Information from: APRIL 19 UPDATE | PaperCut MF/NG vulnerability bulletin (March 2023) | PaperCut
We have received two vulnerability reports from a 3rd party cyber security company (Trend Micro), for high/critical severity security issues in PaperCut MF/NG. We have evidence to suggest that unpatched servers are being exploited in the wild.
As a precaution, we are not able to reveal too much about these vulnerabilities. We have documented what we can disclose below.
Critical: Please note that as of 18th April, 2023 we have evidence to suggest that unpatched servers are being exploited in the wild (particularly via ZDI-CAN-18987 / PO-1216).
Our immediate advice is to upgrade your PaperCut Application Servers to one of the fixed versions listed below if you haven’t already.
If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding from a ‘safe’ backup point prior to when you discovered any suspicious behavior. We have also updated the FAQ “How do I know if my server has been exploited?” question below.
Important: Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. We highly recommend upgrading to one of these versions containing the fix (see the Where can I get the upgrade? question below).
ZDI-CAN-18987 / PO-1216
We have confirmed that under certain circumstances this allows for an unauthenticated attacker to get Remote Code Execution (RCE) on a PaperCut Application Server. This could be done remotely and without the need to log in.
This vulnerability has been rated with a CVSS score of 9.8.
ZDI-CAN-19226 / PO-1219
We have confirmed that under certain circumstances this allows for an unauthenticated attacker to potentially pull information about a user stored within PaperCut MF or NG - including usernames, full names, email addresses, office/department info and any card numbers associated with the user. The attacker can also retrieve the hashed passwords for internal PaperCut-created users only (note that this does not include any password hashes for users sync’d from directory sources such as Microsoft 365 / Google Workspace / Active Directory and others). This could be done remotely and without the need to log in. We do not have any evidence of this vulnerability being used against customers at this point.
This vulnerability has been rated with a CVSS score of 8.2.
Product status and next steps
Which PaperCut products are impacted, and what are the actions required?
| | ZDI-CAN-18987 / PO-1216 | ZDI-CAN-19226 / PO-1219 |
| What versions are impacted? | PaperCut MF or NG version 8.0 or later, on all OS platforms | PaperCut MF or NG version 15.0 or later, on all OS platforms |
| Which PaperCut MF or NG components are impacted? | Application Servers are impacted. Site Servers are impacted. | Application Servers are impacted. |
| Which PaperCut components or products are NOT impacted? | PaperCut MF/NG secondary servers (Print Providers). PaperCut MF/NG Direct Print Monitors (Print Providers). PaperCut Hive. PaperCut Pocket. Print Deploy. Mobility Print. PaperCut User Client software. | PaperCut MF/NG secondary servers (Print Providers). PaperCut MF/NG Direct Print Monitors (Print Providers). PaperCut MF/NG site servers. PaperCut Hive. PaperCut Pocket. Print Deploy. Mobility Print. PaperCut User Client software. |
| Next steps | We recommend that you upgrade all Application Servers and Site Servers (see Upgrade documentation). You will not need to patch Secondary Servers (Print Providers / Direct Print Monitors) - but you can if you prefer. | We recommend that you upgrade all Application Servers and Site Servers (see Upgrade documentation). Even though the Site Server is not impacted by this vulnerability, you will need to upgrade them to match the version number of the Application Server. You will not need to patch Secondary Servers (Print Providers / Direct Print Monitors) - but you can if you prefer. |
FAQs
Q: Where can I get the upgrade?
Please follow your usual upgrade procedure. Additional links on the ‘Check for updates’ page (accessed through the Admin interface > About > Version info > Check for updates) will allow customers to download fixes for previous major versions which are still supported (e.g. 20.1.7 and 21.2.11) as well as the current version available.
If you are using PaperCut MF, we highly recommend following your regular upgrade process. Your PaperCut partner or reseller information can also be found on the ‘About’ tab in the PaperCut admin interface.
Q: Is there any impact from applying the upgrade?
There should be no negative impact from applying these security fixes. No other manual steps need to be taken.
Q: Where are the release notes for these fixes?
You can see the release notes pages for PaperCut MF and NG which list all fixes included per version:
Q: What are the CVSS scores for these vulnerabilities?
Vulnerability: ZDI-CAN-18987 / PO-1216
- Score: 9.8 (Critical)
- Breakdown: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability: ZDI-CAN-19226 / PO-1219
- Score: 8.2 (High)
- Breakdown: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Q: Is there more information available about these vulnerabilities?
Not at this time - to give customers a chance to upgrade, we are not releasing further details about these vulnerabilities.
Trend Micro have also advised they will disclose further information (TBD) about the vulnerability on 10th May 2023. For more information, see https://www.zerodayinitiative.com/advisories/upcoming/ (filter on “PaperCut”).
Q: Is there a mitigation for these vulnerabilities if I don’t want to upgrade?
ZDI-CAN-18987 / PO-1216:
- No practical pre-patch mitigation strategy has been identified. Customers will need to patch to address the issue.
ZDI-CAN-19226 / PO-1219:
- Apply “Allow list” restrictions under Options > Advanced > Security > Allowed site server IP addresses. Set this to only allow the IP addresses of verified Site Servers on your network.
Q: How do I know if my server has been exploited?
There is currently no definitive way to tell whether your server(s) have been exploited.
We recommend a review of server access logs and virus and malware scanner results. From a PaperCut point of view we also recommend:
- Look for suspicious activity in Logs > Application Log, within the PaperCut admin interface.
- Keep an eye out in particular for any updates from a user called [setup wizard].
- Look for new (suspicious) users being created, or other configuration keys being tampered with.
- If your Application Server logs happen to be in debug mode, check to see if there are lines mentioning SetupCompleted at a time not correlating with the server installation or upgrade. Server logs can be found e.g. in [app-path]/server/logs/*.*, where server.log is normally the most recent log file.
However, these are only examples of suspicious activity - if an attacker does gain access through an unpatched vulnerability, they may also work to cover their steps.
If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding from a ‘safe’ backup point prior to when you discovered any suspicious behavior.
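As an added illustration of the two log checks described above (this is not PaperCut's own tooling), the script below flags SetupCompleted lines in server.log and [setup wizard] entries in the Application Log that fall outside known install or upgrade times. The log line layout, the one-hour slack around each known install/upgrade time and the sample log content are all assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Assumed line layout "YYYY-MM-DD HH:MM:SS LEVEL message" (the bulletin shows no real format; adjust the regex).
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")

# Constructed sample of a debug-mode server.log: one SetupCompleted at install time,
# one weeks later at 02:13 with a new admin account created right after it.
SERVER_LOG = """\
2023-03-01 09:00:12 INFO Server started
2023-03-01 09:02:45 DEBUG SetupCompleted - initial configuration finished
2023-04-18 02:13:07 DEBUG SetupCompleted - initial configuration finished
2023-04-18 02:13:09 INFO Admin user created: helpdesk-admin
""".splitlines()

# Constructed sample of Logs > Application Log entries: (timestamp, acting user, message)
APP_LOG = [
    ("2023-03-01 09:02:45", "[setup wizard]", "Initial setup completed"),
    ("2023-04-18 02:13:09", "[setup wizard]", "Config key updated"),
    ("2023-04-18 08:30:00", "admin", "Printer added"),
]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def in_window(ts, known_events, slack=timedelta(hours=1)):
    """True when ts lies within `slack` of a known install or upgrade time (slack is an assumption)."""
    return any(abs(ts - event) <= slack for event in known_events)

def suspicious_setup_completed(lines, known_events):
    """server.log lines mentioning SetupCompleted that do not line up with a known install/upgrade."""
    hits = []
    for line in lines:
        match = LINE_RE.match(line)
        if match and "SetupCompleted" in match.group(3):
            if not in_window(parse_ts(match.group(1)), known_events):
                hits.append(line)
    return hits

def setup_wizard_updates(entries, known_events):
    """Application Log entries made by the '[setup wizard]' user outside known install/upgrade windows."""
    return [e for e in entries
            if e[1] == "[setup wizard]" and not in_window(parse_ts(e[0]), known_events)]

if __name__ == "__main__":
    installs = [parse_ts("2023-03-01 09:00:00")]  # when this server was actually installed/upgraded
    for hit in suspicious_setup_completed(SERVER_LOG, installs):
        print("server.log:", hit)
    for entry in setup_wizard_updates(APP_LOG, installs):
        print("Application Log:", entry)
```

Feed it your real install and upgrade timestamps; anything it flags still needs the manual review the bulletin recommends, since it only catches the two indicators named above.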
Q: Is there a maintenance release for versions 19 or older?
No - versions 19 and older are now “end of life”, as documented on our End of Life Policy page.
We recommend purchasing an updated license, which you can do online if you’re using PaperCut NG, or through your PaperCut Partner if you’re using PaperCut MF. You can find your PaperCut Partner contact information through the ‘About’ or ‘Help’ tab in the PaperCut administration interface.
Q: I have a version 20 license, but no current M&S (maintenance and support) - can I still get this fix?
Yes! As long as you are running a version which is currently supported (version 20 or later), you can upgrade to whichever maintenance release version you’re licensed for. For example, if you are licensed for version 20 but you don’t have a valid license for version 21, you can update to version 20.1.7 as above. See the ‘Where can I get the upgrade?’ question above for more details.
See our Upgrade Policy page for more information on licensing and upgrades.
Acknowledgements
PaperCut would like to thank the researchers working with Trend Micro for reporting these issues and working with us to help protect our customers:
- ZDI-CAN-19226 - Discovered by: Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative
- ZDI-CAN-18987 - Discovered by: Anonymous
Trend Micro have also advised they will disclose further information (TBD) about the vulnerability on 10th May 2023. For more information, see https://www.zerodayinitiative.com/advisories/published/ (filter on “PaperCut”).