PaperCut has recently fixed a critical security vulnerability, CVE-2023-39143, in its NG/MF print management software. This flaw could enable unauthenticated attackers to execute remote code on unpatched Windows servers. The issue arises from two path traversal weaknesses that allow threat actors to read, delete, and upload arbitrary files on compromised systems. These low-complexity attacks do not require user interaction.
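The bug class named above, path traversal leading to arbitrary file read, delete and upload, comes down to joining a client-supplied path onto a server directory without checking that the result stays inside it. The following is an added, generic illustration written for this page; it is not PaperCut's code and does not reproduce the CVE-2023-39143 endpoints or paths, which the article does not give. The base directory, file names and request strings are constructed, and the function names are hypothetical.

```python
"""
Path traversal, vulnerable versus hardened resolution (constructed example,
not PaperCut code). Shows why the containment check must run on the
canonicalised, percent-decoded path rather than on the raw request string.
"""
import os
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def unsafe_resolve(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: the client-supplied path is joined onto base_dir
    with no check that the result stays inside it. '../' sequences walk out
    of the directory, and an absolute user_path makes os.path.join discard
    base_dir entirely."""
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened pattern: canonicalise both paths (collapsing '..' and
    following symlinks) and require the target to sit under base_dir.
    Returns the resolved path, or None when the request escapes base_dir."""
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return str(target)


def safe_resolve_request(base_dir: str, raw_request_path: str) -> Optional[str]:
    """Percent-decode before the containment check. A filter that only looks
    at the encoded string misses '..%2F..%2F' style traversal."""
    return safe_resolve(base_dir, unquote(raw_request_path))


def escapes_base(base_dir: str, user_path: str) -> bool:
    """True when the vulnerable join would land outside base_dir. Useful for
    reviewing existing file-handling code paths for this defect."""
    base = Path(base_dir).resolve()
    target = Path(unsafe_resolve(base_dir, user_path)).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal file name, a relative traversal, an
    # absolute path, and a percent-encoded traversal.
    base = "/srv/app/uploads"
    for req in ("report.pdf", "../../../etc/passwd", "/etc/passwd",
                "..%2F..%2F..%2Fetc%2Fpasswd"):
        print(f"{req!r:32} vulnerable-> {unsafe_resolve(base, unquote(req))!r:40} "
              f"hardened-> {safe_resolve_request(base, req)!r}")
```

The hardened form rejects the request outright instead of trying to strip `..` from it; sanitising by string replacement is easy to bypass with encoding or repeated sequences, whereas checking the resolved path against the resolved base directory is a single containment test that covers relative, absolute and encoded variants alike.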
This vulnerability only affects servers in non-default configurations where the external device integration setting is enabled. According to a report by Horizon3, most Windows PaperCut servers have this setting enabled. 'This setting is on by default with certain installations of PaperCut, such as the PaperCut NG Commercial version or PaperCut MF,' Horizon3 stated. They further estimated that the majority of PaperCut installations are running on Windows with the external device integration setting turned on.
A command can be used to check if a server is vulnerable to CVE-2023-39143 attacks and is running on Windows. If the server returns a 200 response, it requires patching. For those who cannot immediately install security updates, Horizon3 advises adding only the necessary IP addresses to an allowlist.
A Shodan search reveals that approximately 1,800 PaperCut servers are currently exposed online, although not all are vulnerable to CVE-2023-39143 attacks. Earlier this year, PaperCut servers were targeted by several ransomware gangs exploiting another critical unauthenticated RCE vulnerability, CVE-2023-27350, and a high-severity information disclosure flaw, CVE-2023-27351. PaperCut disclosed on April 19th that these vulnerabilities were being actively exploited, urging admins and security teams to upgrade their servers immediately.
Shortly after the initial disclosure, Horizon3 security researchers released an RCE Proof-of-Concept (PoC) exploit, paving the way for more threat actors to target vulnerable servers. Microsoft linked the attacks on PaperCut servers to the Clop and LockBit ransomware gangs, who used the access to steal corporate data from compromised systems. In these data theft attacks, the ransomware operation exploited the 'Print Archiving' feature that saves all documents sent through the PaperCut printing servers.
Around two weeks later, Microsoft revealed that Iranian state-backed hacking groups known as Muddywater and APT35 had also joined the ongoing attack. On April 21st, CISA added the CVE-2023-27350 RCE bug to its list of actively exploited vulnerabilities, ordering all U.S. federal agencies to secure their servers by May 12th, 2023.