CVE-2023-27350: Authentication Bypass Vulnerability in PaperCut NG/MF Leading to Remote Code Execution


Description Preview

CVE-2023-27350 affects PaperCut NG/MF versions 22.0.5 and earlier, allowing remote attackers to bypass authentication and execute arbitrary code with SYSTEM privileges. The vulnerability exists in the SetupCompleted class due to improper access control, requiring no authentication to exploit. This critical vulnerability has been actively exploited in the wild.

Overview

This vulnerability in PaperCut NG/MF print management software allows unauthenticated remote attackers to bypass authentication mechanisms and gain administrative access to the application. The flaw specifically exists in the SetupCompleted class where improper access controls fail to adequately protect sensitive functionality. Once authentication is bypassed, attackers can execute arbitrary code with SYSTEM privileges, effectively taking complete control of the affected system. The vulnerability has been widely exploited since its disclosure, with multiple public exploits available. Organizations using PaperCut NG/MF should consider this a critical security issue requiring immediate attention.

Remediation

To remediate this vulnerability:

  1. Update PaperCut NG/MF to version 22.0.6 or later immediately
  2. If immediate patching is not possible:
    • Restrict network access to the PaperCut server
    • Implement network segmentation to limit access to the PaperCut administration interface
    • Monitor systems for suspicious activities, particularly unauthorized access attempts
    • Consider temporarily disabling external access to the PaperCut server until patching is possible
  3. After patching, review system logs for any signs of compromise
  4. Change administrative credentials as a precaution
  5. Follow PaperCut's official security guidance at https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
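As a defender-side aid for step 1 above, the following is an added example (not Armis or PaperCut code) that triages an inventory of PaperCut NG/MF servers against the version threshold this advisory states: builds 22.0.5 and earlier are affected, 22.0.6 and later are fixed. The version parser, the inventory and the hostnames are constructed for illustration.

```python
"""Triage helper: flag PaperCut NG/MF installs still on an affected build.

Added example, not Armis or PaperCut code. It encodes only what the advisory
states: builds 22.0.5 and earlier are affected, 22.0.6 and later are fixed.
The inventory below is constructed sample data; the hostnames are placeholders.
"""
import re
from typing import List, Tuple

FIXED_VERSION = (22, 0, 6)  # per the advisory: update to 22.0.6 or later


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '22.0.5' into (22, 0, 5) so comparisons are numeric, not lexical.

    A plain string comparison would wrongly rank '22.0.10' below '22.0.5';
    tuples of ints avoid that. Trailing text such as '22.0.5 (Build 64010)'
    is ignored, and short strings like '22' are padded to three components.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised PaperCut version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True when the build is 22.0.5 or earlier, i.e. below the fixed build."""
    return parse_version(version) < FIXED_VERSION


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames that still need the CVE-2023-27350 update."""
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: (hostname, PaperCut version as reported).
SAMPLE_INVENTORY = [
    ("print-srv-01.example", "22.0.5 (Build 64010)"),
    ("print-srv-02.example", "22.0.6"),
    ("print-srv-03.example", "21.2.10"),
    ("print-srv-04.example", "22.0.10"),
    ("print-srv-05.example", "22.1.1"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected build, update to 22.0.6 or later")
```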

References

  1. PaperCut Official Advisory: https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
  2. ZDI Advisory: https://www.zerodayinitiative.com/advisories/ZDI-23-233/
  3. Sophos Analysis: https://news.sophos.com/en-us/2023/04/27/increased-exploitation-of-papercut-drawing-blood-around-the-internet/
  4. Exploit Information:
    • http://packetstormsecurity.com/files/171982/PaperCut-MF-NG-Authentication-Bypass-Remote-Code-Execution.html
    • http://packetstormsecurity.com/files/172022/PaperCut-NG-MG-22.0.4-Authentication-Bypass.html
    • http://packetstormsecurity.com/files/172512/PaperCut-NG-MG-22.0.4-Remote-Code-Execution.html
    • http://packetstormsecurity.com/files/172780/PaperCut-PaperCutNG-Authentication-Bypass.html

Early Warning

Customers using Armis Early Warning were notified about this vulnerability before it appeared in CISA's Known Exploited Vulnerabilities Catalog, enabling them to assess their exposure and act proactively. Armis offers these examples of CVEs already included in CISA KEV for potential customers.

Armis Alert Date: Apr 20, 2023
CISA KEV Date: Apr 21, 2023
1 day early

Industry Exposure (most to least affected)

This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Low
  2. Educational Services: Low
  3. Public Administration: Low
  4. Health Care & Social Assistance: Low
  5. Management of Companies & Enterprises: Low
  6. Arts, Entertainment & Recreation: Low
  7. Finance and Insurance: Low
  8. Information: Low
  9. Other Services (except Public Administration): Low
  10. Professional, Scientific, & Technical Services: Low
  11. Retail Trade: Low
  12. Accommodation & Food Services: Low
  13. Administrative, Support, Waste Management & Remediation Services: Low
  14. Agriculture, Forestry, Fishing & Hunting: Low
  15. Construction: Low
  16. Mining: Low
  17. Real Estate, Rental & Leasing: Low
  18. Transportation & Warehousing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
