Headline
CVE-2023-27351: APRIL 19 UPDATE | PaperCut MF/NG vulnerability bulletin (March 2023)
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.
We have received two vulnerability reports from a 3rd party cyber security company (Trend Micro), for high/critical severity security issues in PaperCut MF/NG. We have evidence to suggest that unpatched servers are being exploited in the wild.
As a precaution, we are not able to reveal too much about these vulnerabilities. We have documented what we can disclose below.
Critical: Please note that as of 18th April, 2023 we have evidence to suggest that unpatched servers are being exploited in the wild (particularly ZDI-CAN-18987 / PO-1216).
Our immediate advice is to upgrade your PaperCut Application Servers to one of the fixed versions listed below if you haven’t already.
If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding the Application Server and restoring the database from a ‘safe’ backup point prior to when you discovered any suspicious behavior. We have also updated the FAQ “How do I know if my server has been exploited?” question below.
Important: Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. We highly recommend upgrading to one of these versions containing the fix (see the Where can I get the upgrade? question below).
ZDI-CAN-18987 / PO-1216
(also identified as CVE-2023-27350)
We have confirmed that under certain circumstances this allows for an unauthenticated attacker to get Remote Code Execution (RCE) on a PaperCut Application Server. This could be done remotely and without the need to log in.
This vulnerability has been rated with a CVSS score of 9.8.
ZDI-CAN-19226 / PO-1219
(also identified as CVE-2023-27351)
We have confirmed that under certain circumstances this allows for an unauthenticated attacker to potentially pull information about a user stored within PaperCut MF or NG - including usernames, full names, email addresses, office/department info and any card numbers associated with the user. The attacker can also retrieve the hashed passwords for internal PaperCut-created users only (note that this does not include any password hashes for users sync’d from directory sources such as Microsoft 365 / Google Workspace / Active Directory and others). This could be done remotely and without the need to log in. We do not have any evidence of this vulnerability being used against customers at this point.
This vulnerability has been rated with a CVSS score of 8.2.
Product status and next steps
Which PaperCut products are impacted, and what are the actions required?
ZDI-CAN-18987 / PO-1216 (CVE-2023-27350)
- What versions are impacted? PaperCut MF or NG version 8.0 or later, on all OS platforms.
- Which PaperCut MF or NG components are impacted? Application Servers are impacted. Site Servers are impacted.
- Which PaperCut components or products are NOT impacted? PaperCut MF/NG secondary servers (Print Providers); PaperCut MF/NG Direct Print Monitors (Print Providers); PaperCut Hive; PaperCut Pocket; Print Deploy; Mobility Print; PaperCut User Client software.
- Next steps: We recommend that you upgrade all Application Servers and Site Servers (see Upgrade documentation). You will not need to patch Secondary Servers (Print Providers / Direct Print Monitors) - but you can if you prefer.
ZDI-CAN-19226 / PO-1219 (CVE-2023-27351)
- What versions are impacted? PaperCut MF or NG version 15.0 or later, on all OS platforms.
- Which PaperCut MF or NG components are impacted? Application Servers are impacted.
- Which PaperCut components or products are NOT impacted? PaperCut MF/NG secondary servers (Print Providers); PaperCut MF/NG Direct Print Monitors (Print Providers); PaperCut MF/NG site servers; PaperCut Hive; PaperCut Pocket; Print Deploy; Mobility Print; PaperCut User Client software.
- Next steps: We recommend that you upgrade all Application Servers and Site Servers (see Upgrade documentation). Even though the Site Server is not impacted by this vulnerability, you will need to upgrade them to match the version number of the Application Server. You will not need to patch Secondary Servers (Print Providers / Direct Print Monitors) - but you can if you prefer.
FAQs
Q Where can I get the upgrade?
Please follow your usual upgrade procedure. Additional links on the ‘Check for updates’ page (accessed through the Admin interface > About > Version info > Check for updates) will allow customers to download fixes for previous major versions which are still supported (e.g. 20.1.7 and 21.2.11) as well as the current version available.
If you are using PaperCut MF, we highly recommend following your regular upgrade process. Your PaperCut partner or reseller information can also be found on the ‘About’ tab in the PaperCut admin interface.
Q Is there any impact from applying the upgrade?
There should be no negative impact from applying these security fixes. No other manual steps need to be taken.
Q Where are the release notes for these fixes?
You can see the release notes pages for PaperCut MF and NG which list all fixes included per version:
- MF - 20.1.7, 21.2.11, 22.0.9
- NG - 20.1.7, 21.2.11, 22.0.9
Q What are the CVSS scores for these vulnerabilities?
Vulnerability: ZDI-CAN-18987 / PO-1216
- Score: 9.8 (Critical)
- Breakdown: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability: ZDI-CAN-19226 / PO-1219
- Score: 8.2 (High)
- Breakdown: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Q Is there more information available about these vulnerabilities?
Not at this time - to give customers a chance to upgrade, we are not releasing further details about these vulnerabilities.
Trend Micro have also advised they will disclose further information (TBD) about the vulnerability on 10th May 2023. For more information, see https://www.zerodayinitiative.com/advisories/upcoming/ (filter on “PaperCut”).
Q Is there a mitigation for these vulnerabilities if I don’t want to upgrade?
ZDI-CAN-18987 / PO-1216:
- No practical pre-patch mitigation strategy has been identified. Customers will need to patch to address the issue.
ZDI-CAN-19226 / PO-1219:
- Apply “Allow list” restrictions under Options > Advanced > Security > Allowed site server IP addresses. Set this to only allow the IP addresses of verified Site Servers on your network.
Q How do I know if my server has been exploited?
There is not currently a 100% solid way to tell if your server(s) have been exploited.
We recommend a review of server access logs and virus and malware scanner results. From a PaperCut point of view we also recommend:
- Look for suspicious activity in Logs > Application Log, within the PaperCut admin interface.
- Keep an eye out in particular for any updates from a user called [setup wizard].
- Look for new (suspicious) users being created, or other configuration keys being tampered with.
- Look for any suspicious processes being run on the Application Server - particularly processes owned by pc-app.exe.
- If your Application Server logs happen to be in debug mode, check to see if there are lines mentioning SetupCompleted at a time not correlating with the server installation or upgrade. Server logs can be found e.g. in [app-path]/server/logs/, where server.log is normally the most recent log file.
However, these are only examples of suspicious activity - if an attacker does gain access through an unpatched vulnerability, they may also work to cover their steps.
If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding the Application Server and restoring the database from a ‘safe’ backup point prior to when you discovered any suspicious behavior.
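The log checks listed above can be scripted so that indicator lines are compared against known install and upgrade times. This is an added example, not PaperCut tooling: the timestamp layout, the sample lines and the names `find_suspicious`, `maintenance_times` and `tolerance` are assumptions made for illustration, and only the two search strings come from the bulletin.

```python
import re
from datetime import datetime, timedelta

# Assumption: each log entry starts with "YYYY-MM-DD HH:MM:SS"; adjust to your files.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# Strings the bulletin says to look for.
INDICATORS = ("SetupCompleted", "[setup wizard]")

# Constructed sample lines (not real PaperCut output).
SAMPLE_LOG = [
    "2023-03-09 10:02:11,120 DEBUG sample: SetupCompleted after planned upgrade",
    "2023-04-14 03:17:45,002 DEBUG sample: SetupCompleted",
    "2023-04-14 03:18:02,551 INFO sample: setting changed by [setup wizard]",
    "2023-04-14 09:00:00,000 INFO sample: print job released",
]

def parse_ts(line):
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None

def find_suspicious(lines, maintenance_times, tolerance=timedelta(hours=2)):
    """Return (timestamp, indicator, line) for every indicator hit that is
    not within `tolerance` of a known install or upgrade time."""
    hits, last_ts = [], None
    for raw in lines:
        line = raw.rstrip("\r\n")
        ts = parse_ts(line)
        if ts is not None:
            last_ts = ts
        indicator = next((i for i in INDICATORS if i in line), None)
        if indicator is None:
            continue
        # Continuation lines inherit the previous entry's timestamp.
        when = ts if ts is not None else last_ts
        # A hit with no usable timestamp is reported rather than dropped.
        expected = when is not None and any(
            abs(when - m) <= tolerance for m in maintenance_times)
        if not expected:
            hits.append((when, indicator, line))
    return hits

if __name__ == "__main__":
    upgrades = [datetime(2023, 3, 9, 10, 0)]  # constructed upgrade time
    for when, indicator, line in find_suspicious(SAMPLE_LOG, upgrades):
        print(f"REVIEW {when} {indicator}: {line}")
```

An empty result does not clear a server: the SetupCompleted lines only exist when debug logging was on, and an attacker may have removed traces.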
Q Is there a maintenance release for versions 19 or older?
No - versions 19 and older are now “end of life”, as documented on our End of Life Policy page.
We recommend purchasing an updated license, which you can do online if you’re using PaperCut NG, or through your PaperCut Partner if you’re using PaperCut MF. You can find your PaperCut Partner contact information through the ‘About’ or ‘Help’ tab in the PaperCut administration interface.
Q I have a version 20 license, but no current M&S (maintenance and support) - can I still get this fix?
Yes! As long as you are running a version which is currently supported (version 20 or later) you can upgrade to whichever maintenance release version you’re licensed for. For example if you are licensed for version 20 but you don’t have a valid license for version 21, you can update to version 20.1.7 as above. See the ‘Where can I get the upgrade?’ question above for more details.
See our Upgrade Policy page for more information on licensing and upgrades.
Acknowledgements
PaperCut would like to thank the researchers working with Trend Micro for reporting these issues and working with us to help protect our customers:
- ZDI-CAN-19226 - Discovered by: Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative
- ZDI-CAN-18987 - Discovered by: Anonymous
Trend Micro have also advised they will disclose further information (TBD) about the vulnerability on 10th May 2023. For more information, see https://www.zerodayinitiative.com/advisories/published/ (filter on “PaperCut”).
Security Updates
In order to get notifications of security fixes please subscribe to our security notifications list via our sign up form.
Updates
- 10th January 2023: Vulnerability reported to PaperCut, by Trend Micro (see ZDI-CAN-18987 and ZDI-CAN-19226).
- 8th March 2023: Released PaperCut MF and NG versions 20.1.7, 21.2.11 and 22.0.9 containing a fix for these vulnerabilities. Published this KB article documenting the vulnerability information. Sent communications to PaperCut partners and PaperCut security notifications email list.
- 14th March 2023: Trend Micro published additional details of the vulnerability on their website: ZDI-CAN-18987 and ZDI-CAN-19226.
- 19th April 2023: Updated this KB with new information discovered on the 18th April - indicating evidence to suggest that unpatched servers are being exploited in the wild.
Related news
LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space. The post Ransomware review: May 2023 appeared first on Malwarebytes Labs.
Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil
We take a look at urgent updates needed for users of PaperCut, after two exploits were found in the wild. The post Update your PaperCut application servers now: Exploits in the wild appeared first on Malwarebytes Labs.
Customers should apply updates to the print management software used by more than 100 million organizations worldwide, with typical US customers found in the SLED sector.