Two Security Vulnerabilities Found in Lexmark MarkVision Enterprise Fleet-Management Application


Digital Defense, Inc. (DDI), a provider of vulnerability management as a service (VMaaS), issued a press release today stating that it has discovered two security vulnerabilities in the Lexmark Markvision Enterprise application, which is used for managing fleets of Lexmark and third-party printers and copier/MFPs. The firm says the vulnerabilities can be used to obtain encrypted administrative credentials and decrypt them “with an obtainable static key,” allowing remote administrative access to the MarkVision Enterprise interface.

The firm says that, if exploited, the vulnerabilities would give a cyber-criminal SYSTEM privileges to run remote code, retrieve arbitrary files, and perform denial of service, “potentially disrupting an organization’s operations.”

Collaborating with DDI, Lexmark has provided the following information to assist clients with remediation. To obtain Markvision Enterprise v2.4.1, visit Lexmark here.

About the Vulnerabilities

According to a DDI blog post, details concerning the vulnerabilities, which affect MarkVision Enterprise 2.3.0, are as follows:

“DDI-VRT-2016-73: Unauthenticated XML External Entity Injection via Crafted AMF Message (Critical)
DDI-VRT-2016-74: Authenticated Arbitrary File Upload Remote Code Execution via Crafted AMF Message (requires authentication)
Details:
Vulnerability: Unauthenticated XML External Entity Injection via Crafted AMF Message (CVE-2015-3269, Apache Flex BlazeDS library, blazeds-core-4.6.0.23207.jar)
Impact: Arbitrary file retrieval with SYSTEM privileges, denial of service and full compromise of the Markvision application and host operating system.
Details: No authentication is required to exploit this vulnerability. The Markvision Enterprise web application uses the blazeds-core-4.6.0.23207.jar to provide server side support for the Flash based web application. The version of this library used by the Markvision Enterprise application does not prevent the use of XML external entities which allows an attacker to retrieve arbitrary text files from the system hosting the application with SYSTEM privileges. This vulnerability can be exploited by sending an HTTP POST with the crafted AMF message to retrieve the encrypted, and Base64 encoded, admin credentials stored in a text file. The credentials can be easily decrypted as they are encrypted using a static key “rivet” and algorithm from the Jasypt Java library.

Vulnerability: Authenticated Arbitrary File Upload via Crafted AMF Message
Impact: Remote code execution with SYSTEM privileges.
Details: Authentication is required to exploit this vulnerability. Authenticated users are able to import assets into the Markvision Enterprise application by uploading a CSV file containing the asset information, such as IP address and hostname. When the file is uploaded, the application appends the current time in milliseconds and the “.csv” extension to the filename (original filename of the uploaded file) before storing it. By appending a single null byte to the original filename, the file will be stored with its original filename without appending the time in milliseconds or the “.csv” extension. Additionally, by prepending the filename with one or more “../” (dot dot slashes) and then an arbitrary path, the attacker can write the uploaded file to anywhere on the filesystem with SYSTEM privileges.

By appending the null byte to the filename and using the directory traversal sequence, an attacker can write a web shell into the Markvision Enterprise web application’s root directory, giving the attacker shell access to the hosting OS with SYSTEM privileges. None of the uploadFile methods attempt to sanitize the attacker controlled filename or file content, other than attempting to control part of the filename and the file extension which is easily bypassed.”
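As an added illustration (not Lexmark's or DDI's code), the checks below show how a server-side upload handler can refuse both bypasses the quoted report describes: an embedded NUL byte that truncates the name before the server's suffix is applied, and “../” sequences that move the file out of the upload directory. It is written in Python for readability; the upload directory path is an assumption.

```python
import os
import re

# Assumed upload directory for this illustration; not the product's real path.
UPLOAD_ROOT = "/opt/mve/uploads"

# Allow-list for the client-chosen part of the name: no dots, no separators.
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def check_upload_name(user_filename: str) -> str:
    """Classify a client-supplied filename: 'ok' or the reason it is rejected.

    Each rejection reason is a useful detection signal; a NUL byte or a path
    separator in an upload filename is never legitimate for a CSV import.
    """
    if "\x00" in user_filename:
        return "nul-byte"
    if "/" in user_filename or "\\" in user_filename:
        return "path-separator"
    stem, sep, ext = user_filename.rpartition(".")
    if not sep:                       # no extension supplied at all
        stem = ext
    elif ext.lower() != "csv":
        return "bad-extension"
    if not STEM_RE.match(stem):
        return "bad-stem"
    return "ok"


def stored_path(user_filename: str, now_ms: int, root: str = UPLOAD_ROOT):
    """Return the absolute path the upload will be written to, or None.

    The server, not the client, builds the final name (<stem>-<ms>.csv), and the
    resolved path is re-checked against the upload root as defence in depth.
    """
    if check_upload_name(user_filename) != "ok":
        return None
    stem = user_filename.rpartition(".")[0] or user_filename
    candidate = os.path.realpath(os.path.join(root, f"{stem}-{now_ms}.csv"))
    real_root = os.path.realpath(root)
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None
    return candidate
```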
