Attackers Abuse PaperCut RCE Flaws to Take Over Enterprise Print Servers
Customers should apply updates to the print management software used by more than 100 million organizations worldwide, with typical US customers found in the SLED sector.
Security researchers have revealed new details about how attackers are exploiting two flaws in the PaperCut enterprise print management system — used by more than 100 million customers worldwide — to bypass authentication and execute remote code. The flaws once again highlight the risk that enterprise printers and related systems, an often overlooked threat, pose to the overall security of organizations.
Researchers from PaperCut as well as security companies already have warned that attackers are exploiting the vulnerabilities — patched by PaperCut in a March 8 update to its PaperCut MF and NG products — to take over unpatched versions of the software. Moreover, the Cybersecurity and Infrastructure Security Agency (CISA) added the flaws to its catalog of known exploited vulnerabilities on April 21.
The Zero Day Initiative tracks the flaws as ZDI-CAN-18987 and ZDI-CAN-19226; they also are being tracked as CVE-2023-27350 and CVE-2023-27351, respectively, by NIST’s National Vulnerability Database. The flaws affect PaperCut MF and NG version 8.0 and later, on all OS platforms, according to PaperCut.
Researchers at Horizon3.ai released proof-of-concept exploit code for CVE-2023-27350 — the more dangerous of the two bugs with a CVSS rating of 9.8 versus its companion flaw’s rating of 8.2 — on Monday.
Abusing CVE-2023-27350
The Horizon3.ai team also included a technical analysis of how attackers are abusing “the built-in ‘Scripting’ functionality for printers” to turn the authentication bypass into remote code execution. The system’s Device Scripting page lets an administrator develop hooks that customize printing across the enterprise; these hooks are written in JavaScript and run in the context of the PaperCut service, which on Windows runs as NT AUTHORITY\SYSTEM, the researchers explained.
Because PaperCut’s Web application builds its form fields dynamically from the previous request, writing a script that drives the site is less straightforward than usual; the researchers nevertheless showed how they accomplished it in the proof-of-concept exploit they released on GitHub.
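The detection angle that follows from this mechanism is that abuse of the scripting feature leaves a trail in the server’s own settings: the Metasploit module description later on this page notes that it flips the print-and-device.script.enabled and print.script.sandboxed options and that each change is written to the PaperCut application log. The PowerShell below is an added example, not PaperCut’s, Horizon3.ai’s or Huntress’s code; the log lines are constructed for illustration and the log path is an assumption, so the regular expression must be adapted to the real format of your server.log before it is used.

```powershell
# Added example (not PaperCut's code). The log lines below are CONSTRUCTED
# samples; the real application-log format and path are assumptions to verify.
$SettingsToWatch = @('print-and-device.script.enabled', 'print.script.sandboxed')

# Constructed sample log: one routine line and two configuration changes that
# enable unsandboxed device scripting. Any change to these keys that no
# administrator can account for deserves an investigation.
$SampleLog = @(
    '2023-04-20 10:14:02,117 INFO  PrintJobDispatcher - Job 1192 released to device-2',
    '2023-04-20 10:15:31,004 INFO  ConfigEditor - User "admin" changed config key print-and-device.script.enabled from "N" to "Y"',
    '2023-04-20 10:15:31,221 INFO  ConfigEditor - User "admin" changed config key print.script.sandboxed from "Y" to "N"'
)

function Find-PaperCutScriptingChanges {
    param(
        [string[]]$Lines,
        [string[]]$Keys = $SettingsToWatch
    )
    # Build one alternation of the literal key names (dots escaped).
    $pattern = ($Keys | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($line in $Lines) {
        if ($line -match "config key ($pattern)") {
            [pscustomobject]@{
                Timestamp = $line.Substring(0, 23)   # "yyyy-MM-dd HH:mm:ss,fff"
                Key       = $Matches[1]
                Line      = $line
            }
        }
    }
}

# Run against the constructed sample. For a live check replace $SampleLog with
# Get-Content "$env:ProgramFiles\PaperCut NG\server\logs\server.log" (path assumed).
$hits = @(Find-PaperCutScriptingChanges -Lines $SampleLog)
$hits | Format-Table Timestamp, Key -AutoSize
if ($hits.Count -gt 0) {
    Write-Warning "Device scripting settings were modified; confirm who changed them and when."
}
```

Correlate any hit with the administrator accounts that were actually logged in at that time and with the PaperCut advisory’s indicators of compromise; a change made by an account that nobody recognizes, or that immediately precedes new remote-management software appearing on the host, is the pattern described in this article.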
CVE-2023-27350 exists within the SetupCompleted class and results from improper access control, according to its listing on the Zero Day Initiative website.
“An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM,” according to the listing.
Meanwhile, CVE-2023-27351, also an authentication-bypass RCE bug affecting PaperCut NG, exists within the SecurityRequestFilter class as a result of improper implementation of the authentication algorithm, according to its listing on the Zero Day Initiative website.
Uncovering the PaperCut Bugs
Horizon3.ai’s detailed analysis follows a warning by PaperCut on April 19 that the flaws found in PaperCut NG were under active attack, urging organizations to update to the latest version of the product.
The company said in an advisory that it received its first report from a customer of suspicious activity on their PaperCut server on April 17, though later analysis revealed that the activity may have started as early as April 13.
Researchers from Trend Micro originally reported the issues to PaperCut, which has credited Piotr Bazydlo (@chudypb) for discovering CVE-2023-27351 and an anonymous researcher for discovering CVE-2023-27350.
PaperCut also acknowledged a security research team from security management firm Huntress — including Joe Slowik, Caleb Stewart, Stuart Ashenbrenner, John Hammond, Jason Phelps, Sharon Martin, Kris Luzadre, Matt Anderson, and Dave Kleinatland — for aiding the company’s investigation of the flaws.
On April 21, the Huntress researchers revealed that attackers were exploiting the vulnerabilities to take over compromised servers using both the legitimate Atera and Syncro remote management and maintenance software tools.
“Based on preliminary analysis, both appear to be legitimate copies of these products and do not possess any built-in or added malicious capability,” the Huntress researchers wrote.
While the threats are split into two CVEs, they both “ultimately rely on an authentication bypass that leads to further compromise as an administrative user within the PaperCut Application Server,” the researchers wrote.
Once a threat actor uses a flaw or both flaws to bypass authentication, he or she “may then execute arbitrary code on the server running in the context of the NT AUTHORITY\SYSTEM account,” the researchers wrote.
Huntress researchers also observed post-exploitation evidence in the form of a Truebot payload installation, which, based on Huntress’s previous investigations of similar activity, suggests that exploitation of the PaperCut flaws could be a precursor to Clop ransomware activity.
Huntress security researcher Caleb Stewart also recreated a proof-of-concept exploit to demonstrate how CVE-2023-27350 could be exploited, a video of which is included in the post.
Who’s at Cyber-Risk
PaperCut MF is print management software to support various devices and manage print configurations for printing across an enterprise network. PaperCut NG is companion software for detailed print-job tracking and reporting aimed at helping organizations cut printing paper waste.
The PaperCut print management system has more than a hundred million users in organizations worldwide to help companies minimize waste and facilitate printing across the enterprise, according to PaperCut. In the United States, state, local, and education (SLED) environments are among the typical organizations using the software.
A Shodan query for http.html:"papercut" http.html:"print" showed approximately 1,700 Internet-exposed PaperCut servers, 450 of them belonging to education customers, according to Horizon3.ai.
In the environments it protects, Huntress reported observing 1,014 total Windows hosts with PaperCut installed; the researchers said 9087 of those hosts, spread across 710 distinct organizations, were vulnerable to exploitation.
Only three total macOS hosts, two of which were vulnerable, had PaperCut installed in the environments they observed, the researchers added, noting that they sent incident reports to all customers affected and recommended updates.
Detection and Mitigation
PaperCut included a list of indicators of compromise for its customers in its advisory and advised them to upgrade, assuring that there “should be no negative impact” from applying the security fixes.
However, if a customer can’t upgrade to the latest version — which could be true particularly with an older application version — the company recommended that customers lock down network access to the affected server.
To do this, they can block all inbound traffic from external IP addresses to the Web management ports (9191 and 9192 by default) and, on the firewall in front of the server, block all inbound traffic to the Web management portal.
To mitigate CVE-2023-27351, customers also can apply “Allow list” restrictions to the server found under the Options > Advanced > Security > Allowed site server IP addresses by setting it to only allow the IP addresses of verified Site Servers on their networks, according to PaperCut.
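The two network-level measures above, blocking the management ports for everyone except the hosts that need them, translate directly into host-firewall rules on a Windows PaperCut server. The PowerShell below is an added example and not a script published by PaperCut; it assumes the default ports 9191 and 9192, and the addresses in $AllowedSources are placeholders (RFC 5737 documentation range, plus the LocalSubnet keyword so that on-site administrators keep access) that must be replaced with your verified Site Server and administrator addresses. It uses only the standard NetSecurity cmdlets and must run in an elevated session on the server.

```powershell
# Added example (not PaperCut's own guidance script). Assumes default ports;
# the allowed addresses are CONSTRUCTED placeholders to replace.
$AllowedSources = @('LocalSubnet', '192.0.2.10', '192.0.2.11')
$Ports          = @('9191', '9192')

function Protect-PaperCutManagementPorts {
    param(
        [string[]]$Allowed,
        [string[]]$ManagementPorts
    )

    # A scoped allow rule only helps if everything else is blocked by default.
    Set-NetFirewallProfile -All -DefaultInboundAction Block

    # Disable any enabled inbound allow rule that already opens these ports
    # (for example one created at install time), so it cannot widen access.
    # Note: a rule expressed as a port range such as "9000-9999" is not
    # matched by this exact comparison and must be reviewed by hand.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $rulePorts = @(($_ | Get-NetFirewallPortFilter).LocalPort)
            @($rulePorts | Where-Object { $_ -in $ManagementPorts }).Count -gt 0
        } |
        Disable-NetFirewallRule

    # Allow the management ports only from the verified sources.
    New-NetFirewallRule -DisplayName 'PaperCut management ports - allowed sources only' `
        -Direction Inbound -Protocol TCP -LocalPort $ManagementPorts `
        -RemoteAddress $Allowed -Action Allow -Profile Any | Out-Null

    # Return the enabled inbound rules that still touch these ports so the
    # result can be audited (expect only the rule created above).
    Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object {
            $rulePorts = @(($_ | Get-NetFirewallPortFilter).LocalPort)
            @($rulePorts | Where-Object { $_ -in $ManagementPorts }).Count -gt 0
        } |
        Select-Object DisplayName, Action,
            @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } }
}

Protect-PaperCutManagementPorts -Allowed $AllowedSources -ManagementPorts $Ports
```

This host firewall is in addition to, not instead of, the perimeter firewall rule the article describes and the “Allowed site server IP addresses” setting inside PaperCut; the host rule stops lateral access from a compromised internal machine outside the local subnet, while the perimeter rule removes the server from the roughly 1,700 Internet-exposed instances Shodan shows.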
Related news
Cybersecurity researchers have discovered a new high-severity security flaw in PaperCut print management software for Windows that could result in remote code execution under specific circumstances. Tracked as CVE-2023-39143 (CVSS score: 8.4), the flaw impacts PaperCut NG/MF prior to version 22.1.3. It has been described as a combination of a path traversal and file upload vulnerability.
This Metasploit module leverages an authentication bypass in PaperCut NG. If necessary it updates PaperCut configuration options, specifically the print-and-device.script.enabled and print.script.sandboxed options, to allow for arbitrary code execution running in the built-in RhinoJS engine. This module logs at most 2 events in the application log of PaperCut. Each event is tied to modification of server settings.
The threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems. "While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec said in a
U.S. cybersecurity and intelligence agencies have warned of attacks carried out by a threat actor known as the Bl00dy Ransomware Gang that attempt to exploit vulnerable PaperCut servers against the education facilities sector in the country. The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in a
A ransomware attack on the city of Dallas, Texas is still disrupting many social services as of Wednesday, including hampering police communications and operations and potentially putting personal information at risk.
Microsoft reports two Iranian hacking groups exploiting PaperCut flaw (HackRead.com, by Deeba Ahmed): The two groups exploiting the vulnerability are Mango Sandstorm and Mint Sandstorm. Both are linked to the Iranian government and intelligence agencies.
Iranian nation-state groups have now joined financially motivated actors in actively exploiting a critical flaw in PaperCut print management software, Microsoft said. The tech giant's threat intelligence team said it observed both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to achieve initial access. "This activity shows Mint
Ransomware review: May 2023 (Malwarebytes Labs): LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space.
Cybersecurity researchers have found a way to exploit a recently disclosed critical flaw in PaperCut servers in a manner that bypasses all current detections. Tracked as CVE-2023-27350 (CVSS score: 9.8), the issue affects PaperCut MF and NG installations that could be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges. While the flaw was patched by the
AI-generated spam comments on Amazon, the latest on the 3CX supply chain attack and more security headlines from the past week.
Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil
PaperCut NG/MF version 22.0.4 suffers from an authentication bypass vulnerability.
Update your PaperCut application servers now: Exploits in the wild (Malwarebytes Labs): We take a look at urgent updates needed for users of PaperCut, after two exploits were found in the wild.
Print management software provider PaperCut said that it has "evidence to suggest that unpatched servers are being exploited in the wild," citing two vulnerability reports from cybersecurity company Trend Micro. "PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The three vulnerabilities are as follows - CVE-2023-28432 (CVSS score - 7.5) - MinIO Information Disclosure Vulnerability CVE-2023-27350 (CVSS score - 9.8) - PaperCut MF/NG Improper Access Control
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.