CVE-2023-27351: APRIL 19 UPDATE | PaperCut MF/NG vulnerability bulletin (March 2023)

We have received two vulnerability reports from a 3rd party cyber security company (Trend Micro), for high/critical severity security issues in PaperCut MF/NG. We have evidence to suggest that unpatched servers are being exploited in the wild.

As a precaution, we are not able to reveal too much about these vulnerabilities. We have documented what we can disclose below.

Critical: Please note that as of 18th April, 2023 we have evidence to suggest that unpatched servers are being exploited in the wild, (particularly ZDI-CAN-18987 / PO-1216).

Our immediate advice is to upgrade your PaperCut Application Servers to one of the fixed versions listed below if you haven’t already.

If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding the Application Server and restoring the database from a ‘safe’ backup point prior to when you discovered any suspicious behavior. We have also updated the FAQ “How do I know if my server has been exploited?” question below.

Important: Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. We highly recommend upgrading to one of these versions containing the fix (see the Where can I get the upgrade? question below).

ZDI-CAN-18987 / PO-1216

(also identified as CVE-2023–27350)

We have confirmed that under certain circumstances this allows for an unauthenticated attacker to get Remote Code Execution (RCE) on a PaperCut Application Server. This could be done remotely and without the need to log in.

This vulnerability has been rated with a CVSS score of 9.8.

ZDI-CAN-19226 / PO-1219

(also identified as CVE-2023–27351)

We have confirmed that under certain circumstances this allows for an unauthenticated attacker to potentially pull information about a user stored within PaperCut MF or NG - including usernames, full names, email addresses, office/department info and any card numbers associated with the user. The attacker can also retrieve the hashed passwords for internal PaperCut-created users only (note that this does not include any password hashes for users sync’d from directory sources such as Microsoft 365 / Google Workspace / Active Directory and others). This could be done remotely and without the need to log in. We do not have any evidence of this vulnerability being used against customers at this point.

This vulnerability has been rated with a CVSS score of 8.2.

Product status and next steps

Which PaperCut products are impacted, and what are the actions required?

ZDI-CAN-18987 / PO-1216
CVE-2023–27350

ZDI-CAN-19226 / PO-1219
CVE-2023–27351

What versions are impacted?

PaperCut MF or NG version 8.0 or later, on all OS platforms

PaperCut MF or NG version 15.0 or later, on all OS platforms

Which PaperCut MF or NG components are impacted?

Application Servers are impacted
Site Servers are impacted

Application Servers are impacted

Which PaperCut components or products are NOT impacted?

PaperCut MF/NG secondary servers (Print Providers).
PaperCut MF/NG Direct Print Monitors (Print Providers).
PaperCut Hive.
PaperCut Pocket.
Print Deploy.
Mobility Print.
PaperCut User Client software.

PaperCut MF/NG secondary servers (Print Providers).
PaperCut MF/NG Direct Print Monitors (Print Providers).
PaperCut MF/NG site servers.
PaperCut Hive.
PaperCut Pocket.
Print Deploy.
Mobility Print.
PaperCut User Client software.

Next steps

We recommend that you upgrade all Application Servers and Site Servers (see Upgrade documentation)

You will not need to patch Secondary Servers (Print Providers / Direct Print Monitors) - but you can if you prefer.

We recommend that you upgrade all Application Servers and Site Servers (see Upgrade documentation). Even though the Site Server is not impacted by this vulnerability, you will need to upgrade them to match the version number of the Application Server.

You will not need to patch Secondary Servers (Print Providers / Direct Print Monitors) - but you can if you prefer.

FAQs

Q Where can I get the upgrade?

Please follow your usual upgrade procedure. Additional links on the ‘Check for updates’ page (accessed through the Admin interface > About > Version info > Check for updates) will allow customers to download fixes for previous major versions which are still supported (e.g. 20.1.7 and 21.2.11) as well as the current version available.

If you are using PaperCut MF, we highly recommend following your regular upgrade process. Your PaperCut partner or reseller information can also be found on the ‘About’ tab in the PaperCut admin interface.

Q Is there any impact from applying the upgrade?

There should be no negative impact from applying these security fixes. No other manual steps need to be taken.

Q Where are the release notes for these fixes?

