Threat actors are actively taking advantage of critical vulnerabilities present in the PaperCut MF/NG print management software.
This exploitation aims to plant Atera remote management software onto the targeted servers to gain control over them. From more than 70,000 companies globally, it has over 100 million active users.
The vulnerabilities affecting the PaperCut MF/NG print management software are tracked as follows:-
Remote threat actors can exploit these vulnerabilities to gain unauthorized access and execute arbitrary code on PaperCut servers that have been compromised.
These flaws can be exploited without user interaction and are relatively easy to carry out, granting the attacker SYSTEM privileges. Recently, in the Shodan search engine, it has been observed that around 1700 PaperCut servers were exposed to the internet.
PoC Exploit Code
PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9, and later releases, have addressed both vulnerabilities.
That’s why security experts strongly advise users to upgrade to any of these patched versions to mitigate the risks associated with these flaws.
Horizon3 has recently released technical information, and a proof-of-concept (PoC) exploit for CVE-2023-27350.
Attackers can leverage this exploit to bypass authentication and execute arbitrary code on PaperCut servers that have not been patched.
By misusing the ‘Scripting’ feature for printers, the RCE exploit enables cybercriminals to achieve remote code execution.
Although Huntress has developed a PoC exploit to illustrate the danger associated with the ongoing attacks, they have not made it publicly available.
Currently, unpatched PaperCut servers are under attack, and the exploit code developed by Horizon3 is expected to be adopted by other threat actors for launching similar attacks in the future.
The CVE-2023-27350 vulnerability has been included in the list of actively exploited vulnerabilities by CISA.
Not only that, but even CISA has directed all federal agencies to secure their systems within the next three weeks, by May 12, 2023, to prevent further exploitation.
To prevent remote exploitation of the PaperCut servers, Huntress urged administrators to immediately implement the necessary security measures that cannot currently patch their PaperCut servers.
During the analysis, experts at Horizon3 identified a JAR that contains the SetupCompleted class in:-
- C:\Program Files\PaperCut NG\server\lib\pcng-server-web-19.2.7.jar
In the SetupCompleted flow, the session of the anonymous user is unintentionally authenticated due to an error in the code.
While this function is triggered only after a user’s password is validated via a login process. In web applications, this type of vulnerability is dubbed:-
- Session Puzzling
Huntress revealed that among the Windows machines with PaperCut installed in the customer environments they safeguard, approximately 1,000 were identified.
As per their observation, nearly 900 of those machines were still unpatched, and only one had been patched among the three macOS machines they monitored.
Organizations using PaperCut must ensure they have installed either PaperCut MF or NG versions 20.1.7, 21.2.11, or 22.0.9 to prevent exploitation.
Building Your Malware Defense Strategy – Download Free E-Book
Related Read:
