Vasion Print Insecure SSL Verification Allows Man-in-the-Middle Attacks
Vulnerability
A vulnerability exists in Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1049 and Application versions prior to 20.0.2786. This vulnerability allows for insecure SSL communications to printers and internal microservices, disabling crucial certificate verifications. The application improperly configures libcurl/PHP transport options, effectively nullifying SSL verification for host and peer certificates. Additionally, certain environment variables are employed to disable verification for gateway and microservice endpoints. Consequently, this oversight permits on-path attackers to intercept and manipulate sensitive data, including print jobs and authentication tokens, or disrupt services.
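The misconfiguration described above, as an added illustration that is not Vasion's code: a libcurl/PHP option set that disables peer and host verification, a hardened equivalent, and a small audit helper a defender could run over their own option arrays. The CA bundle path and the `DISABLE_SSL_VERIFY` environment variable name are placeholders for this example; the advisory does not name the product's actual variables.

```php
<?php
// Weak form: both peer-certificate and hostname checks are off, so any
// on-path party presenting any certificate is accepted as the printer or
// microservice.
function insecureTransportOptions(string $url): array {
    return [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false, // trust chain not validated
        CURLOPT_SSL_VERIFYHOST => 0,     // certificate name never matched to host
    ];
}

// Hardened form: verification on, with an explicit CA bundle so internal
// endpoints issued by a private CA still validate. Bundle path is a placeholder.
function hardenedTransportOptions(string $url, string $caBundle = '/etc/ssl/internal-ca.pem'): array {
    return [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,     // 2 is the only value that checks the name
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
    ];
}

// Audit helper: explains why a given option set would let an on-path attacker
// read or alter traffic. DISABLE_SSL_VERIFY is a hypothetical variable standing
// in for the advisory's "environment variables that disable verification".
function auditTransportOptions(array $opts, array $env = []): array {
    $findings = [];
    if (($opts[CURLOPT_SSL_VERIFYPEER] ?? true) === false) {
        $findings[] = 'CURLOPT_SSL_VERIFYPEER disabled: peer certificate not validated';
    }
    if ((int)($opts[CURLOPT_SSL_VERIFYHOST] ?? 2) !== 2) {
        $findings[] = 'CURLOPT_SSL_VERIFYHOST != 2: hostname not matched against certificate';
    }
    if (!empty($env['DISABLE_SSL_VERIFY'])) {
        $findings[] = 'environment requests a verification bypass; must not be honoured';
    }
    return $findings; // empty array means the transport options are acceptable
}

// Constructed inputs: the weak set yields two findings, the hardened set none.
print_r(auditTransportOptions(insecureTransportOptions('https://printer.internal'), ['DISABLE_SSL_VERIFY' => '1']));
print_r(auditTransportOptions(hardenedTransportOptions('https://printer.internal')));
```

To apply the hardened set to a real handle, pass it to `curl_setopt_array($ch, hardenedTransportOptions($url))`; with verification on, an interposed certificate makes `curl_exec` fail with `CURLE_PEER_FAILED_VERIFICATION` instead of silently succeeding.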
Impact
Exploitation of this vulnerability could lead to man-in-the-middle attacks, allowing interception and modification of data between the application and printers or microservices. This could include eavesdropping on and altering print jobs, configurations, and authentication tokens, as well as injecting malicious payloads or causing service disruptions.
Remediation
Users can update to Vasion Print Virtual Appliance Host v22.0.1049 and Application v20.0.2786, both of which include the necessary fixes. For those using the Vasion Windows Client, an update to Version 25.0.0.897 or later is required.
