PaperCut recently fixed a critical security vulnerability in its NG/MF print management software that allows unauthenticated attackers to gain remote code execution on unpatched Windows servers.
Tracked as CVE-2023-39143, the flaw results from a chain of two path traversal weaknesses discovered by Horizon3 security researchers that enable threat actors to read, delete, and upload arbitrary files on compromised systems following low-complexity attacks that don’t require user interaction.
While it only impacts servers in non-default configurations where the external device integration setting is toggled, Horizon3 said in a report published on Friday that most Windows PaperCut servers have it enabled.
“This setting is on by default with certain installations of PaperCut, such as the PaperCut NG Commercial version or PaperCut MF,” Horizon3 said.
“Based on sample data we have collected at Horizon3 from real-world environments, we estimate that the vast majority of PaperCut installations are running on Windows with the external device integration setting turned on.”
You can use the following command to check if a server is vulnerable to CVE-2023-39143 attacks and is running on Windows (a 200 response indicates the server needs patching):
curl -w "%{http_code}" -k --path-as-is "https://<IP>:<port>/custom-report-example/......deploymentsharpiconshome-app.png"Admins who cannot immediately install security updates (as Horizon3 advises) can add only the IP addresses that need access to an allowlist using these instructions.
A Shodan search shows that roughly 1,800 PaperCut servers are currently exposed online, although not all are vulnerable to CVE-2023-39143 attacks.
Targeted by ransomware gangs, state hackers
PaperCut servers were targeted by several ransomware gangs earlier this year by exploiting another critical unauthenticated RCE vulnerability (CVE-2023–27350) and a high-severity information disclosure flaw (CVE-2023–27351).
The company disclosed on April 19th that these vulnerabilities were being actively exploited in attacks, urging admins and security teams to upgrade their servers urgently.
A few days after the initial disclosure, Horizon3 security researchers released an RCE Proof-of-Concept (PoC) exploit, opening the door for additional threat actors to target vulnerable servers.
Microsoft linked the attacks targeting PaperCut servers to the Clop and LockBit ransomware gangs, who used the access to steal corporate data from compromised systems.
In these data theft attacks, the ransomware operation took advantage of the ‘Print Archiving‘ feature that saves all documents sent through the PaperCut printing servers.
Almost two weeks after, Microsoft revealed that Iranian state-backed hacking groups tracked as Muddywater und APT35 also joined the ongoing assault.
CISA added the CVE-2023–27350 RCE bug to its list of actively exploited vulnerabilities on April 21st, ordering all U.S. federal agencies to secure their servers by May 12th, 2023.
