A critical severity flaw in the PaperCut NG and PaperCut MF print management applications can allow unauthenticated attackers to perform remote code execution (RCE) on vulnerable Windows servers. Any installation of the affected PaperCut software prior to version 22.1.3 on Windows that is exposed to the internet is vulnerable to exploitation. For the best security, servers should not be exposed to the internet without a web application firewall in place to filter unwanted traffic. Additionally, an IP address allow-list would further restrict who can reach or communicate with your environment. Researchers at Horizon3 discovered this vulnerability at the end of May and immediately reported their findings to PaperCut, who worked with them to test interim mitigation builds before releasing a fix at the end of July, contained in patch version 22.1.3.
The vulnerability, tracked as CVE-2023-39143, is a chained path traversal flaw: two separate path traversal issues must be exploited together in order to compromise a server. These issues have not been assigned separate CVEs; instead the chain has been defined as one vulnerability with the potential for exploitation. Despite the complexity of an exploit, the severity of this vulnerability has been rated as critical, with a CVSS base score of 9.4/10. An attacker with direct access to the server IP can exploit this vulnerability without prior authentication. A successful exploit allows attackers to upload, read, and delete files on the server. When an external device is configured to integrate with the vulnerable server, attackers can use this file modification to perform remote code execution.
To mitigate this flaw, users and server administrators should update to the latest release, version 22.1.3, which contains the necessary patch for this vulnerability. You can check whether the PaperCut server you are running is vulnerable by issuing the following request, which determines whether the server is unpatched and running on Windows:
curl -w "%{http_code}" -k --path-as-is "https://<IP>:<port>/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png"
This check returns HTTP status 200 if the server requires patching, and 404 if the server is already patched or is not running on Windows, in which case it is not vulnerable to this attack.
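The following POSIX shell script is an added example, not part of the original advisory or PaperCut's tooling: it wraps the check above into functions that probe a constructed inventory of your own servers and interpret the status code as the advisory describes. The hostnames and the port 9192 (the usual PaperCut HTTPS port) are assumptions; adjust them for your deployment.

```shell
#!/bin/sh
# Added example: check your own PaperCut servers for CVE-2023-39143 exposure.
# Assumes curl is installed; hosts and ports below are constructed placeholders.

# Probe path from the advisory. It must be sent exactly as written:
# --path-as-is stops curl from collapsing the ".." segments, which would make
# every host look patched (false negative).
PROBE_PATH='/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png'

# Builds the full probe URL for a host and port.
probe_url() {
  printf 'https://%s:%s%s' "$1" "$2" "$PROBE_PATH"
}

# Sends the probe and prints only the HTTP status code; "000" if unreachable.
probe_status() {
  code=$(curl -s -o /dev/null -w '%{http_code}' -k --path-as-is --max-time 10 \
    "$(probe_url "$1" "$2")" 2>/dev/null) || true
  printf '%s' "${code:-000}"
}

# Maps the status code to the verdict given in the advisory.
classify() {
  case "$1" in
    200) printf 'VULNERABLE: unpatched PaperCut on Windows, update to 22.1.3' ;;
    404) printf 'patched, or not running on Windows' ;;
    000) printf 'unreachable' ;;
    *)   printf 'unexpected status %s, investigate manually' "$1" ;;
  esac
}

# Constructed inventory: one "host port" pair per line (assumed port 9192).
INVENTORY='papercut-01.example.internal 9192
papercut-02.example.internal 9192'

# Probes every inventory entry and prints one verdict per server.
scan() {
  printf '%s\n' "$INVENTORY" | while read -r h p; do
    [ -n "$h" ] || continue
    printf '%s:%s -> %s\n' "$h" "$p" "$(classify "$(probe_status "$h" "$p")")"
  done
}

# Run the scan only when invoked as: ./papercut_check.sh --scan
if [ "${1:-}" = "--scan" ]; then scan; fi
```

Run it from a host that has network access to the print servers; a 200 verdict means the server should be patched and, in the meantime, placed behind a WAF or IP allow-list as recommended above.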
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)