Triskele Labs Blog

Papercut NG and MF CVE-2023-27350

Written by Jason Trapp, DFIR Analyst | Jul 5, 2023 1:00:06 AM

Date: 2/6/2023 | Prepared by: Jason Trapp, DFIR Analyst

Purpose and details

This alert aims to bring attention to a critical vulnerability identified in PaperCut for Windows and Unix systems1

This vulnerability is being tracked with the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2023-27350.   

The National Institute of Standards and Technology (NIST) has rated CVE-2023-27350 a 9.8/10 on the Common Vulnerability Scoring System (CVSS)

The Cybersecurity Infrastructure Security Agency (CISA) has released an advisory on this vulnerability2

This issue affects organisations utilising PaperCut print management software with the port exposed to the Internet.  

By default, PaperCut is open on port 9191. However, this can be reconfigured to any port desired. For instance, university printing services could be made available through a website.  

Importantly, exploiting this vulnerability does not require any authentication by a Threat Actor. To exploit this, a Threat Actor only requires a script and a publicly facing PaperCut server.  

As several Proof of Concept (PoC) examples are available on the Internet, it is trivial for a Threat Actor to exploit this vulnerability. The impact of exploitation is that a Threat Actor will be able to access the account running the service. 

This will typically be the SYSTEM account on Microsoft systems, and on Linux, this will be the root account. 

In some cases, PaperCut will be configured to be running on a service account without a Service Principal Name (SPN). In the worst case, some systems will run PaperCut as a Domain Administrator account. 

As reported by Malwarebytes3, this vulnerability has been actively exploited in the wild by several ransomware operators such as Cl0p, Bl00dy, and LockBit. 

The vulnerability is a result of improper access control being set up within the SetupCompleted Java class. The vulnerability exists due to Session Puzzling, which occurs when a web application uses the same session variable for multiple purposes. 

This allows a Threat Actor to potentially access pages in an order that is unintended4. As a result, a Threat Actor can log in after going to the page “[victim IP]:[Port]/app?service=page/SetupComplete”.   

Exploitation pre-requisites

This vulnerability affects several versions of PaperCut ranging from 8.0. to 19.2.7, 20.0.0 to 20.1.6, 21.0.0 to 21.2.10, and 22.0.0 to 22.0.8 inclusive.  

As mentioned, this vulnerability affects all applications and print servers utilising PaperCut.   

Mitigation actions

Triskele Labs recommends that PaperCut MF/NG software is updated in line with the version being run. The following location lists the relevant update articles for the affected software:   

Triskele Labs recommends considering the exposure of all Internet-facing services, as new vulnerabilities are always being discovered in software. Exploiting new vulnerabilities in Internet-facing software is one of the most common entry vectors into networks for Threat Actors.   

Additional mitigation actions that can be taken include:   

  • Implement MFA for all users.  
  • If PaperCut is unable to be patched immediately, either:  
  • Block all inbound traffic from external IP addresses to the web management portal.  
  • Block all traffic inbound to the web management portal. (Remote management will not be available after this is performed). 

These mitigation strategies are not substitutes for patching the vulnerability. These should be implemented to complement the patch as Defence in Depth measures or in the case that a patch cannot be immediately applied.  

Detection 

The Triskele Labs DefenceShield Security Operations Centre (SOC) monitors suspicious activity for Managed Detection and Response (MDR) clients.  

DefenceShield Monitor clients with Security Information and Event Management (SIEM) agents deployed to endpoints will detect exploitation of this vulnerability.  

Triskele Labs are performing ongoing scanning for DefenceShield Assess clients to detect vulnerable devices in client networks.   

For any questions, please contact the DefenceShield Security Operations Centre or Triskele Labs support.   

 

1 https://nvd.nist.gov/vuln/detail/CVE-2023-27350 

2 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a  

3 https://www.malwarebytes.com/blog/news/2023/04/lockbit-and-cl0p-are-actively-exploiting-papercut-vulnerabilities 

4 https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/08-Testing_for_Session_Puzzling