You can see the release notes pages for PaperCut MF and NG which list all fixes included per version:

• MF - 20.1.7, 21.2.11, 22.0.9
• NG - 20.1.7, 21.2.11, 22.0.9

Q What are the CVSS scores for these vulnerabilities?

Vulnerability: ZDI-CAN-18987 / PO-1216

• Score: 9.8 (Critical)
• Breakdown: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability: ZDI-CAN-19226 / PO-1219

• Score: 8.2 (High)
• Breakdown: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Q Is there more information available about these vulnerabilities?

Not at this time - to give customers a chance to upgrade, we are not releasing further details about these vulnerabilities.

Trend Micro have also advised they will disclose further information (TBD) about the vulnerability on 10th May 2023. For more information, see https://www.zerodayinitiative.com/advisories/upcoming/ (filter on “PaperCut”).

Q Is there a mitigation for these vulnerabilities if I don’t want to upgrade?

ZDI-CAN-18987 / PO-1216:

• No practical pre-patch mitigation strategy has been identified. Customers will need to patch to address the issue.

ZDI-CAN-19226 / PO-1219:

• Apply “Allow list” restrictions under Options > Advanced > Security > Allowed site server IP addresses. Set this to only allow the IP addresses of verified Site Servers on your network.

Q How do I know if my server has been exploited?

There is not currently a 100% solid way to tell if your server(s) have been exploited.

We recommend a review of server access logs and virus and malware scanner results. From a PaperCut point of view we also recommend:

• Look for suspicious activity in Logs > Application Log, within the PaperCut admin interface.
• Keep an eye out in particular for any updates from a user called [setup wizard].
• Look for new (suspicious) users being created, or other configuration keys being tampered with.
• Look for any suspicious processes being run on the Application Server - particularly processes owned by pc-app.exe.
• If your Application Server server logs happen to be in debug mode, check to see if there are lines mentioning SetupCompleted at a time not correlating with the server installation or upgrade. Server logs can be found e.g. in [app-path]/server/logs/. where server.log is normally the most recent log file.

However, these are only examples of suspicious activity - if an attacker does gain access through an unpatched vulnerability, they may also work to cover their steps.

If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding the Application Server and restoring the database from a ‘safe’ backup point prior to when you discovered any suspicious behavior.

Q Is there a maintenance release for versions 19 or older?

No - versions 19 and older are now “end of life”, as documented on our End of Life Policy page.

We recommend purchasing an updated license, which you can do online if you’re using PaperCut NG, or through your PaperCut Partner if you’re using PaperCut MF. You can find your PaperCut Partner contact information through the ‘About’ or ‘Help’ tab in the PaperCut administration interface.

Q I have a version 20 license, but no current M&S (maintenance and support) - can I still get this fix?

Yes! As long as you are running a version which is currently supported (version 20 or later) you can upgrade to whichever maintenance release version you’re licensed for. For example if you are licensed for version 20 but you don’t have a valid license for version 21, you can update to version 20.1.7 as above. See the ‘Where can I get the upgrade?’ question above for more details.

See our Upgrade Policy page for more information on licensing and upgrades.

Acknowledgements

PaperCut would like to thank the researchers working with Trend Micro for reporting these issues and working with us to help protect our customers:

• ZDI-CAN-19226 - Discovered by: Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative
• ZDI-CAN-18987 - Discovered by: Anonymous

Trend Micro have also advised they will disclose further information (TBD) about the vulnerability on 10th May 2023. For more information, see https://www.zerodayinitiative.com/advisories/published/ (filter on “PaperCut”).

Security Updates

In order to get notifications of security fixes please subscribe to our security notifications list via our sign up form.

Updates

Date

Update/Action

10th January 2023

Vulnerability reported to PaperCut, by Trend Micro (see ZDI-CAN-18987 and ZDI-CAN-19226).

8th March 2023

Released PaperCut MF and NG versions 20.1.7, 21.2.11 and 22.0.9 containing a fix for these vulnerabilities.
Published this KB article documenting the vulnerability information.
Sent communications to PaperCut partners and PaperCut security notifications email list.

14th March 2023

Trend Micro published additional details of the vulnerability on their website: ZDI-CAN-18987 and ZDI-CAN-19226.

19th April 2023

Updated this KB with new information discovered on the 18th April - indicating evidence to suggest that unpatched servers are being exploited in the wild.

Categories: FAQ, Security and Privacy

Keywords: