Update your PaperCut application servers now: Exploits in the wild

PaperCut, maker of print management solutions, has urged users of its products to update as soon as possible. Exploitation of unpatched servers has been seen in the wild, with serious consequences for any organisation affected.

Two specific vulnerabilities are at the heart of this alert, rated with severity scores of 9.8 (critical) and 8.2 (high) respectively. Full details of the individual flaws have not been released, in order to reduce the likelihood of more attackers making use of them.

Mitigation

At the time of writing, both security issues have been addressed with patches; once you update your PaperCut application servers, you are no longer at risk from them. A recent search on Shodan shows roughly 1,700 instances of the software currently exposed to the internet. These flaws are severe, so it is well worth your time to get things updated as soon as possible.

From the Updating FAQ:

  • Please follow your usual upgrade procedure. Additional links on the ‘Check for updates’ page (accessed through the Admin interface > About > Version info > Check for updates) will allow customers to download fixes for previous major versions which are still supported (e.g. 20.1.7 and 21.2.11) as well as the current version available.
  • If you are using PaperCut MF, we highly recommend following your regular upgrade process. Your PaperCut partner or reseller information can also be found on the ‘About’ tab in the PaperCut admin interface.

If you’re unable to upgrade

PaperCut advises those who are unable to apply the patches to follow the below steps:

  • Block all inbound traffic from external IPs to the web management port (ports 9191 and 9192 by default)
  • Block all traffic inbound to the web management portal on the firewall to the server. Note: this will prevent lateral movement from internal hosts but management of the PaperCut service can only be performed on that asset.
  • Apply “Allow list” restrictions under Options > Advanced > Security > Allowed site server IP addresses. Set this to only allow the IP addresses of verified Site Servers on your network. Note this only addresses ZDI-CAN-19226 / PO-1219.
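As an added example (not PaperCut's code and not part of the original post), the following Python triage script applies the advice above to a constructed server inventory: it flags servers still below the fixed release for their branch and servers whose default management ports are reachable from external IPs. The 20.1.7 and 21.2.11 fixed versions come from the FAQ quoted above; the 22.x fixed version (22.0.9) and the inventory data are assumptions to verify against the vendor's advisory.

```python
"""Triage PaperCut servers for CVE-2023-27350 / CVE-2023-27351 exposure.
Added example with constructed data; verify fixed versions with the vendor."""
from dataclasses import dataclass

# First fixed release per supported major branch. 20.1.7 and 21.2.11 are from
# PaperCut's updating FAQ; 22.0.9 is an assumption (check the vendor advisory).
FIXED = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}
MGMT_PORTS = {9191, 9192}  # default web management ports named in the advisory


def parse_version(text):
    """'22.0.5 (Build 63914)' -> (22, 0, 5); the build suffix is ignored."""
    core = text.split("(")[0].strip()
    return tuple(int(part) for part in core.split("."))


def needs_patch(version):
    """True if the version is below the fixed release for its branch, or if the
    branch is not in the supported list at all (unsupported branches must upgrade)."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[0])
    return fixed is None or parsed < fixed


@dataclass
class Server:
    host: str
    version: str
    external_ports: set  # management ports reachable from external IPs (constructed)


def triage(servers):
    """Map each host to the actions the advisory calls for."""
    actions = {}
    for srv in servers:
        todo = []
        if needs_patch(srv.version):
            todo.append("upgrade")
        if srv.external_ports & MGMT_PORTS:
            todo.append("block external access to 9191/9192")
        actions[srv.host] = todo
    return actions


# Constructed inventory, not real hosts.
INVENTORY = [
    Server("print-01", "22.0.5 (Build 63914)", {9191}),
    Server("print-02", "21.2.11", set()),
    Server("print-03", "20.1.6", {9192}),
    Server("print-04", "19.2.3", set()),
    Server("print-05", "22.0.9", {9191}),
]

if __name__ == "__main__":
    for host, todo in triage(INVENTORY).items():
        print(host, "->", ", ".join(todo) or "no action")
```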

Exploits

The two vulnerabilities in question are:

CVE-2023-27350: This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability.

CVE-2023-27351: This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system.

In both cases, a compromised system can be used as a foothold for further exploitation after the initial attack. Arbitrary code can be deployed, including ransomware if that is part of the attacker's toolkit. The relative ease with which these flaws can be exploited is one reason for the high severity scores. Indeed, researchers quickly identified two kinds of (legitimate) remote management software being installed in these attacks. Such tools give the attacker persistent remote access to the target network, from which they can burrow ever deeper without the affected organisation noticing.

It will probably be a while before every patchable installation is running the necessary updates. If you are potentially affected, do your part and head over to the updates page immediately.
