Vasion Print Authentication Bypass Vulnerability in Virtual Appliance and macOS/Linux Clients

An authentication bypass vulnerability has been identified in the Vasion Print Virtual Appliance Host and Application, as well as in macOS and Linux client deployments. The issue arises in the PrinterInstallerClientService, where authentication checks for administrative operations are flawed. The service, which requires root privileges for certain tasks, relies on the geteuid() function. By preloading a malicious shared object that overrides geteuid(), a local attacker can deceive the service into thinking it has root privileges. This exploitation allows the execution of administrative commands, such as enabling debug mode or managing configurations, without proper authorization. Although some actions that require writing to protected files may still encounter issues, this vulnerability effectively undermines the security model of the inter-process communication system, enabling local attackers to escalate privileges and compromise system integrity.

Impact

Exploitation of this vulnerability allows local attackers to bypass authentication checks and execute administrative commands with elevated privileges, potentially leading to unauthorized access and modification of system configurations and applications.

Reproduction

The vulnerability can be reproduced by preloading a shared object that overrides the geteuid() function, tricking the PrinterInstallerClientService into believing it is running with root privileges. This can be done using the LD_PRELOAD environment variable to load the malicious shared object before starting the Vasion Print application or client.

Remediation

Users should update to the latest version of Vasion Print, as this vulnerability has been addressed. For the Virtual Appliance, instructions for updating the application are available in the Vasion Trust Center.