Vasion Print
- < 25.1.102
A vulnerability exists in Vasion Print Virtual Appliance Host versions prior to 25.1.102 and Application versions prior to 25.1.1413, specifically in Windows client deployments. This vulnerability is due to a hardcoded private key for the PrinterLogic Certificate Authority (CA) and a hardcoded password in product configuration files. The Windows client includes the CA certificate, its private key, and other sensitive settings such as the password, directly in configuration files like clientsettings.dat and defaults.ini. An attacker who accesses these files can impersonate the CA, sign arbitrary certificates trusted by the Windows client, intercept or decrypt TLS-protected communications, and conduct man-in-the-middle or impersonation attacks against the product's network communications.
Exploitation of this vulnerability allows for impersonation of the PrinterLogic CA, enabling the attacker to sign certificates that are trusted by the Windows client. This could lead to interception or decryption of TLS-protected communications, and facilitate man-in-the-middle or impersonation attacks against the product's network communications.
Users can update to Vasion Print Virtual Appliance Host version 25.1.102 and Application version 25.1.1413 or later to address this vulnerability.
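An added example (not from the advisory or the vendor) of auditing a Windows client directory for the embedded private key and password described above, reporting only file, line and finding type. It assumes the key is stored as PEM text and the password as a `key=value` setting in ASCII/UTF-8 files; the function names, the directory argument and the sample file contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# File names come from the advisory; the install directory is supplied by the caller.
TARGET_FILES = ("clientsettings.dat", "defaults.ini")

# Assumption: private keys appear as PEM armor (newlines may be escaped).
PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
# Assumption: the password is a key=value (or key: value) setting with a non-empty value.
PASSWORD = re.compile(
    rb"(?im)^[ \t]*[\w.\-]*(?:password|passwd|pwd)[\w.\-]*[ \t]*[=:][ \t]*\S+")


def audit_client_dir(directory):
    """Return sorted (file, line, finding) tuples; secret values are never returned."""
    findings = []
    for name in TARGET_FILES:
        path = Path(directory) / name
        if not path.is_file():
            continue
        data = path.read_bytes()
        for pattern, label in ((PEM_KEY, "embedded private key"),
                               (PASSWORD, "embedded password")):
            for match in pattern.finditer(data):
                # 1-based line number of the start of the match
                line = data.count(b"\n", 0, match.start()) + 1
                findings.append((name, line, label))
    return sorted(findings)


def demo():
    """Run the audit over constructed sample files (not real product data)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "defaults.ini").write_bytes(
            b"[client]\nserver=print.example.test\nadmin_password=CONSTRUCTED\n")
        Path(tmp, "clientsettings.dat").write_bytes(
            b"ca_cert=-----BEGIN CERTIFICATE-----\\nAAAA\\n-----END CERTIFICATE-----\n"
            b"ca_key=-----BEGIN PRIVATE KEY-----\\nAAAA\\n-----END PRIVATE KEY-----\n")
        return audit_client_dir(tmp)


if __name__ == "__main__":
    for name, line, label in demo():
        print(f"{name}:{line}: {label}")
```

Files stored in another encoding (for example UTF-16) or in an encoded container would need decoding before these patterns apply.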