Vasion Print
- < 22.0.951
A vulnerability exists in Vasion Print Virtual Appliance Host versions prior to 22.0.951 and Application versions prior to 20.0.2368. This vulnerability involves shared, hardcoded SSH host private keys that are included in the appliance image. The same private keys (RSA, ECDSA, and ED25519) are used across different installations, rather than being uniquely generated for each appliance. An attacker who acquires these private keys from a compromised appliance image or another installation can impersonate the appliance, decrypt or intercept SSH connections to other appliances using the same keys, and conduct man-in-the-middle or impersonation attacks on administrative SSH sessions.
Exploitation of this vulnerability allows for unauthorized SSH key access, enabling interception or decryption of SSH connections and impersonation of the appliance in administrative sessions.
Users can update to Vasion Print Virtual Appliance Host version 22.0.951 and Application version 20.0.2368, both of which include the necessary fixes. Instructions for updating the Virtual Appliance can be found in the Vasion Print Client Updates documentation.