Three High-Severity PrinterLogic Flaws Detected
Three recently disclosed high-severity flaws in PrinterLogic could let a remote attacker execute code on workstations running the PrinterLogic agent, which runs as SYSTEM.
Threatpost editor Lindsey O’Donnell reports, “A slew of high-severity flaws have been disclosed in the PrinterLogic printer management service, which could enable a remote attacker to execute code on workstations running the PrinterLogic agent.”
The PrinterLogic Print Management software, which allows businesses to deploy and use remote printers, is used by thousands of enterprises.
A Security Vulnerability Notice issued by PrinterLogic states, “Using an exploit to forcibly update configuration data, the Printer Installer Client can be directed to bypass HTTPS hardening or directed to another Printer Installer Server. The Printer Installer Client does not correctly verify the origin and integrity of updates. An attacker who successfully exploits these vulnerabilities could run arbitrary code in the context of the Local System Account.”
A Vulnerability Note published by CERT Coordination Center (which is part of the CERT Division of the Pittsburgh-based Software Engineering Institute) says, “PrinterLogic versions up to and including 22.214.171.124 are vulnerable to multiple attacks. The PrinterLogic agent, running as SYSTEM, does not validate the PrinterLogic Management Portal’s SSL certificate, validate PrinterLogic update packages, or sanitize web browser input.”
Of the three flaws, the most serious is CVE-2018-5408: the PrinterLogic Print Management software either does not validate the management portal’s SSL certificate at all or validates it incorrectly. The CERT/CC vulnerability note explains, “When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.”
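To make the certificate-validation failure concrete, here is an added example (written for this article in Go; it is not PrinterLogic’s code, and the agent itself is not written in Go). It mints its own throwaway CA and server certificates, then contrasts a hardened check, which requires the portal certificate to chain to a trusted root and to carry the hostname the agent dialled, with the vulnerable behaviour of accepting whatever certificate is presented. The CA names and the portal hostname `portal.printerlogic.example` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert mints a throwaway certificate for the demo. With parent == nil it is
// self-signed (a CA); otherwise it is a server certificate for DNS name `name`
// signed by parent. Test fixture only, not PrinterLogic code.
func makeCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyPortalCert is the check an agent should perform before trusting the
// management portal: chain to a trusted root, be valid for server
// authentication, and match the hostname that was dialled.
func VerifyPortalCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// AcceptAnyCert models the reported flaw: the certificate is never checked, so a
// man-in-the-middle presenting any certificate at all is treated as the portal.
func AcceptAnyCert(_ *x509.Certificate, _ *x509.CertPool, _ string) error {
	return nil
}

// RunScenarios builds the fixtures and reports, per scenario, whether the
// certificate would be accepted (nil) or rejected (error).
func RunScenarios() map[string]error {
	const portalHost = "portal.printerlogic.example" // hypothetical portal name

	trustedCA, trustedKey := makeCert("Example Corp Root CA", true, nil, nil) // in the agent's trust store
	attackerCA, attackerKey := makeCert("MITM CA", true, nil, nil)            // attacker's own CA, not trusted

	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)

	genuine, _ := makeCert(portalHost, false, trustedCA, trustedKey)
	spoofed, _ := makeCert(portalHost, false, attackerCA, attackerKey)      // right name, untrusted issuer
	wrongHost, _ := makeCert("other.example", false, trustedCA, trustedKey) // trusted issuer, wrong name

	return map[string]error{
		"genuine, hardened":    VerifyPortalCert(genuine, roots, portalHost),
		"spoofed, hardened":    VerifyPortalCert(spoofed, roots, portalHost),
		"wrong host, hardened": VerifyPortalCert(wrongHost, roots, portalHost),
		"spoofed, vulnerable":  AcceptAnyCert(spoofed, roots, portalHost),
	}
}

func main() {
	for name, err := range RunScenarios() {
		verdict := "ACCEPTED"
		if err != nil {
			verdict = "rejected: " + err.Error()
		}
		fmt.Printf("%-22s %s\n", name, verdict)
	}
}
```

Note that the hardened path rejects both a certificate from an unknown issuer and a genuinely issued certificate for the wrong name; an agent that skips either half of the check (chain or hostname) is still open to the MITM scenario the CERT/CC note describes.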
The second vulnerability, CVE-2018-5409, concerns how the PrinterLogic Print Management system handles software updates: the software downloads and executes updates without sufficiently verifying the origin and integrity of the code. As a result, an attacker could get malicious code executed by compromising the host server, by spoofing DNS, or by modifying the code in transit.
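The following added example (written for this article in Go; not PrinterLogic’s code or update format) shows the check whose absence the update flaw describes. A hypothetical vendor key signs the package with Ed25519, and the agent accepts it only if the public key pinned in the agent verifies the signature over exactly the delivered bytes. The three deliveries in the text (genuine, modified in transit, served by a rogue origin) are constructed inline, and the key pairs, payload strings and hostnames are demo values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical wire format for an agent update: the bytes to
// install plus a detached Ed25519 signature over them. Not PrinterLogic's format.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is the vendor-side step: the release pipeline signs the package with
// a private key that never leaves the vendor.
func SignUpdate(vendorPriv ed25519.PrivateKey, payload []byte) UpdatePackage {
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(vendorPriv, payload)}
}

// VerifyUpdate is the agent-side check the reported flaw lacks: the package is
// accepted only if the vendor public key pinned in the agent signed exactly these
// bytes. Where the bytes came from (which server, which DNS answer, which TLS
// session) does not enter into the decision, which is the point.
func VerifyUpdate(pinnedVendorPub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pinnedVendorPub, pkg.Payload, pkg.Signature) {
		return errors.New("signature check failed: not signed by vendor key or payload altered")
	}
	return nil
}

// InstallUnverified models the vulnerable behaviour: whatever the update server
// (or whoever is impersonating it) delivers is installed as-is.
func InstallUnverified(_ UpdatePackage) error { return nil }

// RunUpdateScenarios constructs the three deliveries described in the text and
// returns, per scenario, nil (installed) or the rejection error.
func RunUpdateScenarios() map[string]error {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair (generated for the demo)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // rogue server / MITM key
	if err != nil {
		panic(err)
	}

	// Constructed sample payload; a real package would be an installer binary.
	genuine := SignUpdate(vendorPriv, []byte("agent-update-v2: server=https://portal.printerlogic.example"))

	// Modified in transit: the attacker rewrites the server URL but cannot re-sign with the vendor key.
	tampered := genuine
	tampered.Payload = bytes.Replace(genuine.Payload, []byte("portal.printerlogic.example"), []byte("evil.example"), 1)

	// Rogue origin (compromised host or DNS spoofing): the attacker signs with their own key.
	rogue := SignUpdate(attackerPriv, []byte("agent-update-v2: run dropper.exe"))

	return map[string]error{
		"genuine, hardened":  VerifyUpdate(vendorPub, genuine),
		"tampered, hardened": VerifyUpdate(vendorPub, tampered),
		"rogue, hardened":    VerifyUpdate(vendorPub, rogue),
		"rogue, vulnerable":  InstallUnverified(rogue),
	}
}

func main() {
	for name, err := range RunUpdateScenarios() {
		if err == nil {
			fmt.Printf("%-20s installed\n", name)
		} else {
			fmt.Printf("%-20s rejected (%v)\n", name, err)
		}
	}
}
```

Because the signature, not the transport, is what authorises installation, this check still holds when the certificate validation discussed above has already been defeated; the two checks are independent layers, and the agent as reported was missing both.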
The third flaw, CVE-2019-9505, is that the PrinterLogic Print Management software does not sanitize special characters, which allows an attacker to make unauthorized remote changes to configuration files.
At the time of writing, patches were not yet available, so users have been told to wait for upcoming PrinterLogic updates. In the meantime an ‘always on’ VPN can block some of the MITM scenarios, and application whitelisting on the endpoint limits what a compromised agent can run. The CERT/CC advisory says, “Update PrinterLogic Print Management Software when patches become available…Consider using ‘always on’ VPN to prevent some of the MITM scenarios and enforce application whitelisting on the endpoint to prevent the PrinterLogic agent from executing malicious code.”
These flaws were reportedly discovered by researchers at Sygnia Consulting.