Another zero-day vulnerability has been identified in PaperCut MF/NG print management software. The vulnerability is tracked as CVE-2023-39143 and has been rated critical with a CVSS v3.1 base score of 9.8/10. Successful exploitation of the flaw would allow an unauthenticated attacker to read/write arbitrary files, and depending on the configuration, achieve remote code execution. Most configurations have this setting enabled and are therefore vulnerable.
The vulnerability affects PaperCut servers running on Windows. Remote code execution is possible when the external device integration setting is enabled. This setting is enabled by default in some versions, such as PaperCut NG Commercial and PaperCut MF, and while not al versions have this setting enabled by default, this setting is commonly enabled, according to researchers at Horizon3, which discovered the vulnerability. Details of the vulnerability have been withheld to provide users time to apply the recommended mitigations or upgrade to a patched version of the solution.
The vulnerability affects virtually all PaperCut versions and has been addressed, along with two other vulnerabilities – CVE-2023-39143 and CVE-2022-21724 – in the latest releases of PaperCut. The latest version also includes several security improvements. No evidence has been found of any instances of exploitation in the wild, but the vulnerability will certainly be of interest to advanced persistent threat groups and ransomware actors, who extensively exploited a critical PaperCut vulnerability (CVE-2023-27350) that was disclosed earlier this year. The latest vulnerability can similarly be exploited by an unauthenticated remote attacker to achieve code execution; however, exploitation of the flaw is more complex as multiple vulnerabilities need to be chained to exploit the flaw, although the attack is still considered to be low complexity.
Due to the high risk of exploitation, immediate patching is strongly recommended. The Horizon3 researchers have released a command that can be run to check if a server (running on Windows) is vulnerable to the latest flaw. If a 200 response is received, the server is vulnerable and PaperCut needs to be updated.
curl -w “%{http_code}” -k –path-as-is “https://<IP>:<port>/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png”