PaperCut recently patched a critical security bug in its NG/MF print management software that allowed unauthenticated attackers to achieve remote code execution (RCE) on unpatched Windows servers.
The vulnerability is tracked as CVE-2023-39143. The newly disclosed flaw results from chaining two path traversal bugs that let attackers read, upload, or delete arbitrary files on vulnerable systems in low-complexity attacks that require no user interaction.
However, the researchers who analysed the bug this week said it affects only servers running on Windows where the external device integration setting is enabled, and that setting is not enabled in every PaperCut configuration.
The researchers added that the setting is on by default in specific PaperCut editions, such as the PaperCut NG Commercial version and PaperCut MF.
Unfortunately, sample data the researchers collected from real-world environments showed that most installations are running on Windows with the external device integration setting enabled, so attackers could exploit those servers for RCE.
The flaw can be identified with a simple HTTP check.
The researchers published a command that admins can run to test whether a PaperCut server is running on Windows and is susceptible to CVE-2023-39143: if the server returns an HTTP 200 response to the probe, it is vulnerable and needs updating.
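As an added example (not PaperCut's or the researchers' own tooling), the following Python script turns that single-server check into a batch scan: it sends the probe to each host, reports a 200 as vulnerable, any other status as not vulnerable, and connection failures as unreachable, so one unreachable server does not abort the run. The probe path itself is not reproduced here; `PROBE_PATH` is a placeholder to be filled in from the researchers' advisory, and port 9192 is an assumed PaperCut HTTPS default. The `fake_fetcher` helper is a dry-run stand-in, answering from a constructed table, so the logic can be exercised offline.

```python
# Added example: batch version of the researchers' HTTP check for CVE-2023-39143.
# Not PaperCut's or the researchers' code. The probe path is a placeholder you
# must fill in from the advisory; port 9192 is an assumed PaperCut HTTPS default.
import ssl
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List

PAPERCUT_HTTPS_PORT = 9192                               # assumed default web port
PROBE_PATH = "/REPLACE-WITH-PROBE-PATH-FROM-ADVISORY"    # placeholder, not the real probe


def http_status(url: str, timeout: float = 5.0) -> int:
    """GET `url` and return the HTTP status code.

    Certificate checks are disabled because PaperCut installs commonly use
    self-signed certificates; the check only needs the status code.
    Non-2xx responses are returned as codes rather than raised.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"User-Agent": "papercut-39143-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status: int) -> str:
    """Apply the researchers' rule: a 200 means the probe was served, i.e. a
    Windows server with external device integration on that needs updating."""
    return "vulnerable" if status == 200 else "not-vulnerable"


def scan(hosts: Iterable[str], probe_path: str = PROBE_PATH,
         fetch: Callable[[str], int] = http_status) -> List[Dict[str, object]]:
    """Probe each host once and return one verdict record per host.

    `fetch` is injectable so the logic can be exercised without a network
    (see fake_fetcher). Connection errors become an 'unreachable' verdict
    instead of aborting the whole scan.
    """
    results: List[Dict[str, object]] = []
    for host in hosts:
        url = f"https://{host}:{PAPERCUT_HTTPS_PORT}{probe_path}"
        record: Dict[str, object] = {"host": host, "status": None,
                                     "verdict": "unreachable", "error": None}
        try:
            status = fetch(url)
        except OSError as exc:   # URLError, timeouts and refused connections
            record["error"] = str(exc)
        else:
            record["status"] = status
            record["verdict"] = classify(status)
        results.append(record)
    return results


def fake_fetcher(status_by_host: Dict[str, int]) -> Callable[[str], int]:
    """Dry-run stand-in for http_status: answers from a constructed table keyed
    by host and raises OSError for hosts missing from the table."""
    def fetch(url: str) -> int:
        host = url.split("://", 1)[1].split(":", 1)[0]
        if host not in status_by_host:
            raise OSError(f"connection refused: {host}")
        return status_by_host[host]
    return fetch


def summarize(results: List[Dict[str, object]]) -> Dict[str, int]:
    """Count verdicts so the number of vulnerable hosts is visible at a glance."""
    counts = {"vulnerable": 0, "not-vulnerable": 0, "unreachable": 0}
    for r in results:
        counts[str(r["verdict"])] += 1
    return counts


if __name__ == "__main__":
    # Usage: python check_papercut.py host1 host2 ...   (real network probe)
    for r in scan(sys.argv[1:]):
        print(f"{r['host']}: {r['verdict']} (status={r['status']}, error={r['error']})")
```

Only a 200 is treated as a positive result; a 404, 403 or 500 says the probe was not served, which on the researchers' rule means the server is either not on Windows or does not have the setting enabled, but it says nothing about whether the server is patched, so an inventory check against the fixed version is still worthwhile.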
Admins who cannot install the update immediately can instead restrict access to the server by adding only the IP addresses that need to reach it to an allowlist, following the vendor's instructions.
Separate research found approximately 1,800 PaperCut servers exposed online, although not all of them are exploitable via CVE-2023-39143.
Several ransomware groups targeted PaperCut servers earlier this year by leveraging another critical unauthenticated RCE vulnerability, CVE-2023-27350, and a high-severity information disclosure vulnerability, CVE-2023-27351.
PaperCut disclosed in April that both flaws were being actively exploited by multiple attackers and urged security teams and administrators to upgrade their servers immediately.
The researchers who discovered the new vulnerability have also released a proof-of-concept RCE exploit, so the published details could let attackers quickly build new campaigns abusing CVE-2023-39143.
