10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
65.4%
PrinterLogic Print Management Software fails to validate SSL and software update certificates, which could allow an attacker to reconfigure the software and remotely execute code. In addition, the PrinterLogic agent does not sanitize browser input allowing a remote attacker to modify configuration settings. These vulnerabilities may result in a remote attacker executing code on workstations running the PrinterLogic agent.
PrinterLogic versions up to and including 18.3.1.96 are vulnerable to multiple attacks. The PrinterLogic agent, running as SYSTEM, does not validate the PrinterLogic Management Portal’s SSL certificate, validate PrinterLogic update packages, or sanitize web browser input.
CVE-2018-5408: The PrinterLogic Print Management software does not validate, or incorrectly validates, the PrinterLogic management portal’s SSL certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host. (CWE-295)
CVE-2018-5409: PrinterLogic Print Management software updates and executes the code without sufficiently verifying the origin and integrity of the code. An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit. (CWE-494)
CVE-2019-9505: PrinterLogic Print Management software does not sanitize special characters allowing for remote unauthorized changes to configuration files. (CWE-159)
An unauthenticated attacker may be able to remotely execute arbitrary code with SYSTEM privileges.
Update PrinterLogic Print Management Software <https://www.printerlogic.com/security-bulletin/>.
169249
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: August 24, 2018 Updated: May 22, 2019
Statement Date: August 24, 2018
Affected
Security vulnerabilities referenced in VU#169249 have been resolved
For more information, please visit: <https://www.printerlogic.com/security-bulletin/>
Group | Score | Vector |
---|---|---|
Base | 7.8 | AV:N/AC:M/Au:N/C:P/I:C/A:N |
Temporal | 7.8 | E:ND/RL:ND/RC:ND |
Environmental | 7.8 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
Thanks to the Adversarial Simulation Team at Sygnia (Sygnia Consulting), led by David Warshavski and Doron Vazgiel, for reporting these vulnerabilities and participating in the coordinated vulnerability disclosure process.
This document was written by Laurie Tyzenhaus.
CVE IDs: | CVE-2018-5408, CVE-2018-5409, CVE-2019-9505 |
---|---|
Date Public: | 2019-05-03 Date First Published: |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5408
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5409
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9505
cwe.mitre.org/data/definitions/159.html
cwe.mitre.org/data/definitions/295.html
cwe.mitre.org/data/definitions/494.html
www.printerlogic.com/security-bulletin/
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
65.4%