CVE-2023-27350:
Authentication Bypass Vulnerability in PaperCut NG/MF Leading to Remote Code Execution
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.8 Critical
- Published Date: Apr 20, 2023
- CISA KEV Date: Apr 21, 2023
- Industries Affected: 20
Threat Predictions
- EPSS Score: 94.3
- EPSS Percentile: 100%
Exploitability
- Score: 3.9
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
This vulnerability in PaperCut NG/MF print management software allows unauthenticated remote attackers to bypass authentication mechanisms and gain administrative access to the application. The flaw specifically exists in the SetupCompleted class where improper access controls fail to adequately protect sensitive functionality. Once authentication is bypassed, attackers can execute arbitrary code with SYSTEM privileges, effectively taking complete control of the affected system. The vulnerability has been widely exploited since its disclosure, with multiple public exploits available. Organizations using PaperCut NG/MF should consider this a critical security issue requiring immediate attention.
Remediation
To remediate this vulnerability:
1. Update PaperCut NG/MF to version 22.0.6 or later immediately
2. If immediate patching is not possible:
   - Restrict network access to the PaperCut server
   - Implement network segmentation to limit access to the PaperCut administration interface
   - Monitor systems for suspicious activities, particularly unauthorized access attempts
   - Consider temporarily disabling external access to the PaperCut server until patching is possible
3. After patching, review system logs for any signs of compromise
4. Change administrative credentials as a precaution
5. Follow PaperCut's official security guidance at https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
References
1. PaperCut Official Advisory: https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
2. ZDI Advisory: https://www.zerodayinitiative.com/advisories/ZDI-23-233/
3. Sophos Analysis: https://news.sophos.com/en-us/2023/04/27/increased-exploitation-of-papercut-drawing-blood-around-the-internet/
4. Exploit Information:
   - http://packetstormsecurity.com/files/171982/PaperCut-MF-NG-Authentication-Bypass-Remote-Code-Execution.html
   - http://packetstormsecurity.com/files/172022/PaperCut-NG-MG-22.0.4-Authentication-Bypass.html
   - http://packetstormsecurity.com/files/172512/PaperCut-NG-MG-22.0.4-Remote-Code-Execution.html
   - http://packetstormsecurity.com/files/172780/PaperCut-PaperCutNG-Authentication-Bypass.html
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.
- Armis Alert Date: *No Data*
- CISA KEV Date: Apr 21, 2023
- Days Early: 1 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.