
Warning: RCE vulnerability in PaperCut print software, Patch Immediately!

Reference:
Advisory #2023-93
Version:
1.0
Affected software:
PaperCut NG versions before 22.1.3.
PaperCut MF versions before 22.1.3.
Type:
Remote Command Execution (RCE)
CVE/CVSS:
CVE-2023-39143: N/A

Sources

https://www.papercut.com/kb/Main/securitybulletinjuly2023/

Risks

PaperCut has released security updates for a critical remote code execution (RCE) vulnerability, CVE-2023-39143, affecting PaperCut MF and NG.

PaperCut MF is a printing management and control tool and PaperCut NG offers printing, copying, scanning, and specialty printing capabilities.

CVE-2023-39143 affects PaperCut servers running on Windows. The issue resides in the file upload feature, which could lead to remote code execution. Exploitation is possible when the external device integration setting is enabled. This setting is on by default in certain PaperCut installations, such as the PaperCut NG Commercial version or PaperCut MF.

Vulnerable systems could allow a remote unauthenticated attacker to execute code with SYSTEM privileges.

CVE-2023-39143 has a high impact on confidentiality, integrity and availability.

Vigilance is required: a proof of concept (PoC) is publicly available, and exploitation in the near future is highly likely.

Cl0P and LockBit exploited a similar RCE vulnerability in PaperCut (CVE-2023-27350) in the past as an infection vector for ransomware campaigns.

The Centre for Cyber Security Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity. If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.

Description

Print management software PaperCut NG/MF (before version 22.1.3) is vulnerable to path traversal allowing attackers to read, delete, and upload files. This could lead to remote code execution.

Like CVE-2023-27350, CVE-2023-39143 requires neither privileges nor user interaction.

CVE-2023-39143 does require chaining with other vulnerabilities; it is not an all-in-one solution for a ransomware actor (CVE-2023-27350 was a one-shot vulnerability).

Recommended actions

The Centre for Cyber Security Belgium strongly recommends that system administrators take the following actions:

Update
Patch systems to version 22.1.3 or later

Scope
Check whether you are vulnerable with the following command, which verifies whether the server is patched.

curl -w "%{http_code}" -k --path-as-is "https://<IP>:<port>/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png"

A 200 response code indicates that the server is not patched and is vulnerable.
A 404 response code means the server is patched and not vulnerable.
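To support the log review recommended in the Risks section, the following Python snippet (an added example, not part of the CCB advisory or PaperCut's own tooling) flags web requests whose path contains the backslash traversal pattern used by the check above, including percent-encoded and double-encoded variants. The Common Log Format layout and the sample lines are constructed assumptions; the PaperCut application server's own log format may differ.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Common Log Format (an assumption; the
# PaperCut application server's own log layout may differ). The second and
# third requests are the advisory's check path, raw and percent-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Aug/2023:10:12:01 +0200] "GET /app?service=page/Home HTTP/1.1" 200 5120
10.0.0.9 - - [07/Aug/2023:10:13:44 +0200] "GET /custom-report-example/..\\..\\..\\deployment\\sharp\\icons\\home-app.png HTTP/1.1" 200 2048
10.0.0.9 - - [07/Aug/2023:10:13:45 +0200] "GET /custom-report-example/..%5C..%5C..%5Cdeployment%5Csharp%5Cicons%5Chome-app.png HTTP/1.1" 404 0
10.0.0.7 - - [07/Aug/2023:10:14:02 +0200] "GET /images/logo.png HTTP/1.1" 200 911
"""

# client ip, timestamp, method, request path and status code from a CLF line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def normalize_path(path: str) -> str:
    """Percent-decode twice (to catch double encoding) and fold backslashes
    into forward slashes so Windows-style traversal shows up as '..' segments."""
    decoded = unquote(unquote(path))
    return decoded.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True if any path segment (query string ignored) is exactly '..'."""
    segments = normalize_path(path).split("?", 1)[0].split("/")
    return ".." in segments


def scan_log(text: str):
    """Return (ip, raw_path, status) for every request that looks like traversal.
    A 200 on such a request deserves attention; a 404 still shows probing."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```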

References

https://thehackernews.com/2023/08/researchers-uncover-new-high-severity.html
https://cert.be/en/warning-ransomware-actors-are-actively-exploiting-critical-remote-code-execution-vulnerability
https://gbhackers.com/papercut-flaw-windows-servers