Sedara Security Bulletin: PaperCut Software Vulnerabilities

Summary:

PaperCut is enterprise software used for print and file management. They recently published two vulnerability reports for high-severity security issues in their PaperCut MF/NG products. The most severe vulnerability enables remote code execution (CVE-2023-27350) and is scored 9.8 (critical) on the CVSS.

This vulnerability allows attackers to bypass authentication and execute arbitrary code by abusing the built-in “Scripting” functionality for printers. It can be done remotely and without the need to log in.

Although the vulnerability and patches were released in mid-March, there are now observed cases of attacks on unpatched servers across the Internet. Since PaperCut is a popular product in the educational space, educational institutions have been heavily targeted.

PaperCut also released a user account data vulnerability (CVE-2023-27351), scored 8.2 (high) on the CVSS. This vulnerability allows an unauthenticated attacker to potentially collect information about users in PaperCut, along with hashed passwords for internal PaperCut-created users (and not sync’ed users from other sources). This can be done remotely and without the need to log in. According to PaperCut, as of the writing of this bulletin, there is no evidence of this vulnerability being exploited in the wild.

History:

On February 28, 2023, both vulnerabilities were discovered and assigned CVE IDs. PaperCut issued patches for their software shortly afterward in March.

On April 18, PaperCut received their first report from a customer of suspicious activity related to  unpatched servers. After that date, security researchers observed PaperCut exploitation in the wild.

The week of April 24, attack surface assessment firms Huntress and Horizon3 released detailed technical information and Proof of Concept (PoC) exploits for the vulnerability.

Threat actors have since been observed using the flaw to execute PowerShell commands that install Atera and Syncro remote management software, tied to Clop and LockBit flavors of ransomware. It appears that the access gained through PaperCut exploitation is primarily being used to build a ransomware network.

Indications of Compromise:

• Suspicious activity or security alerts in security products like EDR
• Suspicious PaperCut MF application log entries in [app-path]/server/logs/, like:
  • User “admin” logs into the administration interface
  • User “admin” modified the print script on the printer
  • User “admin” updated a configuration key
  • User “[setup-wizard]” modified a configuration key
• Domains in DNS or web proxy logs:
  • upd488[.]windowservicecemter[.]com/download/ld.txt
  • upd488[.]windowservicecemter[.]com/download/AppPrint.msi
  • upd488[.]windowservicecemter[.]com/download/a2.msi
  • upd488[.]windowservicecemter[.]com/download/a3.msi
  • anydeskupdate[.]com
  • anydeskupdates[.]com
  • netviewremote[.]com
  • updateservicecenter[.]com
  • windowcsupdates[.]com
  • windowservicecentar[.]com
  • windowservicecenter[.]com
  • winserverupdates[.]com
  • study[.]abroad[.]ge
  • ber6vjyb[.]com
  • 5[.]188[.]206[.]14
  • upd488[.]windowservicecemter[.]com/download/update.dll
• New suspicious entries in the SSH authorized keyfile
• New print scripts in the “Scripting” configuration of each printer / device in the PaperCut admin console
• SHA256 hashes of files on the local system:
  • msi f9947c5763542b3119788923977153ff8ca807a2e535e6ab28fc42641983aabb
  • txt c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125

Mitigation Steps recommended by Sedara:

• As soon as possible, upgrade PaperCut Application Servers to versions 20.1.7, 21.2.11 or 22.0.9 or later. Direct downloads are available from https://www.papercut.com/products/upgrade/
• Block all inbound traffic from external (Internet) IP addresses to the PaperCut web management port (default ports 9191 and 9192) to restrict management access to the server.
• If your server has been compromised, we recommend taking a server backup, wiping the application server, and rebuilding the application server. It’s safest to restore the database to a “safe” backup point prior to when you discovered any suspicious behavior.

How can Sedara Help?

Sedara’s vCISOs can provide you ongoing supervision and support to stay updated on the latest security incidents. Our vCISOs are your “cybersecurity sidekick,” helping you improve your overall cybersecurity posture by adopting new security controls and mitigating risk.

Gain visibility across your entire network for real-time analysis and alerting of security events. Sedara’s 24x7x365 SOC can deploy and monitor a Security Information Event Management (SIEM)  so that you can ignore the noise and take immediate action on security incidents.

More reading on this threat:

• Papercut MF/NG vulnerability bulletin – https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
• CVE-2023-27350 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27350
• CVE-2023-27351 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27351

Want Help With a Security Incident?

Sedara can help your organization assess and address vulnerabilities and provide insight that prevents future incidents.

Get Future Compromise Alerts – Join Sedara Declassified

Subscribe to Sedara Declassified to get timely updates on new and evolving threats – and what to do about them – just like our clients do. And of course, if we can help you with anything directly, feel free to reach out.