Vasion Print Local Privilege Escalation Vulnerability via Insecure Temporary File Handling

Vulnerability

A local privilege escalation vulnerability has been identified in Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application, as well as in Windows client deployments. It arises from insecure temporary file handling in the PrinterInstallerClient components: the software creates files as NT AUTHORITY\SYSTEM in a directory controlled by the local user (C:\Users\%USER%\AppData\Local\Temp\). An attacker who can manipulate filenames in this directory can create symbolic links that the service follows, allowing writes to arbitrary filesystem locations as SYSTEM. An unprivileged user can thereby overwrite or create files with SYSTEM privileges, which can lead to unauthorized modification of configuration files, injection or replacement of binaries, or other actions that compromise the system's confidentiality, integrity, or availability.

Impact

Exploitation of this vulnerability allows for local privilege escalation, with the potential to modify system configuration files, replace or inject binaries, or otherwise disrupt the system's normal operations.

Reproduction

The vulnerability can be reproduced by placing a symbolic link in the temporary file directory that points to a sensitive file or location. When the PrinterInstallerClient component accesses the temporary directory, it follows the symbolic link and performs its file operations as the SYSTEM user, so files can be manipulated with elevated privileges.

Remediation

Users can update to the latest version of Vasion Print or the Vasion Windows Client to address this vulnerability. Instructions for updating the Windows Client are available on the Vasion website.
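
For endpoints that have not been updated yet, the user-writable temporary directory can be audited for the condition described above. The following is an added example, not code from Vasion or from the original advisory: it reports symbolic links under a directory whose targets resolve outside that directory. The function name and the choice of the current user's temp directory as the default scan location are assumptions.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_links(temp_dir):
    """List symbolic links under temp_dir whose target resolves outside it.

    Returns sorted (link_path, resolved_target, target_exists) tuples.
    """
    root = Path(os.path.realpath(temp_dir))
    findings = []
    # followlinks=False: links are reported but never traversed.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            # realpath also resolves dangling links; those still matter,
            # because a write through the link would create the target.
            resolved = Path(os.path.realpath(entry))
            if resolved != root and root not in resolved.parents:
                findings.append(
                    (str(entry), str(resolved), os.path.exists(resolved))
                )
    return sorted(findings)


if __name__ == "__main__":
    # Assumption: the directory of interest is the current user's temp
    # directory (%LOCALAPPDATA%\Temp on Windows).
    for link, target, exists in find_escaping_links(tempfile.gettempdir()):
        state = "existing" if exists else "not yet existing"
        print(f"{link} -> {target} ({state} target)")
```

On Windows, `is_symlink()` does not report directory junctions, so this check covers only the symbolic links the advisory describes.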

Added: Sep 19, 2025, 7:35 PM
Updated: Sep 19, 2025, 7:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.3
remediation: 0.0
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.