PaperCut Vulnerability - CVE-2023-27350, CVE-2023-27351

20 Apr / 2023

PaperCut MF & PaperCut NG Vulnerabilities

CVE: CVE-2023-27350, CVE-2023-27351

WHAT IS VULNERABLE?

  • PaperCut MF or NG version 8.0 or later, on all OS platforms (CVE-2023-27350) (Remote Code Execution)
  • PaperCut MF or NG version 15.0 or later, on all OS platforms (CVE-2023-27351) (Unauthenticated Information Disclosure)

WHAT IS HAPPENING?

  • PaperCut has updated this security advisory (https://www.papercut.com/kb/Main/PO-1216-and-PO-1219) regarding two vulnerabilities in its PaperCut MF and PaperCut NG software.
  • They now advise that they have evidence to suggest that unpatched servers are being exploited in the wild.

KEY FACTS

  • PaperCut has been made aware of two vulnerabilities in its PaperCut MF and PaperCut NG software.
  • CVE-2023-27350 is an Unauthenticated Remote Code Execution with SYSTEM-level permissions on the hosting server.
  • CVE-2023-27351 is an Unauthenticated Request Bypass that can allow the exfiltration of all the information stored within the PaperCut NG or MF application. This includes Names, Emails, Departments and Access Card Numbers. This can include hashed passwords for locally created users, but not passwords for accounts synchronised to a directory service.

WHAT YOU CAN DO

ASSESSING FOR POSSIBLE IMPACT

  • Look for suspicious activity in Logs > Application Log, within the PaperCut admin interface.
  • Keep an eye out in particular for any updates from a user called [setup wizard].
  • Look for new (suspicious) users being created, or other configuration keys being tampered with.
  • If your Application Server logs happen to be in debug mode, check whether any lines mention Setup Completed at a time that does not correlate with the server installation or an upgrade. Server logs can be found e.g. in [app-path]/server/logs/*.* where server.log is normally the most recent log file.
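
The log checks above can be scripted. The following is an added example, not code from PaperCut or from this advisory: it flags lines mentioning Setup Completed or the [setup wizard] user unless they fall within a tolerance of a known installation or upgrade time. The timestamp format, the sample log lines, and the names find_suspicious, SAMPLE_LOG and KNOWN_CHANGES are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Indicators named in the advisory: the "Setup Completed" message and
# activity by the "[setup wizard]" user. Matching is case-insensitive.
INDICATORS = ("setup completed", "[setup wizard]")

# Assumption: each log line starts with "YYYY-MM-DD HH:MM:SS".
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def find_suspicious(lines, known_changes, tolerance=timedelta(hours=2)):
    """Return (timestamp, indicator, line) for every indicator hit that is
    not within `tolerance` of a known install/upgrade time. Hits without a
    parseable timestamp are kept (timestamp None) so they get reviewed."""
    hits = []
    for raw in lines:
        line = raw.rstrip("\n")
        lowered = line.lower()
        matched = next((i for i in INDICATORS if i in lowered), None)
        if matched is None:
            continue
        m = TS_RE.match(line)
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None
        if ts is not None and any(abs(ts - c) <= tolerance for c in known_changes):
            continue  # explained by a legitimate installation or upgrade
        hits.append((ts, matched, line))
    return hits


# Constructed sample lines, not taken from a real PaperCut server.
SAMPLE_LOG = [
    "2023-03-10 09:14:02,113 DEBUG example.Component - Setup Completed",
    "2023-04-18 02:41:37,560 DEBUG example.Component - Setup Completed",
    "2023-04-18 02:43:05,002 INFO  example.Component - [setup wizard] changed a config key",
    "2023-04-18 08:00:00,000 INFO  example.Component - Print job released",
    "    continuation line mentioning Setup Completed with no timestamp",
]
# Constructed: the time this hypothetical server was installed.
KNOWN_CHANGES = [datetime(2023, 3, 10, 9, 0)]

if __name__ == "__main__":
    for ts, indicator, line in find_suspicious(SAMPLE_LOG, KNOWN_CHANGES):
        print(f"{ts or 'no timestamp'} | {indicator} | {line}")
```

To use it on a real server, read the lines from the files under [app-path]/server/logs/ and pass your own installation and upgrade times.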

Cythera is committed to protecting our customers from cyber threats and ensuring their business continuity. If you have any questions or concerns about CVE-2023-27350 or any other cybersecurity issue, please contact us today.

