Lexmark Cloud Release Notes

12.22.2024

[Feature][Security] Cloud Print Management Update (293656)

ACTION REQUIRED – Lexmark Print Management Client (LPMC) 3.5.0 is now available.  

LPMC 3.5.0 addresses a security vulnerability present in the LPMC versions 3.0 through 3.4. Lexmark recommends that all customers using the affected LPMC versions update as soon as possible. For additional details on the security vulnerability, please see below.

This release contains additional changes: 

The folder structure for the LPMC data folders has changed for some operating systems. 

On Windows, the folder for the configuration file is unchanged. It remains c:\programdata\lpmc.  

On Mac, the folder for the configuration file has changed to /var/Lexmark/PrintManagementClient

On Ubuntu, the folder for the configuration file is unchanged. It remains /etc/Lexmark/PrintManagementClient

The user’s print jobs are now stored within a jobs folder under the main LPMC data folder. For example, the LPMC for Windows uses the c:\programdata\lpmc\jobs folder. Each user on the system will have a subfolder for their own data under the jobs folder.  

All log files have moved to the logs folder under the base data folder. For example, the LPMC for Windows puts all logs in the c:\programdata\lpmc\logs folder. 

ACTION REQUIRED: Please ensure that any rules for antivirus software and other security software you may use are updated to reflect the new folder structure. 

The LPMC 3.5.0 uses a new configuration.json file format, replacing the previous configuration.xml and DirectPrintConfiguration.xml files.  

The LPMC will automatically convert your existing xml files to the new configuration.json format at install time. This applies to initial installations as well as upgrades from previous versions of LPMC 3.x. 

The LPMC Configuration Guide describes the new format. This configuration guide is also present in the installation folder (C:\Program Files\Lexmark\Print Management Client on Windows).  

In addition to addressing the security issue previously mentioned, LPMC release 3.5.0 includes additional security improvements, such as updated controls around folder permissions for the LPMC. 

When downloading custom packages for the LPMC, PCL/XL and PS3 Emulation drivers are available. A custom LPMC installer package containing a PCL 5 driver is no longer available from the LCS web portal. If you need an LPMC installer that includes a PCL 5 driver, please contact Lexmark Technical Support to obtain that installer package. 

 

Technical Information for CVE-2024-11348

Summary

Lexmark has identified a vulnerability in our Lexmark Print Management Client (LPMC). 

References

CVE: CVE-2024-11348

CWE: CWE-843 

Details

A Reliance on Untrusted Inputs in a Security Decision vulnerability has been identified in the Lexmark Print Management Client.

CVSSv3 Base Score: 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Impact Subscore: 6.0

Exploitability Subscore: 2.5

 

Affected Products

The vulnerability exists in LPMC 3.0.0 through 3.4.0. If the LPMC version falls into this range, upgrade to version 3.5.0 or later.
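The following triage script is an added example, not Lexmark code. It applies the affected range stated above to a software inventory and compares versions numerically, because a plain string comparison would rank "3.10.0" below "3.5.0". The inventory layout, hostnames and the status labels are assumptions made for illustration.

```python
import csv
import io
import re

# Range stated in the advisory: 3.0.0 through 3.4.0 affected, 3.5.0 or later fixed.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 4, 0)
FIXED = (3, 5, 0)

# Constructed sample inventory (hostnames, columns and versions are hypothetical).
SAMPLE_INVENTORY = """host,os,lpmc_version
ws-001,Windows,3.4.0
ws-002,Windows,3.5.0
mac-007,Mac,3.2.1
lin-003,Ubuntu,3.10.0
ws-004,Windows,2.9.0
ws-005,Windows,unknown
mac-008,Mac,3.4
"""

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if not a 1-3 part dotted version."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # "3.4" is treated as 3.4.0

def classify(version_text):
    """Map a reported version to affected / fixed / unlisted / unparseable."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"   # needs manual review
    if v >= FIXED:
        return "fixed"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    return "unlisted"          # outside the range the advisory names; manual review

def triage(inventory_csv):
    """Group hostnames by status, preserving inventory order."""
    results = {"affected": [], "fixed": [], "unlisted": [], "unparseable": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        results[classify(row["lpmc_version"])].append(row["host"])
    return results

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

Hosts reported as unlisted or unparseable are not covered by the stated range and should be checked by hand rather than assumed safe.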

Obtaining Updated Software

Customers can download the latest LPMC release through the Lexmark Cloud web portal. 

Workarounds

Lexmark recommends updating the LPMC version if affected.

 

Exploitation and Public Announcements

Lexmark is not aware of any malicious use of the vulnerability described in this disclosure.

 

Status of this Notice:

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND IS PROVIDED WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OR WARRANTY WHATSOEVER, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR USE OR PURPOSE. LEXMARK RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Distribution

The final advisory will be posted on Lexmark’s web site at http://support.lexmark.com/alerts

Future updates to this document will be posted on Lexmark’s web site at the same location.

Revision History

Revision   Date                       Reason

0.1          22 December 2024   Initial draft

 

The vulnerability exists in the Windows, Mac, and Linux clients. It is present in all LPMC releases from LPMC 3.0.0 through LPMC 3.4.0.

An attacker could exploit this vulnerability to achieve the following:

Launch an arbitrary process under the SYSTEM or root context, depending on the operating system.

Delete folders on the workstation, including folders that typically require Administrator or other elevated permissions to access.

Lexmark has released LPMC 3.5.0 to address this issue. 

Action Required:

Lexmark strongly recommends that all customers currently using LPMC 3.0 through 3.4.0 update immediately to address this issue.

We apologize for any inconvenience this may cause and appreciate your prompt attention to this matter. If you have any questions or need assistance, please contact your Lexmark account team or contact the Technical Support Center. Contact information is available at https://support.lexmark.com/en_us/contact-support.html

 

Note:

Remote update to the LPMC v3.5.0 has been temporarily disabled to prevent disruption for customers who must update security rules. It will be re-enabled in February 2025.  Until then, users must be upgraded either manually or via their corporate deployment tools.

12.11.2024

[Enhancement][Feature] Cloud Fleet Management Update (260666)

Printer Login Methods and Permissions

Cloud Fleet Management (CFM) Configurations can now be used to configure device security permissions and to author local and network login methods that can be assigned to and enforced on a fleet of Lexmark print devices. Supported login methods include LDAP, Kerberos 5, LDAP+GSSAPI, username/password, username, password, or PIN. Login methods are supported by the Fleet Agent, Native Agent and Printer Agent.

Conformance and enforcement support login methods, device settings, and firmware to ensure a device's configuration remains in compliance with a customer's security posture.

Secure access features in Lexmark products and solutions ensure that only authenticated and authorized users can access sensitive, valuable, and protected information. This solution helps customers easily change passwords to support their rotational password policies.

Additional notes:

1. Currently, conformance and enforcement operations for Login Methods and Permissions are only supported by the Fleet Agent, v2.1.8.

2. Support for login methods and permissions as part of a CFM configuration is available only on devices announced in 2016 or later.

3. Login methods and permissions deployed through CFM will overwrite any previous device security settings and login methods.

 

[Enhancement][Feature] Cloud Fleet Management Update (260666)

Fleet Agent version 2.1.8 is now available.

Supports Printer Login Methods and Permissions in CFM configurations.

 

12.6.2024

[Feature] Cloud Fleet Management Update (286043)

A new version of the Printer Enrollment Tool (PET), v2.17.0, is now available.

The PET is now using your default browser for authentication. Using the default browser is the industry standard and provides a higher level of security. This PET update follows similar updates by other Lexmark Cloud Services components.