Vasion Print Cleartext Password Storage Vulnerability

A vulnerability exists in Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application in both VA and SaaS deployments, where network account credentials are stored in cleartext in the /etc/issue file, which is world-readable by default. This allows an attacker with local shell access to read the file and obtain the username and password. With these credentials, the attacker can access the appliance interface to change network parameters, potentially leading to local misconfigurations, network disruptions, or further escalation, depending on the deployment.

Impact

Exploitation of this vulnerability allows for unauthorized access to network account credentials, which can be used to manipulate network settings via the appliance interface. This could result in local misconfigurations, network disruptions, or unauthorized privilege escalation, based on the specific deployment and the accessed credentials.

Remediation

Users can update to Vasion Print, Virtual Appliance Host v22.0.1049 / Application v20.0.2786, or later versions. For Vasion Print (formerly PrinterLogic), the Windows Client can be updated to Version 25.0.0.897 or later. If preferred, this update can be pushed via third-party software using the Client installation package available from the Vasion Trust Center.