Thursday, October 3, 2024
HomeCyber Security NewsNew PaperCut NG/MF Flaw Let Attackers Execute Code on Unpatched Windows Servers

New PaperCut NG/MF Flaw Let Attackers Execute Code on Unpatched Windows Servers

Published on

A Critical vulnerability was discovered in the widely used PaperCut MG/ NF print management software running on Windows prior to version 22.1.3.

As of the July 2023 security bulletin, patches have been released by PaperCut to fix this vulnerability. PaperCut is a widely used print management software that has two different software as, MG and NF.

PaperCut is a printing management and control tool, while NF is a versatile solution that offers printing, copying, scanning, and specialty printing capabilities.

- Advertisement - EHA

CVE-2023-39143: Chained Path Traversal in Authenticated API

On certain configurations, this vulnerability enables an unauthenticated attacker to potentially read, write and upload arbitrary files resulting in remote code execution.

The CVSS Score for this vulnerability is yet to be confirmed.

Configuration Required Exploitation

As reported, servers running on Windows platforms that have the external device integration setting enabled are vulnerable to this remote code execution through file upload.

This setting is enabled by default on certain PaperCut installations such as PaperCut NG Commercial version or PaperCut MF.

Detection

This vulnerability can be detected using the following command, which checks if the server is patched and whether it is running on Windows.

curl -w “%{http_code}” -k –path-as-is “https://<IP>:<port>/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png”

A 200 response to this command indicates that the server is not patched and vulnerable, and a 404 response states that the server is patched and not vulnerable.

Users of these products are recommended to upgrade to the latest version of PaperCut NG/MF, version 22.1.3. As a workaround, users can also configure an allowlist of IP addresses that are permitted to connect with the PaperCut server.

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Cisco Nexus Vulnerability Let Hackers Execute Arbitrary Commands on Vulnerable Systems

A critical vulnerability has been discovered in Cisco's Nexus Dashboard Fabric Controller (NDFC), potentially...

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...

Tor Browser 13.5.6 Released – What’s New!

The Tor Project has announced the release of Tor Browser 13.5.6, which is now...

Mario Duarte, Former Snowflake Cybersecurity Leader, Joins Aembit as CISO to Tackle Non-Human Identities

Aembit, the non-human IAM company, today announced the appointment of Mario Duarte as chief...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Cisco Nexus Vulnerability Let Hackers Execute Arbitrary Commands on Vulnerable Systems

A critical vulnerability has been discovered in Cisco's Nexus Dashboard Fabric Controller (NDFC), potentially...

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...

Tor Browser 13.5.6 Released – What’s New!

The Tor Project has announced the release of Tor Browser 13.5.6, which is now...