PaperCut MF or NG version 15.0 or later operating on all OS platforms. PaperCut MF or NG version 8.0 or later operating on all OS platforms. Image Source: Qualys Threat Research Unit (TRU) Affected Versions CVE-2023-27350 Most indications will be seen in regular activities, but close attention should be paid to any unusual source IP addresses, times, or a rapid succession of these events. Several indicators can be seen by navigating to the native application logs in the Logs -> Application Log tab. Source: Qualys Threat Research Unit (TRU) Indicators of Compromise Prerequisite for the remote code executionĪn authenticated attacker can modify the two settings mentioned below to perform remote code execution: An attacker would have to use sessions and individually request each page to access the user interface and ensure the form fields are correctly populated. The PaperCut web application uses dynamic form fields based on the last request, which makes it difficult to exploit. The functionality allows administrators to develop hooks that help customize printing across the enterprise. To perform remote code execution, an attacker may exploit printers’ built-in “Scripting” functionality. However, the logic in the SetupCompleted flow unintentionally verifies the anonymous user’s session. This kind of web-based application vulnerability is called Session Puzzling. Usually, the software only calls this function after a user’s password has been verified during the login process. The decompiled class calls the performLogin() function for the Admin user on form submission. The vulnerable SetupCompleted class is present in the C:\Program Files\PaperCut NG\server\lib\pcng-server-web-19.2.7.jar that can be decompiled to readable Java codes using the command line. The exploitation of both vulnerabilities depends on the authentication bypass performed on affected installations that lead to further damage, such as arbitrary code execution in the context of the NT AUTHORITY\SYSTEM account. This vulnerability exists in the SecurityRequestFilter class, which arises due to improper implementation of the authentication algorithm. An attacker may also access the hashed passwords for internal PaperCut-created users only. The information disclosure vulnerability enables a remote, unauthenticated attacker to access user data saved in PaperCut MF/NG, including usernames, email addresses, and sensitive information such as the card numbers linked to the user. CVE-2023-27351: PaperCut NG SecurityRequestFilter Authentication Bypass Vulnerability On successful exploitation, the vulnerability may allow an attacker to bypass authentication and further perform remote code execution on the target PaperCut NG administrator server. There is no authentication required to exploit the v ulnerability. The vulnerability exists in the SetupCompleted class that stems from improper access control. Image Source: Shodan Description CVE-2023-27350: PaperCut NG SetupCompleted Improper Access Control Authentication Bypass Vulnerability A print server is a device that hosts print queues and distributes printer resources to desktop clients and workstations.Īs per Shodan, there are more than 1800 internet-exposed PaperCut servers at the time of writing. To provide a business logic unit for computing user costs and giving end users a web browser interface, PaperCut NG/MF uses the Application Server. ![]() PaperCut is a comprehensive Print management software used in many industries worldwide. ĬISA has added the CVE-2023-27350 to its Known Exploitable Vulnerabilities Catalog and requested users to patch it before May 12 th, 2023. There are no ins t ance s of active e xploitat ion of this vulnerability publicly available.īoth vulnerabilities were reported to PaperCut by Trend Micro’s Zero Day Initiative ZDI-CAN-18987 and ZDI-CAN-19226. On successful ex ploitation, an attacker could bypass authentication on the syst em. The vulnerability has been rated high, with a CVSS Base Score of 8.2. ![]() The advisory also addressed an authentication bypass vulnerability (CVE-2023-27351) affecting PaperCut NG. The vendor mentioned in the advisory that evidence suggests unpatched servers are exploited in the wild. Successful exploitation of the vulnerability allows unauthenticated attackers to perform remote code execution to compromise the vulnerable PaperCut application server. CVE-2023-27350 has been rated as critical with a CVSS Base Score of 9.8. PaperCut, a print manager software, has a remote code execution vulnerability that is being actively exploited.
0 Comments
Leave a Reply. |