PaperCut Critical Vulnerability exposing Path Traversal/File Upload RCE
Take action: It's time to patch your PaperCut server again. If it is exposed to the internet and running a default installation on Windows, it is vulnerable. Don't become one of the victims of corporate inertia and slow response, like the hundreds of Citrix and Fortigate servers currently being exploited because nobody bothered to patch them. Lock down your server to trusted networks, and patch it.
PaperCut has disclosed a critical vulnerability tracked as CVE-2023-39143, in the widely used PaperCut NG/MF print management software. This vulnerability poses cyber security threats to organizations running PaperCut NG/MF on Windows systems. Users with internet-exposed installations must take immediate action to safeguard their networks and data from potential data breaches and remote code execution attacks.
If exploited, CVE-2023-39143 enables unauthenticated attackers to gain unauthorized access, potentially reading, deleting, and uploading arbitrary files on the PaperCut MF/NG application server. This attack vector may lead to remote code execution in certain system configurations.
The cyber security threats surrounding CVE-2023-39143 apply to PaperCut versions earlier than 22.1.3 on servers running Windows and accessible over the internet. Remote code execution through file uploads becomes possible when the external device integration setting is enabled, which is the default for certain PaperCut installations, such as the PaperCut NG Commercial version or PaperCut MF.
Based on data collected from real-world environments by security researchers, it is estimated that the majority of PaperCut installations are running on Windows with the external device integration setting enabled.
You can check whether your PaperCut installation is vulnerable by running a simple curl command:
curl -w "%{http_code}" -k --path-as-is "https://<IP>:<port>/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png"
A 200 response indicates that the server has not been patched and is running on Windows, while a 404 response indicates that the server has either been patched or is not running on Windows.
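As an added example (not from the original advisory or from PaperCut), the following POSIX shell script wraps the curl check above so it can be run across an inventory of your own PaperCut servers. It assumes a file of "host:port" lines passed as the first argument; the "inconclusive" verdict for codes other than 200/404 is this script's own labelling, not something the advisory states.

```shell
#!/bin/sh
# Fleet check for CVE-2023-39143 exposure, built around the advisory's curl probe.
# Assumed input: a file with one "host:port" per line (e.g. hosts.txt).

# The probe path must reach the server verbatim. --path-as-is stops curl from
# collapsing the "..\..\.." segments before the request is sent; without it the
# check silently turns into a request for a different, normalised path.
PROBE_PATH='/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png'

probe_status() {  # $1 = host:port -> HTTP status code; curl prints 000 if unreachable
    curl -s -o /dev/null -w '%{http_code}' -k --path-as-is \
         --connect-timeout 5 --max-time 15 \
         "https://$1$PROBE_PATH" || true
}

classify() {  # $1 = HTTP status code -> verdict as described in the advisory
    case "$1" in
        200) echo "UNPATCHED (Windows, pre-22.1.3)" ;;
        404) echo "patched or not Windows" ;;
        000) echo "unreachable" ;;
        *)   echo "inconclusive (HTTP $1)" ;;   # not covered by the advisory
    esac
}

scan_hosts() {  # $1 = inventory file; prints "target<TAB>code<TAB>verdict"
    while IFS= read -r target; do
        [ -n "$target" ] || continue
        code=$(probe_status "$target")
        printf '%s\t%s\t%s\n' "$target" "$code" "$(classify "$code")"
    done < "$1"
}

# Usage: sh check_papercut.sh hosts.txt   (hosts.txt is an assumed input file)
if [ "$#" -ge 1 ]; then
    scan_hosts "$1"
fi
```

Treat any 200 as a server to isolate and upgrade immediately; a 404 only means the probe path is absent, so still confirm the version is 22.1.3 or later.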
Unlike the previous exploit via CVE-2023-27350, CVE-2023-39143 does not require attackers to have any prior privileges, and no user interaction is necessary. However, compared to CVE-2023-27350, CVE-2023-39143 is more complex to exploit, as it involves multiple issues that need to be chained together to compromise a server. It is not a straightforward "one-shot" remote code execution vulnerability.
Please note that further details are not being released at this time to allow users ample time to perform upgrades.
Promptly upgrading to the latest version, 22.1.3, is the most effective remediation strategy to eliminate the risk of exploitation. If immediate upgrading is not possible, an alternative mitigation is configuring an allowlist of device IP addresses that are permitted to communicate with the PaperCut server. Refer to the "IP Address Allow-listing" section of the PaperCut security best practices guide.