Vasion Print Insecure Inter-Process Communication Vulnerability Allowing Local Session Hijacking

A vulnerability exists in Vasion Print Virtual Appliance Host versions prior to 1.0.735 and Application versions prior to 20.0.1330, specifically in macOS and Linux client deployments. The issue arises from the local inter-process communication (IPC) mechanism, where IPC request and response files are stored in a temporary directory with world-readable and world-writable permissions. This allows any local user to create malicious request files that privileged daemons process, potentially executing unauthorized actions in other user sessions. This vulnerability disrupts user session isolation, enabling local attackers to hijack sessions and perform unintended actions on behalf of other users, thereby compromising system integrity and availability.

Impact

Exploitation of this vulnerability could lead to unauthorized actions being executed in the context of other users, allowing for session hijacking and disruption of user session isolation.

Remediation

Users can update to Vasion Print Virtual Appliance Host 1.0.735 and Application version 20.0.1330 or later. For Vasion Print (formerly PrinterLogic), the update is already live worldwide. Virtual Appliance users should refer to the Vasion Release Notes for update instructions.