
  • Incidents: No instances of this vulnerability have been seen or reported.
  • Impact: Vasion Virtual Appliance.
  • Vulnerability Description: Remote code execution (RCE) and password disclosure via the API.
  • Status: Remediated in Host Build 22.0.1002.

Vasion strongly recommends upgrading to Host Build 22.0.1002 which includes an updated Application Build 20.0.2614. The Release Notes topic includes links and details for the updated build.

February

CVE-2024-21626

Vasion has taken the necessary steps to remediate any vulnerabilities associated with CVE-2024-21626.

  • Security Risk: High.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (Formerly PrinterLogic SaaS), Virtual Appliance.
  • Status: Fixed in Vasion Print (Formerly PrinterLogic SaaS), Virtual Appliance.
  • Vulnerability Description: Container breakout vulnerability in the runc container runtime, one of the set of issues commonly known as the "Leaky Vessels" vulnerabilities.

Investigation and Remediation

Vasion has taken the necessary steps to remediate any container breakout vulnerabilities associated with CVE-2024-21626, commonly known as the “Leaky Vessels” vulnerability. The underlying flaw is in the runc container runtime, and the fix is to run a runc release that includes the upstream patch (1.1.12 or later).

July

Vasion remediated three vulnerabilities within the Windows Client related to the following CVEs. Follow the instructions in the Investigation and Remediation section below to address these security concerns.

CVE-2023-33704

A vulnerability was discovered in the Vasion Windows Client installation process. Vasion has completed remediation for CVE-2023-33704 via an updated Windows Client package.

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Vulnerability Description: The Vasion Windows Client before Version 25.0.0.897 allows attackers to install print drivers from arbitrary hosts using named pipe token impersonation.

CVE-2023-32232

A security vulnerability was discovered in the Vasion Windows Client installation process. Vasion has completed remediation for CVE-2023-32232 via an updated Windows Client package.

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Vulnerability Description: The Vasion Windows Client before Version 25.0.0.864 allows attackers to spawn a System command prompt during the install/repair function.

CVE-2023-32231

A security vulnerability was discovered in the Vasion Windows Client installation process. Vasion has completed remediation for CVE-2023-32231 via an updated Windows Client package.

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Vulnerability Description: The Vasion Windows Client before Version 25.0.0.864 is vulnerable to Dynamic Link Library (DLL) hijacking. A non-admin user could plant malicious DLLs that the installer loads during installation, giving them code execution as SYSTEM.

Investigation and Remediation

Remediate the three vulnerabilities above by updating the Vasion Windows Client to Version 25.0.0.897 or later. Release notes for Client versions are available here.

  • For Virtual Appliance, reference Client Updates for steps on updating the Client.
  • For Virtual Appliance, update to Application build 20.0.1923+ which includes later Client versions. Reference Application Updates for more information about updating. After the application update, reference Client Updates for steps on updating the Client.
  • For Web Stack, the latest Client download is here.
  • If you prefer to push the new Windows Client via third-party software, you’ll find the Client installation package (MSI) here.

May

Vasion has already taken steps to remediate the following OVEs. These were reported in February 2023 against an older product version. Since then, we have blocked the possible entry points for an attack.

The ‘Security Risk’ rating Vasion assigns to each finding reflects how we prioritized our response. It does not by itself imply that the finding posed a significant risk; in most cases, the actual risk was low. Nevertheless, we remain committed to removing vulnerabilities and ensuring the security of our customers' environments.

These issues apply to Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance, and are called out in each OVE below. For PrinterLogic SaaS, resolutions and fixes are applied in production as soon as they are available. For the Virtual Appliance, fixes are applied with the next update, Host build 22.0.843 and Application build 20.0.1923, released in June 2023.

OVE-20230524-0001 - Authentication Bypass

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: Individual PHP files must consistently implement authentication and authorization checks. However, specific administrative files were missing authentication checks which could allow unauthenticated access to administrative scripts via their direct URLs.
  • Investigation and Remediation/Response: Most vulnerable routes had already been corrected since the version these tests were run against or were already implementing security appropriate for the route. However, we continue to investigate any possible vulnerabilities of this nature and are implementing more comprehensive security measures to prevent potential future vulnerabilities.

OVE-20230524-0002 - SQL Injection

  • Security Risk: High.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: The application does not use parameterized queries when retrieving data. Instead, it uses a custom DAO framework that utilizes several escaping functions that attempt to prevent SQL injection using various string handling functions. The specifically identified vulnerable function is not used with user-supplied data and cannot be abused. All other identified injection points had already been identified and corrected since the version these tests were performed against.
  • Investigation and Remediation/Response: The development process enforces investigation to identify any missing protection on existing pages. All new pages use parameterized queries which protects against future SQL injection points.
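
The finding above contrasts a custom escaping layer with parameterized queries. The following is an added example, written for this bulletin and not taken from the product's code base, that shows why escaping alone is not a defense: an escaping helper that doubles quote characters does nothing when the value is interpolated into an unquoted numeric position. The table, column names and the `escapeLikeCustomDao` helper are constructed for illustration; the data lives in an in-memory SQLite database so the script runs offline.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE printers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO printers (id, name) VALUES (1, 'lobby-mfp'), (2, 'hr-laser'), (3, 'finance-mfp')");

// Vulnerable pattern: a home-grown escaping helper plus string concatenation.
// Doubling quotes does nothing for a value interpolated into an unquoted numeric context.
function escapeLikeCustomDao(string $value): string
{
    return str_replace("'", "''", $value);
}

function findPrinterUnsafe(PDO $pdo, string $id): array
{
    $sql = 'SELECT id, name FROM printers WHERE id = ' . escapeLikeCustomDao($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: validate the shape of the input, then bind it as a parameter.
// The value is sent separately from the SQL text, so it can never change the query's structure.
function findPrinterSafe(PDO $pdo, string $id): array
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('printer id must be a non-negative integer');
    }
    $stmt = $pdo->prepare('SELECT id, name FROM printers WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = '1 OR 1=1';   // constructed attacker input: no quote characters, so escaping never triggers

echo 'unsafe: ', count(findPrinterUnsafe($pdo, $payload)), " row(s) for payload\n";
try {
    findPrinterSafe($pdo, $payload);
} catch (InvalidArgumentException $e) {
    echo 'safe:   payload rejected (', $e->getMessage(), ")\n";
}
echo 'safe:   ', count(findPrinterSafe($pdo, '1')), " row(s) for a well-formed id\n";
```

With the payload, the concatenated query becomes `SELECT id, name FROM printers WHERE id = 1 OR 1=1`, which returns the whole table; the prepared statement never sees the payload as SQL at all. The same applies to `LIKE` patterns, `ORDER BY` columns and `LIMIT` values, which is why a per-call escaping helper is hard to get right and a parameterized query is the policy worth enforcing on every page.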

OVE-20230524-0003 - Cross Site Scripting

  • Security Risk: High.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status : Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: There were several instances of cross-site scripting identified in the application. These could be used with other vulnerabilities to gain access to protected content. To be successful, the user with privileged rights would have to follow a link from a malicious actor.
  • Investigation and Remediation/Response: Individual protection on each page/process has been replaced with a global sanitization script that will remove all instances of cross-site scripting currently and prevent future instances from occurring.
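
The response above describes a global sanitization script applied on input. A caveat a practitioner would want: input-side filtering does not know which context (HTML body, attribute, inline script) a value will later be rendered into, and cross-site scripting does not require a `<script>` tag. The following added example, not part of the product or this bulletin, puts a naive tag-stripping filter beside context-aware output encoding with PHP's own `htmlspecialchars` and `json_encode`. The payloads are constructed attacker inputs.

```php
<?php
declare(strict_types=1);

// Input-side "sanitization": strip <script> tags. Easy to bypass because XSS does not
// need a script tag, and because the filter does not know where the value will be rendered.
function stripScriptTags(string $input): string
{
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '', $input) ?? '';
}

// Output-side encoding for an HTML text or attribute context. ENT_QUOTES covers both quote
// styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Output-side encoding for a value embedded in an inline <script> block. JSON_HEX_TAG turns
// < and > into \u003C and \u003E, so a value containing "</script>" cannot close the block.
function js(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Constructed attacker inputs.
$payloads = [
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',        // no script tag: survives the input filter untouched
    '" autofocus onfocus=alert(1) x="',    // attribute breakout: also survives the input filter
];

foreach ($payloads as $p) {
    $filtered = stripScriptTags($p);
    echo "input-filter only : <input value=\"{$filtered}\">\n";
    echo "output-encoded    : <input value=\"" . e($p) . "\">\n";
    echo "inline script     : var printerName = " . js($p) . ";\n\n";
}
```

Running the script shows that only the first payload is changed by the filter, while `e()` and `js()` neutralize all three because they encode for the exact context in which the value is written. A global filter is a reasonable defense in depth; output encoding at the template layer is the control that actually closes the class of bug.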

OVE-20230524-0004 - Session Fixation

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: The PrinterLogic security team has assessed this report and found it not to be valid (see Investigation and Remediation/Response below).
  • Vulnerability Description: The /admin/query/verify-login.php script did not issue a new session identifier after login. The concern is that an attacker could prime a known session ID for a user via Cross-Site Scripting (XSS), a phishing or watering hole attack, and then later access the application using the known session ID to bypass authentication.
  • Investigation and Remediation/Response: The issue has already been corrected; no changes would cause it to return in future updates.

OVE-20230524-0005 - Password in URL

  • Security Risk: Medium.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: It is possible to log in using query parameters. This allows passwords to leak to third parties via referrer headers, browser history, server logs, proxy logs, URL shortening services, etc. The passwords are encoded in the URL, not encrypted, so anyone who captures the URL can decode them to plaintext.
  • Investigation and Remediation/Response: While the software allows query parameters for logging in, no existing functionality uses query parameters for that purpose. As such, this is only a vulnerability if a user manually enters their username and password as part of the URL in the browser. The routes have been changed to disallow query parameters to prevent possible use.

OVE-20230524-0006 - Plaintext Passwords in Logs

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Status: Fixed in Virtual Appliance.
  • Vulnerability Description: The application was found to log request data from the multi-function devices (MFD), which may include passwords, as plaintext. The potential vulnerability is that these could be used to gain entry to the machine and network.
  • Investigation and Remediation/Response: Only an administrator of the Virtual Appliance has access to the logs. As such, anyone able to read the logs would already have access to the entire contents of the Virtual Appliance, and the administrative credentials for a printer would be inconsequential to someone with that level of system access. The log messages have been removed as they are not necessary.

OVE-20230524-0007 - Weak Password Encryption / Encoding

  • Security Risk: Medium.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: The application appeared to store passwords using unsalted SHA1 hashing and to transmit authentication data using a custom double base64 encoding.
  • Investigation and Remediation/Response: SHA1 has not been actively used in many years, but code remained for backward compatibility to authenticate against legacy passwords initially stored with a SHA1 hash. As such, there is no current vulnerability around SHA1 hashes, but we are removing support for SHA1 entirely, as backward compatibility is no longer needed. The double-encoded credentials were never intended to be irreversible, nor were they the primary line of defense; their use is limited to POST parameters, where the primary protection is HTTPS.
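
The two findings above (OVE-20230524-0005 and OVE-20230524-0007) turn on the same distinction: encoding is reversible, hashing should not be, and a legacy unsalted hash should be upgraded the moment the user next authenticates. The following added example, written for this bulletin and not the product's code, shows a verify-and-upgrade login path that accepts a legacy unsalted SHA-1 record once, replaces it with a salted bcrypt hash from `password_hash`, and then only accepts the new format; it also shows how little a "double base64" credential hides. The 40-hex-character legacy format, the user record and the credential string are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Assumed legacy format for illustration: an unsalted hex SHA-1 digest (40 hex characters).
function isLegacySha1(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{40}$/', $stored);
}

// Verify a login against either format and, on success, transparently upgrade a legacy
// record to a salted bcrypt hash. Returns [ok, newHashToStoreOrNull].
function verifyAndUpgrade(string $password, string $stored): array
{
    if (isLegacySha1($stored)) {
        $ok = hash_equals($stored, sha1($password));          // constant-time comparison
        return [$ok, $ok ? password_hash($password, PASSWORD_BCRYPT) : null];
    }
    $ok = password_verify($password, $stored);
    $new = ($ok && password_needs_rehash($stored, PASSWORD_BCRYPT))
        ? password_hash($password, PASSWORD_BCRYPT)            // cost factor raised since storing
        : null;
    return [$ok, $new];
}

// Encoding is not encryption: a "double base64" credential decodes back to plaintext in two
// calls, which is why such a value must only ever travel in an HTTPS request body.
function decodeDoubleBase64(string $blob): string
{
    $inner = base64_decode($blob, true);
    $plain = $inner === false ? false : base64_decode($inner, true);
    return $plain === false ? '' : $plain;
}

// Constructed user record holding a legacy hash.
$users = ['alice' => sha1('correct horse')];

[$ok, $new] = verifyAndUpgrade('correct horse', $users['alice']);
if ($ok && $new !== null) {
    $users['alice'] = $new;                                   // persist the upgraded hash
}
[$okAgain] = verifyAndUpgrade('correct horse', $users['alice']);
[$bad]     = verifyAndUpgrade('wrong password', $users['alice']);

printf("record upgraded to bcrypt: %s\n", strncmp($users['alice'], '$2y$', 4) === 0 ? 'yes' : 'no');
printf("login still works: %s; wrong password rejected: %s\n", $okAgain ? 'yes' : 'no', $bad ? 'no' : 'yes');

$blob = base64_encode(base64_encode('alice:hunter2'));      // constructed "encoded" credential
printf("double-base64 credential decodes to: %s\n", decodeDoubleBase64($blob));
```

Once every active user has logged in at least once, the `isLegacySha1` branch can be deleted, which is the end state the response above describes; accounts that never come back can be forced through a password reset rather than left on the old format.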

OVE-20230524-0008 - Insufficient CSRF Protection

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: The application does not enforce CSRF checks for the majority of its forms, even for the requests that have a value present in a header, cookie, or form; testing found that changing or removing the value had no actual impact on the success of the operation.
  • Investigation and Remediation/Response: The remediation process for this vulnerability has been successfully completed. However, we will continue to monitor and address any potential CSRF issues. Our ongoing efforts focus on securing the most critical legacy routes and protecting them against CSRF attacks. It is important to note that newly developed routes already incorporate CSRF checks as a standard security measure.
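
The finding above is notable for how it was detected: a token was present, but changing or removing it had no effect, which means the check did not exist. The following added example, written for this bulletin and not taken from the product, shows a per-session CSRF token issued with `random_bytes`, compared with `hash_equals`, and exercised against exactly the three cases a tester would try: token removed, token altered, token empty. The session array and form posts are constructed.

```php
<?php
declare(strict_types=1);

// Issue one token per session, created lazily and stored only server-side in the session.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf']) || !is_string($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Validate a state-changing request. The failure mode in the finding is a check that accepts
// any value (or none); this one rejects missing, empty and mismatched tokens.
function csrfValid(array $session, array $post): bool
{
    $expected = $session['csrf'] ?? null;
    $given    = $post['_token'] ?? null;
    if (!is_string($expected) || !is_string($given) || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);   // constant-time comparison
}

// Constructed session and form submissions.
$session = [];
$token   = csrfToken($session);

$cases = [
    'legitimate form'   => ['_token' => $token],
    'token removed'     => [],
    'token changed'     => ['_token' => substr($token, 0, -1) . 'x'],
    'token sent empty'  => ['_token' => ''],
];
foreach ($cases as $label => $post) {
    printf("%-18s -> %s\n", $label, csrfValid($session, $post) ? 'accepted' : 'rejected');
}
```

Only the first case should be accepted. Setting the session cookie with `SameSite=Lax` (or `Strict`) is a useful second layer, since modern browsers then omit the cookie from cross-site form posts, but it does not replace the token check for legacy routes that older browsers or embedded clients may still hit.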

OVE-20230524-0009 - Insufficient Antivirus Protection

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Not applicable
  • Status: The PrinterLogic security team has assessed this report and found it not to be valid (see Investigation and Remediation/Response below).
  • Vulnerability Description: Printer drivers are manually uploaded by admins and assigned to printers. In addition, the PrinterLogic application allows drivers containing known malicious code to be uploaded.
  • Investigation and Remediation/Response: Cryptographic signatures are checked at the time of installation, and drivers without that validation will not be able to be used within PrinterLogic. Anti-virus software installed on the end user’s machine is responsible for the desired anti-virus detection level. We do not attempt to bypass any security on the system.

OVE-20230524-0010 - Insufficient Authorization Checks

  • Security Risk: Critical.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: While the application supports several user levels, most of the individual PHP scripts do not implement granular access control based on roles and do not check RBAC rights but simply rely on an authentication check.
  • Investigation and Remediation/Response: No specific PHP scripts were identified in this vulnerability as having inappropriate authentication checks. However, the remediation is ongoing as we re-examine each script to ensure RBAC checks are applied correctly when appropriate.
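
OVE-20230524-0001 and OVE-20230524-0010 above are two faces of the same design problem: when every PHP script is responsible for its own authentication and role check, a script that forgets the check fails open. The following added example, written for this bulletin and not taken from the product, moves both checks into a single gate that a front controller runs before including any admin script. Scripts that are not registered in the route table are denied, so an unregistered new file fails closed. The role names, route paths and sessions are constructed; the product's real roles are not described on this page.

```php
<?php
declare(strict_types=1);

// Role hierarchy assumed for illustration.
const ROLE_RANK = ['viewer' => 1, 'operator' => 2, 'admin' => 3];

// Every admin script must appear here with its minimum role. A script that is not listed
// is denied, so forgetting to register a new file fails closed instead of open.
const ROUTE_ROLES = [
    '/admin/query/printers.php' => 'viewer',
    '/admin/query/assign.php'   => 'operator',
    '/admin/query/users.php'    => 'admin',
];

function authorize(?array $session, string $path): string
{
    if ($session === null || empty($session['user_id'])) {
        return 'deny: not authenticated';
    }
    $required = ROUTE_ROLES[$path] ?? null;
    if ($required === null) {
        return 'deny: route not registered';
    }
    $have = ROLE_RANK[$session['role'] ?? ''] ?? 0;
    if ($have < ROLE_RANK[$required]) {
        return "deny: needs {$required}";
    }
    return 'allow';
}

// Front-controller use: run the gate once for every request before including the target
// script, instead of relying on each script to call a check itself.
function dispatch(?array $session, string $path): string
{
    $decision = authorize($session, $path);
    if ($decision !== 'allow') {
        return "403 {$decision}";           // real code: http_response_code(403); exit;
    }
    return "200 include {$path}";           // real code: require __DIR__ . $path;
}

// Constructed sessions and requests.
$anon     = null;
$viewer   = ['user_id' => 7,  'role' => 'viewer'];
$operator = ['user_id' => 12, 'role' => 'operator'];

foreach ([
    [$anon,     '/admin/query/printers.php'],
    [$viewer,   '/admin/query/printers.php'],
    [$viewer,   '/admin/query/users.php'],
    [$operator, '/admin/query/assign.php'],
    [$operator, '/admin/query/legacy-export.php'],   // never registered: denied by default
] as [$session, $path]) {
    printf("%-8s %-32s -> %s\n", $session['role'] ?? 'anon', $path, dispatch($session, $path));
}
```

To make the gate unavoidable, the web server must route every request under `/admin/` to the front controller (a rewrite rule) rather than serving the PHP files directly; otherwise a direct URL to a script still bypasses it, which is precisely the path OVE-20230524-0001 describes.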

OVE-20230524-0011 - Administrative User Email Enumeration

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: The PrinterLogic security team has assessed this report and found it not to be valid (see Investigation and Remediation/Response below).
  • Vulnerability Description: The forgot password function will confirm whether an email address exists and can be used to enumerate users/emails.
  • Investigation and Remediation/Response: This vulnerability was already fixed in versions released since the version these tests were run against.

OVE-20230524-0012 - Arbitrary Content Inclusion via Iframe

  • Security Risk: Critical.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: An arbitrary iframe URL could redirect the application using a ‘frame busting technique’ and then execute JavaScript or initiate file downloads from an untrusted source. This attack would only be successful if a user is deceived into following a link from a malicious actor and then further tricked into executing the downloaded unsafe content.
  • Investigation and Remediation/Response: This ability to redirect has been removed.

OVE-20230524-0013 - Remote Network Scanning (XSPA)/DoS

  • Security Risk: High.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: There are several PHP files that will initiate connections to a user-defined third-party server using LDAP protocols. This could be used to reach internal cloud services. No known exploits are possible from these pages, which simply test connectivity. Still, it might be possible to gain some form of information about internal resources or attempt to tie up internal resources which might lead to DoS conditions.
  • Investigation and Remediation/Response: For those using the Virtual Appliance, a malicious actor would already have to be on the internal network to reach these pages. Using them to access or scan the internal network would therefore be redundant, since the actor is already directly connected.
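
Connectivity-test pages that take a user-supplied host are the classic cross-site port attack (XSPA) and SSRF surface. The following added example, written for this bulletin and not taken from the product, shows the check a practitioner would put in front of such a page: restrict the port to LDAP ports, resolve the host, and refuse any destination that lands in loopback, private, link-local or reserved space. The resolver is injected so the check runs offline against a constructed DNS map; in production it would wrap `gethostbynamel()` or `dns_get_record()`. The hostnames and addresses are constructed.

```php
<?php
declare(strict_types=1);

// True only for addresses outside loopback, private, link-local and reserved ranges.
// FILTER_FLAG_NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
// FILTER_FLAG_NO_RES_RANGE:  0/8, 127/8, 169.254/16, 240/4, ::1/128, ::/128, fe80::/10, ...
function isPublicAddress(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * @param callable(string): array<int,string> $resolve  hostname -> list of IPs
 * @return array{0: bool, 1: string}  [allowed, reason]
 */
function checkLdapTarget(string $host, int $port, callable $resolve): array
{
    if ($port !== 389 && $port !== 636) {
        return [false, "port {$port} is not an LDAP port"];   // no arbitrary port probing
    }
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($ips === []) {
        return [false, 'unresolvable host'];
    }
    // Every resolved address must be public; a single internal A record is enough to pivot.
    foreach ($ips as $ip) {
        if (!isPublicAddress($ip)) {
            return [false, "{$host} resolves to non-public address {$ip}"];
        }
    }
    return [true, 'ok'];
}

// Constructed resolver map standing in for DNS.
$fakeDns = [
    'ldap.example.com'     => ['203.0.113.10'],
    'metadata.internal'    => ['169.254.169.254'],
    'rebind.attacker.test' => ['203.0.113.20', '10.0.0.5'],   // split answer: one public, one internal
];
$resolve = static function (string $h) use ($fakeDns): array {
    return $fakeDns[$h] ?? [];
};

foreach ([
    ['ldap.example.com',     636],
    ['127.0.0.1',            389],
    ['metadata.internal',    389],
    ['rebind.attacker.test', 389],
    ['ldap.example.com',     6379],
] as [$host, $port]) {
    [$ok, $why] = checkLdapTarget($host, $port, $resolve);
    printf("%-22s:%-5d -> %s (%s)\n", $host, $port, $ok ? 'allow' : 'block', $why);
}
```

Only the first request should be allowed. Two caveats: the check and the later connection must not resolve the name independently, or a DNS rebinding answer can pass the check and then point the real connection at an internal address, so connect to the validated IP rather than the hostname; and for a SaaS deployment an explicit allowlist of customer-registered LDAP servers is simpler and stronger than a denylist of address ranges.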

OVE-20230524-0014 - Insufficient Signature Validation

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Not applicable
  • Status: The PrinterLogic security team has assessed this report and found it not to be valid (see Investigation and Remediation/Response below).
  • Vulnerability Description: Printer drivers are manually uploaded by admins and assigned to printers. The PrinterLogic application allows drivers to be uploaded that are not cryptographically signed with valid certificates from a trusted authority.
  • Investigation and Remediation/Response: Cryptographic signatures are checked at the time of installation, and drivers without that validation will not be able to be used within PrinterLogic.

OVE-20230524-0015 - Device Impersonation

  • Security Risk: Low.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: The PrinterLogic security team has assessed this report and found it not to be valid (see Investigation and Remediation/Response below).
  • Vulnerability Description: The Authorized Devices page with OAUTH tokens could be spoofed by renaming a host, impacting another authorized device's record in at least one place.
  • Investigation and Remediation/Response: A machine name identifies Authorized Devices and is an alias to indicate the device that's now been authorized for you in the system. This name is not functional and can’t be used maliciously. However, if a malicious actor already has access to your system, there are other ways within the software to accurately identify the device using its current name, IP address, etc.

OVE-20230524-0016 - OAUTH Security Bypass

  • Security Risk: High.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: This is a vulnerability where an already authenticated user may use their valid OAUTH credential to impersonate another user. This impersonation is limited exclusively to the ability to see another user’s held print jobs. This could allow a print job to be released early or to an alternative printer. This would not allow any digital access to the contents of any job. Additionally, this would not allow access to any information about current or previously printed jobs.
  • Investigation and Remediation/Response: This vulnerability is only possible if a malicious actor has already been granted access to the self-service portal and print job release portal using their identity. They would also need physical printer access to retrieve a document, as no digital access is possible.

    A setting in Vasion Print (formerly PrinterLogic SaaS) (also included in the next Virtual Appliance release) titled Enable "Automatic Self-service Portal and Release Portal" login has been added to the Portal Settings. This setting allows you to choose if end users remain logged into the Self-service and Release portals or if you want to require users to log in each time they wish to install a printer or release a job. This setting provides an additional option to increase security by requiring end users to log in, but it allows our existing customers not to be disrupted in how their end users interact with the Self-service and Release Portals today. You can find more information on this setting in the Portal Settings topic.

OVE-20230524-0017 - Cookie Returned in Response Body

  • Security Risk: Critical.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: The URL /admin/cookies returns the cookie values in the page body. This defeats the HttpOnly cookie attribute, the control that prevents JavaScript from reading cookie values during a session hijacking attack. Combined with a script-injection flaw, this would allow a bad actor to impersonate the user and gain access to the console.
  • Investigation and Remediation/Response: On its own, this vulnerability cannot be exploited. It must be used in conjunction with another vulnerability. We are working on measures to remove this URL.
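
OVE-20230524-0004 and OVE-20230524-0017 above both concern the session identifier: the first is about an ID that survives login, the second about an endpoint that hands the ID to page scripts despite HttpOnly. The following added example, written for this bulletin and not taken from the product, models PHP's session handling with a small in-memory store so the fixation scenario can be run without a web server. `regenerate()` does what `session_regenerate_id(true)` does, and `sessionCookie()` builds the Set-Cookie header with the attributes that matter. The store class, the login flow and the session IDs are constructed.

```php
<?php
declare(strict_types=1);

// Minimal in-memory session store standing in for PHP's session handler.
final class SessionStore
{
    /** @var array<string, array<string, mixed>> */
    private array $sessions = [];

    // Only honour IDs the server itself issued. Adopting an unknown client-supplied ID
    // is what lets an attacker pre-choose ("fixate") the victim's session identifier.
    public function start(?string $requestedId): string
    {
        if ($requestedId !== null && isset($this->sessions[$requestedId])) {
            return $requestedId;
        }
        $id = $this->newId();
        $this->sessions[$id] = [];
        return $id;
    }

    // Equivalent of session_regenerate_id(true): move the data to a fresh ID and delete the
    // old one, so an attacker who planted the old ID is left holding nothing.
    public function regenerate(string $oldId): string
    {
        $data = $this->sessions[$oldId] ?? [];
        unset($this->sessions[$oldId]);
        $id = $this->newId();
        $this->sessions[$id] = $data;
        return $id;
    }

    public function set(string $id, string $key, $value): void { $this->sessions[$id][$key] = $value; }
    public function get(string $id, string $key) { return $this->sessions[$id][$key] ?? null; }
    public function exists(string $id): bool { return isset($this->sessions[$id]); }

    private function newId(): string { return bin2hex(random_bytes(16)); }
}

// Rotate the ID on every privilege change (login, role elevation), then bind the identity.
function login(SessionStore $store, string $sid, string $user): string
{
    $sid = $store->regenerate($sid);
    $store->set($sid, 'user', $user);
    return $sid;
}

// HttpOnly keeps document.cookie from reading the ID; Secure keeps it off plaintext HTTP;
// SameSite limits cross-site sending. An endpoint that echoes the cookie into the response
// body undoes the HttpOnly protection for any script running in the page.
function sessionCookie(string $sid): string
{
    return 'Set-Cookie: PHPSESSID=' . rawurlencode($sid) . '; Path=/; Secure; HttpOnly; SameSite=Lax';
}

$store = new SessionStore();

// Attacker obtains a valid pre-login ID and plants it in the victim's browser (XSS, crafted
// link, and so on); the victim then logs in while carrying that ID.
$planted   = $store->start(null);
$victimSid = login($store, $planted, 'alice');

printf("planted ID still valid after login: %s\n", $store->exists($planted) ? 'yes (fixation)' : 'no');
printf("victim's post-login ID differs:     %s\n", $victimSid !== $planted ? 'yes' : 'no');
printf("user bound to the new ID:           %s\n", (string) $store->get($victimSid, 'user'));
echo sessionCookie($victimSid), "\n";
```

In real PHP code the equivalent is calling `session_regenerate_id(true)` immediately after the credential check succeeds, setting `session.use_strict_mode=1` so unknown IDs are never adopted, and never writing `$_COOKIE` or the session ID into any response body.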

OVE-20230524-0018 - Known Vulnerable Components in Use

  • Security Risk: Medium.
  • Incidents: There have been no instances of this vulnerability seen or reported.
  • Impact: Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS) and the Virtual Appliance.
  • Vulnerability Description: Third-party JavaScript libraries can introduce a range of DOM-based vulnerabilities, including some that can be used to hijack user accounts like DOM-XSS.
  • Investigation and Remediation/Response: The PrinterLogic application has no known vulnerabilities or exploit methods associated with its libraries. However, to further minimize potential risks, there is a continuous effort to keep all software utilized by PrinterLogic updated to the latest available versions. Older versions are identified and replaced with newer versions as they approach their End-of-Life (EOL) phase. This ongoing development ensures that PrinterLogic consistently incorporates the most up-to-date libraries, fostering a secure and reliable environment.

August

CVE-2022-32427

Recently, a security vulnerability was discovered in the Vasion Windows Client driver installation process. Vasion has completed remediation for CVE-2022-32427 via an updated Windows Client package.

Vulnerability Description

The Vasion Windows Client on or before Version 25.0.0.676 allows attackers to execute directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content.

Investigation and Remediation

Remediate this vulnerability by updating the Vasion Windows Client to Version 25.0.0.688 or later. Release notes for Client versions are available here.

  • For Virtual Appliance, reference Client Updates for steps on updating the Client.
  • For Virtual Appliance, update to Application build 20.0.1533+ which includes later Client versions. Reference Application Updates for more information about updating. After the application update, reference Client Updates for steps on updating the Client.
  • For Web Stack, the latest Client download is here.
  • If you prefer to push the new Windows Client via third-party software, you’ll find the Client installation package (MSI) here.

April

CVE-2022-22965

CVE-2022-22965 (widely known as Spring4Shell) is a remote code execution vulnerability in the Spring Framework, which is maintained by VMware. The issue does not impact Vasion software.

Vulnerability Description

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The exploit requires the application to run on Tomcat as a WAR deployment.

Investigation and Remediation

While some customers run their Vasion Virtual Appliance on VMware hypervisors, the vulnerability is in the Spring Framework application library rather than in the hypervisor, and the Virtual Appliance is not at risk. Information about remediations for VMware software is available here.

March

CVE-2021-44142

An out-of-bounds vulnerability assigned to CVE-2021-44142 was recently disclosed in Samba versions prior to 4.13.17. The flaw is an out-of-bounds heap read/write through which remote attackers could execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit. The PrinterLogic Virtual Appliance was susceptible to this vulnerability and has been remediated. This issue does not affect Vasion Print (formerly PrinterLogic SaaS).

Vulnerability Description

Samba is an implementation of the SMB protocol that provides file and printer interoperability with Windows platforms over the network. It is a widely installed software package, and many Linux-based IoT and network devices expose SMB services by default.

The specific flaw exists in EA metadata parsing when opening files in smbd, the Samba server daemon that provides file sharing and printing services to Windows clients. Access as a user with write access to a file’s extended attributes is required to exploit this vulnerability. A guest or unauthenticated user could do this if they are allowed write access to file extended attributes.

The problem in vfs_fruit exists in the default configuration of the fruit VFS module, that is, with fruit:metadata=netatalk or fruit:resource=file. If both options are set to values other than the defaults, the issue does not affect the system. The Vasion Virtual Appliance Host had vfs_fruit enabled and required remediation.

Investigation and Remediation

Vasion has removed the vfs_fruit module from the Virtual Appliance. Therefore, we recommend that Virtual Appliance customers with host versions 1.0.735 and earlier update their Virtual Appliance Host, which includes the latest application release. This update includes other new functionality as well, described in the release notes. You can find release notes for our Virtual Appliance in our 2022 Release Notes topic.
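
For readers who run their own Samba hosts alongside the appliance, the following added smb.conf fragments (written for this bulletin, not taken from the appliance's configuration) show the three states described above: the vulnerable default, the remediation the bulletin applied (fruit removed from the VFS chain), and the alternative of keeping fruit with both options moved off their defaults. The share name and path are constructed.

```ini
; 1. Vulnerable: fruit loaded with its default backends. The two commented lines are the
;    implicit defaults, fruit:metadata=netatalk and fruit:resource=file.
[print$]
   path = /srv/samba/printers
   vfs objects = catia fruit streams_xattr
   ; fruit:metadata = netatalk
   ; fruit:resource = file

; 2. What the bulletin describes: drop fruit from every "vfs objects" line.
[print$]
   path = /srv/samba/printers
   vfs objects = catia streams_xattr

; 3. If fruit must stay (Apple clients): both options set to non-default values.
[print$]
   path = /srv/samba/printers
   vfs objects = catia fruit streams_xattr
   fruit:metadata = stream
   fruit:resource = stream
```

A quick audit on any host is `testparm -s 2>/dev/null | grep -i 'vfs objects'` to find shares that load fruit, together with `smbd --version` to confirm the package is 4.13.17 or later; option 2 or a version upgrade is preferable to option 3, since the latter relies on no share anywhere falling back to the defaults.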

February

CVE-2021-4034

In late January, Vasion became aware of a vulnerability that affects many Linux distributions. As a result, the company has completed remediations in its Vasion Print (formerly PrinterLogic SaaS) and Virtual Appliance platforms.

Vulnerability Description

Polkit (formerly known as PolicyKit) is the component that controls system-wide privileges on Linux and is installed by default in every major distribution. Its pkexec program is a setuid-root tool that allows unprivileged users to run commands as privileged users according to predefined policies.

In the affected versions, pkexec does not correctly handle being invoked with an empty argument list (an argument count of zero). It reads past the end of its argument array into the environment and can be induced, through crafted environment variables, to load and execute attacker-controlled code. The result is a local privilege escalation that gives any unprivileged local user administrative rights on the target machine.

A new version of Polkit was released that addresses this vulnerability. You can find more information in the CVE-2021-4034 document.

Investigation and Remediation

Vasion completed its investigation to determine how this vulnerability affects Vasion Print (formerly PrinterLogic SaaS) and Virtual Appliance. It was found that servers for both platforms contained the affected version of Polkit.

A patch is in place for both Vasion products using the fixed Polkit package published by Ubuntu for 18.04 (policykit-1 updated from 0.105-20ubuntu0.18.04.5 to 0.105-20ubuntu0.18.04.6).

Because Vasion Print (formerly PrinterLogic SaaS) updates occur automatically, this remediation is already live.

Virtual Appliance customers with host versions 1.0.730 and earlier will need to update their Virtual Appliance host, including the latest application release. You can find release notes in our Release Notes topic.

January

Recently, security vulnerabilities were discovered in Web Stack versions 19.1.1.13 SP9 and below. Vasion has completed corrective measures to remediate each vulnerability, and updates are available now for Web Stack and the Virtual Appliance. Updates occurred automatically with Vasion Print (formerly PrinterLogic SaaS) and are live worldwide. A summary of the vulnerabilities and corrective actions Vasion has taken are below. Links to the respective CVEs will be added once they are available.

CVE-2021-42631

  • Impact: Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Vulnerability Description: CVE-2021-42631, object injection leading to RCE (CVSS 8.1).
  • Investigation and Remediation/Response: The affected endpoints were reorganized so they no longer use objects passed as parameters (removing the vulnerability). The vulnerable function “unserialize()” is no longer used.
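
The remediation above, stop passing serialized objects and stop calling `unserialize()`, is the right fix for PHP object injection, and the following added example, written for this bulletin and not taken from the product, shows why. Any class reachable by the autoloader that has a side-effecting magic method becomes a gadget: `unserialize()` on attacker-controlled input instantiates it with attacker-chosen properties and its destructor runs. The class, the payload and the file path in it are constructed; the side effect here is recorded in memory rather than written to disk.

```php
<?php
declare(strict_types=1);

// An ordinary class that happens to have a destructor with a side effect. Any such class
// the autoloader can find is a potential gadget for unserialize() on untrusted input.
final class LogWriter
{
    /** @var string[] records what would have been written, for the demo */
    public static array $written = [];

    public string $path = 'app.log';
    public string $line = '';

    public function __destruct()
    {
        // Real code would do file_put_contents($this->path, $this->line, FILE_APPEND).
        self::$written[] = "{$this->path} <= {$this->line}";
    }
}

function handleUntrustedUnsafe(string $blob)
{
    return unserialize($blob);                             // attacker chooses class and properties
}

function handleUntrustedHardened(string $blob)
{
    // Refuse to instantiate any class: objects become __PHP_Incomplete_Class and no magic runs.
    return unserialize($blob, ['allowed_classes' => false]);
}

function handleUntrustedFixed(string $blob): array
{
    // The fix the bulletin describes: do not accept objects at all, accept plain data.
    $data = json_decode($blob, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('expected a JSON object');
    }
    return $data;
}

// Constructed attacker payload: a serialized LogWriter with attacker-chosen properties.
// The attacker needs no code on the server, only the class name and property names.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:17:"/tmp/injected.log";s:4:"line";s:19:"attacker-controlled";}';

$obj = handleUntrustedUnsafe($payload);
printf("unsafe:   instantiated %s\n", get_class($obj));
unset($obj);                                               // destructor fires here
printf("unsafe:   side effect -> %s\n", implode(', ', LogWriter::$written));

$obj = handleUntrustedHardened($payload);
printf("hardened: instantiated %s\n", get_class($obj));
unset($obj);                                               // nothing runs

try {
    handleUntrustedFixed($payload);
} catch (JsonException $e) {
    printf("fixed:    rejected non-JSON input (%s)\n", $e->getMessage());
}
print_r(handleUntrustedFixed('{"path":"app.log","line":"hello"}'));
```

The `allowed_classes` option is a stopgap for code that cannot yet be changed; it stops object instantiation but still parses the attacker's structure. Replacing the serialized object with a plain JSON document validated against the fields the endpoint actually needs, as the bulletin's remediation did, removes the sink entirely.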

CVE-2021-42635

  • Impact: Web Stack.
  • Status: Fixed in Web Stack.
  • Vulnerability Description: CVE-2021-42635, hardcoded APP_KEY leading to RCE (CVSS 8.1).
  • Investigation and Remediation/Response: The Web Stack installers were adjusted to generate random keys on installation and on updates. In addition, we performed scans for other keys and credentials that may have been leaked, and any findings were also corrected. Measures were furthermore put in place to prevent any leaked secrets from accidentally being included in future releases.

CVE-2021-42638

  • Impact: Web Stack.
  • Status: Fixed in Web Stack.
  • Vulnerability Description: CVE-2021-42638, miscellaneous command injections leading to RCE (CVSS 8.1).
  • Investigation and Remediation/Response: The affected areas were completely removed where possible (e.g., no longer supported features, printer models, etc.), and escaping/sanitation was corrected for items that could not be removed.

CVE-2021-42633

  • Impact: Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Vulnerability Description: CVE-2021-42633, SQL injection that may disclose audit logs (CVSS 0).
  • Investigation and Remediation/Response: The SQLi code was never used. The offending pages were removed.

CVE-2021-42637

  • Impact: Web Stack.
  • Status: Fixed in Web Stack.
  • Vulnerability Description: CVE-2021-42637, blind SSRF (CVSS 4.0).
  • Investigation and Remediation/Response: The test page causing this issue was removed.

CVE-2021-42639

  • Impact: Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Vulnerability Description: CVE-2021-42639, miscellaneous reflected XSS (CVSS 4.0).
  • Investigation and Remediation/Response: All reflected XSS vulnerabilities were identified and either removed or fixed by escaping or sanitizing the inputs.
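Both CVE-2021-42638 (command injection) and CVE-2021-42639 (reflected XSS) come down to the same correction the bulletin describes: remove the feature where possible, otherwise validate the input and escape it for the exact output context. As an added example covering both entries (not Vasion code; the printer reachability helper and the page fragments are assumptions), the following shows a shell sink and an HTML sink with their hardened forms:

```php
<?php
// Added example, not Vasion code: the two sinks behind CVE-2021-42638 (a request
// value spliced into a shell command) and CVE-2021-42639 (a request value
// reflected into HTML), each with the correction the bulletin describes.
// The printer reachability helper and page fragments are assumptions.
declare(strict_types=1);

// --- Shell sink (command injection) ---------------------------------------
// Vulnerable shape: "ping -c 1 $host" with $host taken from the request, so shell
// metacharacters in $host become additional commands.
// Hardened shape: allowlist what a printer address may look like, then pass it
// through escapeshellarg() so it reaches the program as exactly one argument.
function buildPingCommand(string $host): string
{
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('invalid printer address');
    }
    return 'ping -c 1 -W 2 ' . escapeshellarg($host);
}

// --- HTML sink (reflected XSS) ---------------------------------------------
// Vulnerable shape: echo "<h1>Results for $q</h1>". Hardened shape: encode for
// the HTML context the value lands in. Element text and quoted attribute values
// both take htmlspecialchars(); untrusted text never goes into an unquoted
// attribute, an event handler, a URL scheme, or inline script.
function renderSearchHeading(string $q): string
{
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>Results for {$safe}</h1>";
}

function renderSearchInput(string $q): string
{
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input type=\"text\" name=\"q\" value=\"{$safe}\">";
}

// Constructed inputs: one benign value and one tricky value per sink.
echo buildPingCommand('printer-01.example.internal'), "\n";
try {
    buildPingCommand('printer-01;echo injected');
} catch (InvalidArgumentException $e) {
    echo 'shell sink rejected: ', $e->getMessage(), "\n";
}
echo renderSearchHeading('<b>lobby</b>'), "\n";          // tags arrive as text, not markup
echo renderSearchInput('Lobby "West" & Annex'), "\n";    // quotes and & cannot close the attribute
```

Note the order in the shell path: the allowlist runs first and `escapeshellarg()` second. Escaping alone keeps the value inside one argument, but a validated value also rules out surprises the downstream program itself might interpret (option-like strings, over-long names), which is why the bulletin pairs removal and sanitation rather than relying on escaping by itself.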

CVE-2021-42640

  • Impact: Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Vulnerability Description: CVE-2021-42640, driver assignment IDOR (CVSS 3.8).
  • Investigation and Remediation/Response: RBAC security was added to routes that were allowing access to sensitive objects/data.

CVE-2021-42641

  • Impact: Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Vulnerability Description: CVE-2021-42641, username/email information disclosure (CVSS 2.0).
  • Investigation and Remediation/Response: RBAC security was added to routes that were allowing access to sensitive objects/data.

CVE-2021-42642

  • Impact: Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Status: Fixed in Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Web Stack.
  • Vulnerability Description: CVE-2021-42642, printer console username/password information disclosure (CVSS 4.0).
  • Investigation and Remediation/Response: RBAC security was added to routes that were allowing access to sensitive objects/data.
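CVE-2021-42640, CVE-2021-42641 and CVE-2021-42642 share one remediation: route-level RBAC on handlers that returned sensitive objects to anyone who could name an ID. As an added example covering all three (not Vasion code; the roles, the policy table and the in-memory records are assumptions), the following shows a deny-by-default role check combined with an object-scope check, which is the half an IDOR fix needs beyond roles alone:

```php
<?php
// Added example, not Vasion code: the kind of route-level authorization the
// bulletin describes for CVE-2021-42640/42641/42642. Roles, the policy table and
// the in-memory records are assumptions for illustration. PHP 8.1+.
declare(strict_types=1);

final class AccessDenied extends RuntimeException {}

final class Principal
{
    /** @param int[] $siteIds sites this principal is scoped to */
    public function __construct(public readonly int $id, public readonly string $role, public readonly array $siteIds) {}
}

// Route policy: which roles may call which handler. Anything not listed is denied,
// which is the deny-by-default property the vulnerable routes lacked.
const ROUTE_POLICY = [
    'driver.assignment.read'   => ['admin', 'technician'],
    'printer.credentials.read' => ['admin'],
    'user.profile.read'        => ['admin', 'user'],
];

// Constructed records standing in for the database. Credentials are placeholders.
const PRINTERS = [
    101 => ['site_id' => 1, 'driver' => 'Generic PCL6', 'console_user' => 'svc-print', 'console_pass' => 'PLACEHOLDER'],
    202 => ['site_id' => 2, 'driver' => 'Generic PS',   'console_user' => 'svc-print', 'console_pass' => 'PLACEHOLDER'],
];
const USERS = [
    7 => ['site_id' => 1, 'username' => 'asmith', 'email' => 'asmith@example.invalid'],
];

// Two checks, always together: may this role call this route at all, and is this
// particular object inside the caller's scope. Returning the same error for "no
// such object" and "not yours" stops ID enumeration; the log line feeds detection.
function authorize(string $route, Principal $who, ?array $object): array
{
    $roleOk  = in_array($who->role, ROUTE_POLICY[$route] ?? [], true);
    $scopeOk = $object !== null
        && ($who->role === 'admin' || in_array($object['site_id'], $who->siteIds, true));
    if (!$roleOk || !$scopeOk) {
        error_log(sprintf('authz denied route=%s principal=%d role=%s', $route, $who->id, $who->role));
        throw new AccessDenied('not found');
    }
    return $object;
}

function readDriverAssignment(Principal $who, int $printerId): string
{
    $p = authorize('driver.assignment.read', $who, PRINTERS[$printerId] ?? null);
    return $p['driver'];
}

function readPrinterCredentials(Principal $who, int $printerId): array
{
    $p = authorize('printer.credentials.read', $who, PRINTERS[$printerId] ?? null);
    return ['user' => $p['console_user'], 'pass' => $p['console_pass']];
}

function readUserProfile(Principal $who, int $userId): array
{
    $u = USERS[$userId] ?? null;
    if ($who->role === 'user' && $who->id !== $userId) {
        $u = null; // a plain user may read only their own record
    }
    $u = authorize('user.profile.read', $who, $u);
    return ['username' => $u['username'], 'email' => $u['email']];
}

// Constructed calls: a technician scoped to site 1.
$tech = new Principal(id: 42, role: 'technician', siteIds: [1]);
echo readDriverAssignment($tech, 101), "\n";               // own site: allowed
foreach ([
    fn() => readDriverAssignment($tech, 202),               // other site: IDOR blocked
    fn() => readPrinterCredentials($tech, 101),             // route not open to technicians
    fn() => readUserProfile($tech, 7),                      // route not open to technicians
] as $call) {
    try {
        $call();
    } catch (AccessDenied $e) {
        echo "denied\n";
    }
}
```

The role table alone would not have closed CVE-2021-42640: a technician is a legitimate caller of the driver-assignment route, so the object-scope check (`site_id` against the caller's sites) is what stops one valid user reading another site's records. Keeping both checks in a single `authorize()` helper, called from every handler, is also what makes the policy auditable and the denied attempts visible in logs.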

Remediation

  • Vasion Print (formerly PrinterLogic SaaS): Our SaaS platform performs automatic updates. Remediations are live worldwide. No customer action is needed.
  • Virtual Appliance: Upgrade to Host build 1.0.711+ which includes an updated Application version.
  • Web Stack: Upgrade to 19.1.1.13 SP10-2.

The Web Stack solution has reached EOL; customers using Web Stack should contact their Vasion representative to discuss migration to Vasion Print (formerly PrinterLogic SaaS) or the Virtual Appliance solutions.

December

CVE-2021-44228

The Log4j vulnerability, documented in CVE-2021-44228, is a remote code execution (RCE) vulnerability in Log4j, a logging framework used within many software solutions. Because the affected Log4j versions allow RCE, a remote attacker can execute commands over the network on any software that contains a vulnerable version of the library.

Investigation and Remediation

Vasion is aware of the issue and has not found any evidence of exploitation or vulnerability with our products. Additionally, Vasion products, including Vasion Print (formerly PrinterLogic SaaS), Virtual Appliance, and Vasion ST, do not depend on the affected Log4j libraries. Therefore, these products are not vulnerable to the referenced CVE-2021-44228.

Our security team will continue to monitor the situation. If our assessment changes, we will publish our findings and recommendations in this bulletin.

July

CVE-2021-34527

PrintNightmare, documented in CVE-2021-34527, is a remote code execution vulnerability in the Windows Print Spooler. This vulnerability is exposed through specific inbound Remote Procedure Calls (RPC), which are used to add printers and related drivers. This can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

Vasion Solution

With Vasion Print's (formerly PrinterLogic SaaS) Managed Direct IP Printing solution, print jobs are always spooled locally using the local print spooler on the originating workstation. Since Virtual Appliance does not use RPC to access the Windows Print Spooler, a Virtual Appliance Managed Direct IP print environment is entirely unaffected when the mitigation steps detailed in the CVE (option 2) are followed as Microsoft recommends. This ensures the attack vector is closed on all machines running the Windows Print Spooler while allowing users to continue safely printing using Virtual Appliance’s Managed Direct IP solution.

Microsoft has released a patch for this vulnerability. Vasion highly recommends all customers install the July 2021 Out-of-band update on all Windows systems. For details, see KB5004945 and KB5004946.

What about Point and Print?

According to Microsoft documentation, Point and Print is a term that refers to the capability of allowing a user on a Windows 2000 and later client to create a connection to a remote printer without providing disks or other installation media. Instead, all necessary files and configuration information are automatically downloaded from the print server to the client.

This applies explicitly to print queues installed from a Windows print server and does not impact users' ability to install print queues from the Virtual Appliance Self-service Portal.

As part of the July 2021 Out-of-band update, a registry setting is checked to restrict the installation of new unsigned printer drivers to Administrators only. Since Virtual Appliance only allows signed Type 3 drivers to be used and the Virtual Appliance Client is solely responsible for managed print driver installation, this setting will not adversely affect Vasion customers.

While this registry setting does not impact a Virtual Appliance Managed Direct IP environment, following security best practices, Vasion still recommends that all customers enable this registry setting as recommended by Microsoft:

  • Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • Value: RestrictDriverInstallationToAdministrators
  • Type: REG_DWORD
  • Data: 1

Caveats

Printers configured as shared printers or with Windows Print Server Links will cease to function properly if inbound remote printing is disabled on the Windows Print Server. Therefore, Vasion recommends converting these printers to Managed Direct IP print queues to avoid this and future Windows Print Spooler vulnerabilities.

References