Security Vulnerability Notice
Original Release: May 3, 2019 | Last Revised: May 9, 2019
By exploiting a flaw to forcibly update its configuration data, an attacker can direct the Printer Installer Client to bypass HTTPS hardening or to connect to a different Printer Installer Server. The Printer Installer Client does not correctly verify the origin and integrity of updates. An attacker who successfully exploits these vulnerabilities could run arbitrary code in the context of the Local System account.
This solution prevents Man-in-the-Middle (MITM) attacks in which a bad actor spoofs a trusted entity by tricking the Printer Installer Server into connecting to a malicious host. To mitigate MITM attacks, configure your Printer Installer Server to use the HTTPS protocol as described below:
- Follow the steps outlined here: HTTP and HTTPS Configuration Steps.
- Next, make sure your homeURL is updated to HTTPS. For more information, see Update the Client’s HomeURL.
- In addition, you need to apply the client update described below to secure your Printer Installer environment.
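The following PowerShell function is an added example and is not part of the PrinterLogic advisory or product. It checks the two things the hardening steps above depend on: that the client's homeURL actually uses HTTPS, and that the server at that URL presents a certificate which validates against the checking machine's trust store for that host name (the same validation a correctly hardened client should enforce). The function name and the sample host name are assumptions.

```powershell
# Added example, not PrinterLogic's code. Verifies that a homeURL uses HTTPS and that the
# server's certificate validates (trusted issuer, matching host name, not expired).
# Function name and the sample URL in the usage line are assumptions.
function Test-PrinterInstallerHomeUrl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $HomeUrl
    )

    $uri = [System.Uri] $HomeUrl
    $result = [ordered]@{
        HomeUrl     = $HomeUrl
        UsesHttps   = ($uri.Scheme -eq 'https')
        TlsProtocol = $null
        CertSubject = $null
        CertExpires = $null
        Error       = $null
        Pass        = $false
    }

    if (-not $result.UsesHttps) {
        # A plain-HTTP homeURL can be rewritten by anyone on the network path.
        $result.Error = 'homeURL does not use https://'
        return [pscustomobject] $result
    }

    $port = if ($uri.IsDefaultPort) { 443 } else { $uri.Port }
    $tcp = $null
    $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $port)
        # SslStream's default validation applies the machine trust store and the host-name
        # check; a self-signed or mismatched certificate makes AuthenticateAsClient throw.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($uri.Host)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.TlsProtocol = $ssl.SslProtocol.ToString()
        $result.CertSubject = $cert.Subject
        $result.CertExpires = $cert.NotAfter
        $result.Pass        = $true
    }
    catch [System.Security.Authentication.AuthenticationException] {
        # Untrusted issuer, name mismatch or expiry: a hardened client would refuse this server.
        $result.Error = "certificate validation failed: $($_.Exception.Message)"
    }
    catch {
        $result.Error = "connection failed: $($_.Exception.Message)"
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
    return [pscustomobject] $result
}

# Usage (the host name is a constructed placeholder):
# Test-PrinterInstallerHomeUrl -HomeUrl 'https://printerinstaller.example.internal' | Format-List
```

Run it from a workstation that will host the client, not from the server itself, so the trust-store and name checks reflect what the clients will see; a result with Pass = False and a certificate error means the HTTPS configuration is not finished.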
This solution addresses vulnerabilities in how the Printer Installer Client verifies the origin and integrity of its code, and adds sanitization of special characters that could otherwise lead to unauthorized changes to configuration files. To address these issues, apply the latest Printer Installer software update as described below:
- Download the update from: Printer Installer Security Update.
- On the Printer Installer Server, navigate to C:\inetpub\wwwroot\public\client\setup.
- Make a backup copy of your existing Printer Installer Client files before replacing them.
- Copy and replace the Printer Installer Client installation files with the new files provided in the download.
- Navigate to your Printer Installer Admin Console and enable the automatic update option to update your clients. If you want to push out the clients via GPO or using a software deployment tool, follow these instructions.
- To validate the update, verify that each workstation has been updated to the new client version: in the Printer Installer Admin Console, navigate to Tools → Reports → Workstations and click Search to run a report listing each workstation in your environment. As workstations are updated, check the Client Version column in the report. It should show the following updated client version for each platform:
  - Windows: 126.96.36.199
  - Mac: 188.8.131.524
  - Linux: 184.108.40.2064
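The script below is an added example, not PrinterLogic's code, covering the backup and replacement steps of the update procedure. It backs up the client setup directory named in the advisory to a timestamped folder, records a SHA-256 manifest of the original files, and, after the files from the download have been copied in, reports exactly which files were replaced, added or removed, so the change is auditable and can be rolled back from the backup. Function names, the backup root and the manifest file name are assumptions.

```powershell
# Added example, not PrinterLogic's code. Backs up the Printer Installer Client setup
# directory with a SHA-256 manifest, then reports what the update changed.
# The setup path is the one named in the advisory; everything else is an assumption.
$SetupPath = 'C:\inetpub\wwwroot\public\client\setup'

function Get-RelativeFileHashes {
    param([string] $Path)
    $root = (Resolve-Path $Path).ProviderPath.TrimEnd('\')
    $hashes = @{}
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length + 1)
        $hashes[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $hashes
}

function Backup-PrinterInstallerClientFiles {
    param(
        [string] $Path = $SetupPath,
        [string] $BackupRoot = 'C:\PrinterInstallerBackups'   # assumption
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $BackupRoot "client-setup-$stamp"
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # Copy the whole tree, then write a manifest of the originals next to it.
    Copy-Item -Path (Join-Path $Path '*') -Destination $dest -Recurse -Force
    $before = Get-RelativeFileHashes -Path $Path
    $before.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ RelativePath = $_.Key; Sha256 = $_.Value }
    } | Export-Csv -Path (Join-Path $dest 'manifest-before.csv') -NoTypeInformation
    return $dest
}

function Compare-PrinterInstallerClientFiles {
    param(
        [Parameter(Mandatory = $true)] [string] $BackupDir,
        [string] $Path = $SetupPath
    )
    $before = @{}
    Import-Csv (Join-Path $BackupDir 'manifest-before.csv') |
        ForEach-Object { $before[$_.RelativePath] = $_.Sha256 }
    $after = Get-RelativeFileHashes -Path $Path

    # Classify every file seen before or after the update.
    foreach ($rel in (@($before.Keys) + @($after.Keys) | Sort-Object -Unique)) {
        $state = if (-not $after.ContainsKey($rel))       { 'Removed' }
                 elseif (-not $before.ContainsKey($rel))  { 'Added' }
                 elseif ($before[$rel] -ne $after[$rel])  { 'Replaced' }
                 else                                     { 'Unchanged' }
        [pscustomobject]@{ RelativePath = $rel; State = $state; Sha256After = $after[$rel] }
    }
}

# Usage: back up, copy the files from the PrinterLogic download over $SetupPath, then compare.
# $backup = Backup-PrinterInstallerClientFiles
# Compare-PrinterInstallerClientFiles -BackupDir $backup |
#     Where-Object State -ne 'Unchanged' | Format-Table
```

Keeping the manifest with the backup means a later review can confirm that only the files shipped in the security update were touched on the server, and the backup folder is what you restore from if a client rollout has to be reverted.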
If you have questions about these solutions, contact PrinterLogic Product Support for assistance.
Related CVEs: CVE-2018-5408, CVE-2018-5409, CVE-2019-9505