Vasion Print
- < 22.0.843
An arbitrary file write vulnerability has been identified in Vasion Print Virtual Appliance Host versions prior to 22.0.843 and Application versions prior to 20.0.1923, specifically in macOS and Linux client deployments. The vulnerability arises from the response file handling, where the service writes response data into files under the '/opt/PrinterInstallerClient/tmp/responses/' directory, reusing the requested filename. The service follows symbolic links in the responses directory and writes as the service user, typically root. This allows a local, unprivileged user to manipulate the service into overwriting or creating arbitrary files on the filesystem as root. Exploitation of this vulnerability could lead to modification of configuration files, replacement or injection of binaries or drivers, and ultimately, local privilege escalation and full system compromise.
Exploitation of this vulnerability allows for arbitrary file writes as the root user, enabling local privilege escalation and full system compromise.
Users can update to Vasion Print Virtual Appliance Host version 22.0.843 and Application version 20.0.1923 or later. For the Vasion Windows Client, update to version 25.0.0.897 or later. If preferred, the new Windows Client can be pushed via third-party software using the available Client installation package (MSI).
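For developers of services that write files into a directory under a client-supplied name, as the response handling described above does, the following added example (not Vasion's code or its actual fix) shows one way to open the file without following links. It goes beyond the symlink case in the advisory by also refusing hard links; the function names, the temporary directory layout and the sample file contents are constructed for illustration.

```python
import os
import stat
import tempfile


def write_response(dir_fd: int, name: str, data: bytes) -> None:
    """Write data to `name` inside the directory open at dir_fd, refusing links."""
    # The requested filename is reused, so it must not be able to leave the directory.
    if not name or "/" in name or "\x00" in name or name in (".", ".."):
        raise ValueError("unsafe response filename")
    # O_NOFOLLOW: open() fails with ELOOP when the final component is a symlink.
    # No O_TRUNC: nothing is modified until the opened file has been inspected.
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC
    fd = os.open(name, flags, 0o600, dir_fd=dir_fd)
    with os.fdopen(fd, "wb") as f:  # closes fd on every exit path
        st = os.fstat(f.fileno())
        # A hard link to another file shows up as st_nlink > 1.
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise PermissionError("response path is not a private regular file")
        f.truncate(0)
        f.write(data)


def demo() -> dict:
    """Constructed scenario in a temp dir: links planted where responses are written."""
    result = {}
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "protected.conf")  # stands in for a root-owned file
        with open(target, "w") as f:
            f.write("original")
        responses = os.path.join(root, "responses")
        os.mkdir(responses, 0o700)
        os.symlink(target, os.path.join(responses, "sym"))
        os.link(target, os.path.join(responses, "hard"))
        dir_fd = os.open(responses, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
        try:
            for name in ("sym", "hard", "fresh"):
                try:
                    write_response(dir_fd, name, b"response-data")
                    result[name] = "written"
                except OSError as exc:
                    result[name] = "refused: " + type(exc).__name__
        finally:
            os.close(dir_fd)
        with open(target) as f:
            result["target"] = f.read()
    return result
```

Calling `demo()` returns the outcome for each name and the unchanged contents of the stand-in target. `O_NOFOLLOW` only guards the final path component, so the responses directory itself should also be owned by the service user and not writable by unprivileged users.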