Multiple Vulnerabilities reported in PrinterLogic Enterprise Software
Take action: If you are using the PrinterLogic Virtual Appliance, isolate its web interface from the internet as a mitigating control and follow the vendor's guidance for a patched version. If you are using the SaaS platform, reach out to the vendor for patches - the fix is in their hands at the moment.
Security researchers have discovered multiple vulnerabilities in PrinterLogic's enterprise printer management solution during an analysis of PrinterLogic's SaaS platform and the source code of the Virtual Appliance available on their website (Build 1.0.757), including several critical vulnerabilities.
The vulnerabilities could expose organizations to various types of attacks, including:
- authentication bypass
- SQL injection
- cross-site scripting (XSS).
These vulnerabilities could allow malicious actors to bypass authentication, inject malicious code, and gain unauthorized access to sensitive credentials, among other risks.
One significant vulnerability discovered by the researchers is the platform's susceptibility to an authentication bypass attack. This vulnerability enables unauthenticated third parties to access administrative scripts and modify the service's configuration. The root cause of this bug lies in the absence of a centralized framework for authentication and authorization handling within the application. Instead, individual PHP files are responsible for implementing the necessary checks. However, due to some files lacking these checks, unauthenticated access becomes possible by directly accessing their URLs.
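An audit check for the root cause described above, written as an added example from a defender's side rather than taken from PrinterLogic's code: when access control lives in each PHP file instead of a central framework, the practical control is to enumerate every web-reachable script and flag those that never include the guard or call the check. The guard file name `auth_guard.php`, the function `require_auth()`, the public-page allowlist and the sample scripts are all constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed names for illustration: the central guard file and the check it exposes.
AUTH_GUARD_FILE = "auth_guard.php"
PUBLIC_ENTRYPOINTS = {"login.php"}  # scripts that are public by design
INCLUDE_RE = re.compile(r"\b(require|include)(_once)?\b[^;]*auth_guard\.php")
AUTH_CALL_RE = re.compile(r"\brequire_auth\s*\(")

def script_is_guarded(source: str) -> bool:
    """True when the PHP source includes the guard file or calls the auth check."""
    return bool(INCLUDE_RE.search(source) or AUTH_CALL_RE.search(source))

def find_unguarded_scripts(webroot: Path) -> list[str]:
    """List non-public PHP scripts (POSIX relative paths) that carry no auth check."""
    unguarded = []
    for path in sorted(webroot.rglob("*.php")):
        rel = path.relative_to(webroot).as_posix()
        # Each file enforces its own access control, so every non-public script needs one.
        if path.name == AUTH_GUARD_FILE or rel in PUBLIC_ENTRYPOINTS:
            continue
        if not script_is_guarded(path.read_text(encoding="utf-8", errors="replace")):
            unguarded.append(rel)
    return unguarded

# Constructed sample web root: one guarded admin script and one that forgot the check.
SAMPLE_TREE = {
    "auth_guard.php": "<?php function require_auth() {\n"
                      "  if (empty($_SESSION['admin'])) { http_response_code(403); exit; } }",
    "login.php": "<?php session_start(); /* public by design */",
    "admin/settings.php": "<?php require_once __DIR__ . '/../auth_guard.php';\n"
                          "require_auth(); /* safe: checked before editing config */",
    "admin/save_config.php": "<?php /* no guard: reachable by URL without a login */\n"
                             "file_put_contents('config.ini', $_POST['cfg']);",
}

def build_sample_webroot() -> Path:
    """Write SAMPLE_TREE into a fresh temporary directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    for rel, source in SAMPLE_TREE.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(source, encoding="utf-8")
    return root

def audit_sample() -> list[str]:
    """Run the audit over the constructed tree; returns ['admin/save_config.php']."""
    return find_unguarded_scripts(build_sample_webroot())
```

Run against a real deployment, the allowlist of public entry points should be reviewed deliberately, since a script that is wrongly allowlisted is exactly the kind of gap the researchers describe.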
Another critical issue identified by the researchers is the platform's flawed mechanism for preventing SQL injection. In some cases, input validation is absent, which opens the door to potential SQL injection attacks.
The researchers also found multiple instances of cross-site scripting (XSS) vulnerabilities in the application. Exploiting these vulnerabilities could allow attackers to hijack administrator accounts by leaking user session cookies. Additionally, due to the application's failure to issue a new session identifier after login, an attacker possessing a session ID could use it to bypass authentication.
It was further discovered that when logging in as an admin, the URL contains the encoded password, which could be leaked through various means such as "referrer headers, browser history, server logs, proxy logs, URL shortening services," and more.
The application also exhibits insecure practices, such as logging requests that may contain passwords in plaintext and storing passwords using unsalted SHA1 hashing. While the application attempts to obfuscate usernames and passwords during transmission using double base64 encoding, these credentials can still be easily recovered by attackers.
The researchers also noted that most forms in the application lack enforcement of cross-site request forgery (CSRF) checks. Additionally, the application allows administrators to manually upload printer drivers with known vulnerabilities or those that have not been cryptographically signed with valid certificates, and it lacks proper authorization checks.
Other issues identified include the enumeration of user emails through the forgot password function, the inclusion of arbitrary URLs in iframes leading to untrusted file downloads, the ability to rename a host to impersonate another machine, OAuth authentication bypass, cookie values included in the page body, and the utilization of known vulnerable JavaScript libraries.
The researchers reported these vulnerabilities to PrinterLogic in February through a responsible disclosure process. However, as of now, the vendor has not provided a specific timeline for releasing patches. The company acknowledged that some issues affect legacy code and indicated that at least one flaw will not be patched.
More details are available at https://docs.printerlogicva.com/1-Printerlogic/Release_Notes/Security_Bulletin_CVE.htm