Vasion Print Windows Client Components Lack Modern Memory Protections and Use Outdated Runtimes

Vulnerability

A vulnerability exists in Vasion Print (formerly PrinterLogic) Windows client components included in the Virtual Appliance Host and Application. These components, which are built as 32-bit applications, lack essential modern compile-time and runtime exploit mitigations. They do not support Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), Control Flow Guard (CFG), or stack protection. Additionally, the binaries rely on outdated and unmaintained runtimes, including legacy technologies such as Pascal/Delphi and Python 2. Several processes within these components operate with elevated privileges, specifically NT AUTHORITY\SYSTEM, and automatically download and install printer drivers. The combination of missing contemporary memory safety protections, reliance on obsolete runtimes, and the potential for memory corruption from crafted driver content or malicious inputs significantly heightens the risk of remote or local code execution, with possible privilege escalation to SYSTEM.
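An added example, not code from the advisory or from Vasion: a defender-side audit that reads the PE header of an installed binary and reports whether it is 32-bit and whether it opts in to ASLR, DEP and CFG through the DllCharacteristics field. The function names and the header-only sample image are constructed for illustration; pass real file paths on the command line to audit installed binaries.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* opt-in bits in the PE optional header
FLAGS = {"ASLR (DYNAMIC_BASE)": 0x0040, "DEP (NX_COMPAT)": 0x0100, "CFG (GUARD_CF)": 0x4000}
MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64"}


def audit_pe(data: bytes) -> dict:
    """Return the machine type and mitigation flags declared by a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    opt = pe_off + 24  # 4-byte signature + 20-byte COFF header
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < opt + 72:
        raise ValueError("missing or truncated PE header")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    report = {"machine": MACHINES.get(machine, hex(machine))}
    report.update({name: bool(dll_chars & bit) for name, bit in FLAGS.items()})
    return report


def missing_mitigations(data: bytes) -> list:
    """List the mitigations the image does not opt in to."""
    report = audit_pe(data)
    return [name for name in FLAGS if not report[name]]


def sample_pe(machine: int, dll_chars: int) -> bytes:
    """Constructed header-only image: just the fields audit_pe() reads."""
    buf = bytearray(0x40 + 24 + 72)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, machine)
    struct.pack_into("<H", buf, 0x58, 0x10B if machine == 0x014C else 0x20B)
    struct.pack_into("<H", buf, 0x58 + 70, dll_chars)
    return bytes(buf)


if __name__ == "__main__":
    for path in sys.argv[1:]:  # real binaries to audit
        with open(path, "rb") as fh:
            print(path, audit_pe(fh.read()))
    print("constructed 32-bit sample:", missing_mitigations(sample_pe(0x014C, 0)))
```

Stack protection is not recorded in DllCharacteristics, so this check does not cover it.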

Impact

Exploitation of this vulnerability could lead to remote or local code execution, with unauthorized privilege escalation to the SYSTEM level.

Remediation

Users can update the Vasion Windows Client to Version 25.0.0.897 or later. For the Virtual Appliance, update to Application build 20.0.1923 or later, which includes the updated Client version. If preferred, the new Windows Client can be pushed via third-party software using the Client installation package available from the Vasion Print Client Updates page.

Added: Sep 19, 2025, 7:36 PM
Updated: Sep 19, 2025, 7:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 5.7
remediation: 0.0
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.