Lexmark has released an update for its Markvision Enterprise printer management software to address serious vulnerabilities that could allow a remote attacker to execute arbitrary code on the server hosting the product.
Markvision Enterprise is a web-based tool that allows IT professionals to manage up to 20,000 networked printers, regardless of the manufacturer.
Researchers at Digital Defense discovered that the product is affected by a critical vulnerability that can be exploited by an unauthenticated attacker to retrieve arbitrary files from the system or cause a denial-of-service (DoS) condition. Experts said the software is also impacted by an issue that allows an authenticated hacker to upload arbitrary files and execute code with elevated privileges.
Lexmark has described Digital Defense’s findings as a remote code execution vulnerability, which the company tracks as CVE-2016-6918. According to the printer giant, several weaknesses can be combined to conduct an attack that results in the system getting compromised.
When installed, Markvision Enterprise stores an encrypted copy of the user-set administrator credentials in a text file. One of the problems is that the product uses an older version of Apache Flex BlazeDS that has a serious vulnerability. The flaw in question, tracked as CVE-2015-3269, can be exploited to read arbitrary files via specially crafted Action Message Format (AMF) messages.
An attacker can exploit this BlazeDS vulnerability to retrieve the file storing the admin credentials. The credentials can be easily decrypted and then used to log in to the Markvision Enterprise application.
Once authenticated, the hacker can exploit an arbitrary file upload vulnerability to place a web shell in the application’s root directory, giving them access to the host operating system with SYSTEM privileges. According to Lexmark, this vulnerability is similar to CVE-2014-8741, which the company patched in December 2014.
The vulnerabilities found by Digital Defense were resolved in late September with the release of Markvision Enterprise 2.4.1. Lexmark says it’s not aware of any attacks in the wild.
As a workaround, users can change the Markvision Enterprise admin password after installation. The encrypted password stored in the text file is not updated after installation, preventing attackers from obtaining the credentials.
Related: Hackers Can Hijack Dell Email Security Appliances
Related: Critical Flaws Found in Dell SonicWALL Product
Related: EMC Patches Critical Flaws in VMAX Storage Products
