THE THREAT
Two high/critical severity security issues have been discovered in PaperCut MF/NG. There is evidence that unpatched servers are being exploited in the wild. The vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9 and later. Upgrading to one of these versions containing the fix is highly recommended.
Vulnerabilities:
- ZDI-CAN-18987 / PO-1216 (CVE-2023–27350): Allows an unauthenticated attacker to get Remote Code Execution (RCE) on a PaperCut Application Server. They are rated with a CVSS score of 9.8.
- ZDI-CAN-19226 / PO-1219 (CVE-2023–27351): Allows an unauthenticated attacker to potentially pull user information, including usernames, full names, email addresses, office/department info, and any proximity card numbers assigned to the user. They are rated with a CVSS score of 8.2.
Organizations should upgrade all Application Servers and Site Servers, with public-facing servers, being the top priority. For more information on how to upgrade and recover from a compromise, refer to the original PaperCut bulletin.
If you cannot upgrade to a security patch, lock down network access to the server(s) by blocking all inbound traffic from external IPs to the web management port (ports 9191 and 9192 by default) and applying other security measures detailed in the bulletin.
What we’re doing about it
- New detections have been deployed for eSentire MDR for Network
- The eSentire Threat Intelligence team has performed threat hunts across the client base for known related Indicators of Compromise
- Known malicious IP addresses have been added to the eSentire Global Deny list
- eSentire Managed Vulnerability Service (MVS) will add plugins for these vulnerabilities as they become available
- eSentire security teams continue to track this vulnerability for additional details and detection opportunities
What you should do about it
- After performing a business impact review, apply the relevant security patches provided by PaperCut
- If patching is not immediately possible, blocking all inbound traffic from external IPs to the web management port (ports 9191 and 9192 by default)
Additional information
On January 10th, 2023, Trend Micro reported a security vulnerability to PaperCut. In response, PaperCut released fixes for their MF and NG versions on March 8th, 2023, while keeping their partners and customers informed through various communication channels. Importantly, they confirmed that these vulnerabilities did not impact Multiverse and Print Logger. Trend Micro shared further technical details on their website on March 14th, 2023.
In early April, PaperCut provided updates about unpatched servers being exploited, and published a blog post on the security issue. PaperCut revised their FAQ section to include alternative options for those unable to upgrade to the security patch. They also added more FAQs to explain their proactive support for customers and shared details about exploit detection. Organizations that have yet to patch should assume a breach. Patches have been available since early March 2023, and impacted organizations must apply these patches promptly to mitigate the risk of further attacks.
On April 19th, Horizon3 released a working Proof of Concept (POC) on GitHub, reducing the attack complexity severely. Horizon3 proofs-of-concept have a history of stability, reliability, and reducing the complexity of attacks. Additionally, printer services like PaperCut should be within a trusted perimeter; however, organizations should review their attack surface for misconfigurations and business expectations exposing printers to the Internet. Regular review and audit of network configurations help identify potential vulnerabilities and ensure a more secure environment.
The eSentire Threat Intelligence is actively tracking emerging details and incidents and has observed attacks leading to the deployment of cryptocurrency miners in late April.
References:
[1] https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
[2] PaperCut CVE-2023-27350 Deep Dive and Indicators of Compromise
[3]GitHub - horizon3ai/CVE-2023-27350: Proof of Concept Exploit for PaperCut CVE-2023-27350
