Researchers Uncover New High-Severity Vulnerability in PaperCut Software

Cyber Security Threat Summary:
Horizon3 researchers recently disclosed a new high-severity vulnerability in PaperCut print management software for Windows that could result in remote code execution in certain configurations. Tracked as CVE-2023-39143, the flaw impacts PaperCut NG/MF prior to version 22.1.3. A successful exploit of CVE-2023-39143 could allow unauthenticated attackers to read, delete, and upload arbitrary files to the PaperCut MF/NG application server. According to Horizon3, “file upload leading to remote code execution is possible when the external device integration setting is enabled. This setting is on by default with certain installations of PaperCut, such as the PaperCut NG Commercial version or PaperCut MF.”

“Based on sample data we have collected at Horizon3 from real-world environments, we estimate that the vast majority of PaperCut installations are running on Windows with the external device integration setting turned on,” stated researchers in a recent blog post.

Security Officer Comments:
CVE-2023-39143 can be exploited in low-complexity attacks as it does not require user interaction.

Based on a Shodan scan, there are approximately 1800 PaperCut servers currently exposed online. Although no details regarding active exploitation were disclosed, this leaves ample opportunity for threat actors to target instances vulnerable to CVE-2023-39143.

In the past, PaperCut servers have been targeted in attacks, with threat actors exploiting another RCE vulnerability (CVE-2023-27350) and an information disclosure flaw (CVE-2023-27351) in PaperCut’s print management software to deliver Cobalt Strike and ransomware payloads. Iranian state-backed actors were also observed exploiting these flaws to obtain initial access to target networks.

Suggested Correction(s):
CVE-2023-39143 was addressed with the release of PaperCut NG and PaperCut MF 22.1.3. To determine whether a server is vulnerable, the following check command has been released:

curl -w "%{http_code}" -k --path-as-is "https://:/custom-report-example/..\\..\\..\\deployment\\sharp\\icons\\home-app.png"
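As an added example (not from this advisory, Horizon3, or PaperCut), the following Python snippet flags requests of the shape the check command above uses, i.e. path traversal sequences under /custom-report-example/, in web server access logs. The log lines are constructed for illustration, and the common log format is an assumption about how a front end or reverse proxy in front of PaperCut records requests.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real PaperCut logs.
# Lines 1-2 mimic the published check (raw and percent-encoded backslashes),
# lines 3-4 are ordinary traffic that must not be flagged.
SAMPLE_LOG = r"""
10.0.0.5 - - [01/Aug/2023:10:00:00 +0000] "GET /custom-report-example/..\..\..\deployment\sharp\icons\home-app.png HTTP/1.1" 200 1234
10.0.0.6 - - [01/Aug/2023:10:00:01 +0000] "GET /custom-report-example/..%5c..%5c..%5cdeployment%5csharp%5cicons%5chome-app.png HTTP/1.1" 200 1234
10.0.0.7 - - [01/Aug/2023:10:00:02 +0000] "GET /custom-report-example/report.html HTTP/1.1" 200 5678
10.0.0.8 - - [01/Aug/2023:10:00:03 +0000] "GET /app?service=page/Home HTTP/1.1" 200 9999
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')
TARGET_PREFIX = "/custom-report-example/"

def normalize_path(raw_path):
    """Decode percent-encoding twice (catches %255c-style double encoding) and
    treat backslashes as separators, which is what a Windows host does."""
    decoded = unquote(unquote(raw_path.split("?", 1)[0]))
    return decoded.replace("\\", "/")

def is_traversal_probe(raw_path):
    """True when the request targets the report endpoint with a '..' segment."""
    norm = normalize_path(raw_path)
    if not norm.lower().startswith(TARGET_PREFIX):
        return False
    return "/../" in norm or norm.endswith("/..")

def scan_log(text):
    """Return (client_ip, raw_path, status) for every matching request.
    A 200 status means the server actually served the traversed path."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal_probe(m.group("path")):
            hits.append((line.split()[0], m.group("path"), int(m.group("status"))))
    return hits

if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f"{ip} traversal under {TARGET_PREFIX} -> HTTP {status}: {path}")
```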

Admins unable to immediately apply the updates can limit access to the application server by creating an access allow list as instructed below: