Monday, June 24, 2024

PoC Exploit Code Released for Critical Papercut Flaw

Threat actors are actively taking advantage of critical vulnerabilities present in the PaperCut MF/NG print management software. 

This exploitation aims to plant Atera remote management software onto the targeted servers to gain control over them. From more than 70,000 companies globally, it has over 100 million active users. 

The vulnerabilities affecting the PaperCut MF/NG print management software are tracked as follows:-

Remote threat actors can exploit these vulnerabilities to gain unauthorized access and execute arbitrary code on PaperCut servers that have been compromised.

These flaws can be exploited without user interaction and are relatively easy to carry out, granting the attacker SYSTEM privileges. Recently, in the Shodan search engine, it has been observed that around 1700 PaperCut servers were exposed to the internet.

PoC Exploit Code

PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9, and later releases, have addressed both vulnerabilities. 

That’s why security experts strongly advise users to upgrade to any of these patched versions to mitigate the risks associated with these flaws.

Horizon3 has recently released technical information, and a proof-of-concept (PoC) exploit for CVE-2023-27350

Attackers can leverage this exploit to bypass authentication and execute arbitrary code on PaperCut servers that have not been patched.

By misusing the ‘Scripting’ feature for printers, the RCE exploit enables cybercriminals to achieve remote code execution.

Although Huntress has developed a PoC exploit to illustrate the danger associated with the ongoing attacks, they have not made it publicly available.

Currently, unpatched PaperCut servers are under attack, and the exploit code developed by Horizon3 is expected to be adopted by other threat actors for launching similar attacks in the future.

The CVE-2023-27350 vulnerability has been included in the list of actively exploited vulnerabilities by CISA.

Not only that, but even CISA has directed all federal agencies to secure their systems within the next three weeks, by May 12, 2023, to prevent further exploitation.

To prevent remote exploitation of the PaperCut servers, Huntress urged administrators to immediately implement the necessary security measures that cannot currently patch their PaperCut servers. 

During the analysis, experts at Horizon3 identified a JAR that contains the SetupCompleted class in:-

  • C:\Program Files\PaperCut NG\server\lib\pcng-server-web-19.2.7.jar

In the SetupCompleted flow, the session of the anonymous user is unintentionally authenticated due to an error in the code. 

While this function is triggered only after a user’s password is validated via a login process. In web applications, this type of vulnerability is dubbed:-

  • Session Puzzling

Huntress revealed that among the Windows machines with PaperCut installed in the customer environments they safeguard, approximately 1,000 were identified. 

As per their observation, nearly 900 of those machines were still unpatched, and only one had been patched among the three macOS machines they monitored.

Organizations using PaperCut must ensure they have installed either PaperCut MF or NG versions 20.1.7, 21.2.11, or 22.0.9 to prevent exploitation.

Building Your Malware Defense Strategy – Download Free E-Book

Related Read:

Website

Latest articles

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying...

Consulting Companies to Pay $11 Million Failing Cybersecurity Requirements

Two consulting companies, Guidehouse Inc. and Nan McKay and Associates, have agreed to pay...

New RAT Malware SneakyChef & SugarGhost Attack Windows Systems

Talos Intelligence has uncovered a sophisticated cyber campaign attributed to the threat actor SneakyChef....

Chinese Winnti Group Intensifies Financially Motivated Attacks

Hackers are increasingly executing financially motivated attacks and all due to the lucrative potential...

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from Promokit.eu for...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles