PrinterLogic has patched nine vulnerabilities in Web Stack and Virtual Appliance, the most severe ones, tracked as CVE-2021-42631, CVE-2021-42635, and CVE-2021-42638, are rated as high severity flaws (CVSS base score of 8.1).
Below is the list of vulnerabilities fixed by Paranoids:
- CVE-2021-42631: Object Injection leading to RCE
- CVE-2021-42635: Hardcoded APP_KEY leading to RCE
- CVE-2021-42638: Misc command injections leading to RCE
- CVE-2021-42633: SQLi may disclose audit logs
- CVE-2021-42637: Blind SSRF
- CVE-2021-42639: Misc reflected XSS
- CVE-2021-42640: Driver assignment IDOR
- CVE-2021-42641: Username/email info disclosure
- CVE-2021-42642: Printer console username/password info disclosure
An attacker can trigger these three vulnerabilities to remotely execute arbitrary code on vulnerable systems.
CVE-2021-42631 is an object injection flaw, CVE-2021-42635 is a hardcoded APP_KEY issue, while CVE-2021-42638 is miscellaneous command injections. PrinterLogic pointed out that most of the installs are not internet-facing.
To exploit the PrinterLogic Web Stack server, attackers would need a privileged network position, such as access through a VPN or another vulnerability in an appliance on the edge.
Researchers didn’t disclosed the component affected by the vulnerability in order to give customers some time to address the flaws. All are not directly accessible from open web
The flaws impact all PrinterLogic Web Stack version 126.96.36.199 SP9 and earlier, and Virtual Appliance version 20.0.1304 and earlier, when used with macOS or Linux endpoint client software.
PrinterLogic addressed the issue with the release of Web Stack version 188.8.131.52-SP10, no client software updates are required for Virtual Appliance.