Horizon3 researchers have discovered a new flaw in PaperCut NG/MF print management software, currently tracked as CVE-2023-39143. The vulnerability does not have a CVSS score yet, but it is categorized as “Very Critical.” This flaw affects PaperCut servers running on Windows. It enables unauthenticated attackers to read, delete, and/or upload files on the server, potentially resulting in remote code execution in instances where the “External Device Integration” setting is enabled. (This setting is “ON” by default in most installations.) It is estimated that this vulnerability currently affects the vast majority of PaperCut customers. PaperCut and Horizon3 recommend upgrading to the latest version of PaperCut’s print management software, PaperCut NG/MF version 22.1.3.
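As an added triage helper (not Horizon3’s or PaperCut’s own tooling), the script below encodes the affected conditions stated above, a Windows host, a version below 22.1.3, and External Device Integration enabled, and ranks a constructed server inventory by upgrade priority; the inventory format, field names and hostnames are assumptions.

```python
import re

FIXED_VERSION = (22, 1, 3)  # PaperCut NG/MF version that addresses CVE-2023-39143


def parse_version(text: str) -> tuple:
    """Turn a PaperCut version string such as '22.0.12' into a comparable tuple.
    Any trailing qualifier after the numeric part is ignored; a missing patch
    component is treated as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def triage(host: dict) -> str:
    """Classify one server record against the advisory's conditions.
    Returns one of: 'patched', 'not-in-scope', 'upgrade', 'upgrade-urgent'."""
    if parse_version(host["version"]) >= FIXED_VERSION:
        return "patched"
    if host["os"].lower() != "windows":
        return "not-in-scope"  # the advisory scopes CVE-2023-39143 to Windows hosts
    # Vulnerable Windows host. The advisory ties the remote code execution
    # outcome to External Device Integration being enabled (ON by default),
    # so those hosts get the highest priority.
    return "upgrade-urgent" if host["external_device_integration"] else "upgrade"


# Constructed sample inventory (hypothetical hostnames, versions and settings).
SAMPLE_INVENTORY = [
    {"host": "print-01", "os": "Windows", "version": "22.0.12", "external_device_integration": True},
    {"host": "print-02", "os": "Windows", "version": "22.1.3", "external_device_integration": True},
    {"host": "print-03", "os": "Linux", "version": "21.2.11", "external_device_integration": True},
    {"host": "print-04", "os": "Windows", "version": "22.1.1", "external_device_integration": False},
]


def triage_all(inventory=SAMPLE_INVENTORY) -> dict:
    """Map each hostname in the inventory to its triage verdict."""
    return {h["host"]: triage(h) for h in inventory}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name}: {verdict}")
```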
PaperCut servers have been a popular target for criminals since spring. On April 20th, 2023, another CVE was published, CVE-2023-27350, with a severity rating of 9.8 out of 10. The following month, Microsoft Threat Intelligence and the Cybersecurity and Infrastructure Security Agency (CISA) released separate advisories indicating that attacks exploiting this vulnerability against unpatched PaperCut instances had spread to malicious actors across the globe, including known ransomware gangs and state agencies. As with this earlier vulnerability, attackers can manipulate files without any authentication or user interaction.
If upgrading immediately is not possible because of production or uptime requirements, it is recommended that network access be configured to segregate vulnerable PaperCut servers from any resources that are not absolutely necessary. Additionally, threat hunting should be conducted in any environment where a vulnerable server was present, even after patching and/or segregating it.
To read Horizon3’s full report, including commands to check if your version of PaperCut is vulnerable, visit: www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/
Microsoft’s original advisory regarding CVE-2023-27350: https://twitter.com/MsftSecIntel/status/1651346653901725696
CISA’s original advisory regarding CVE-2023-27350: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a