Papercut is a print management software suite. It is affected by a Critical Remote Code Execution vulnerability that is posing an increased risk of exploitation.
We look at the RCE vulnerability on Papercut software and discuss the remediation efforts to mitigate the risk.
What is Papercut?
Papercut is an application suite that provides printer management functionality. The application bundle allows easy administration of printers.
Papercut NG and MF monitor and control your print resources with easy-to-use administrative and user tools that can be securely accessed from anywhere on the network through a web browser.
Some important functionality aspects of Papercut NG and MF include:
- Print management solutions
- Silent activity monitoring
- Visible activity monitoring and expense tracking by work area, projects and departments
- Quota/allowance enforcement
- Charge per-print system
- Combinations of all of the above to accommodate various user / group profiles
- Detailed logging and reporting
- Notifications for printer errors and low toner
- Job blocking filters and re-direction
Papercut seeks to optimize print services, reduce costs, and simplify user interaction and management for print tasks.
Papercut has over 100 million users across the world, so vulnerabilities affecting it are significant for system administrators.
What is the Papercut vulnerability?
The Papercut vulnerability refers to a security threat that exists in the Papercut NG and MF editions. The vulnerability was first reported by Trend Micro on 18th April 2023.
Trend Micro reported two vulnerabilities in Papercut NG and MF. These vulnerabilities were reported under the Zero Day Initiative (ZDI) and are described below:
CVE-2023-27350
CVE-2023-27350 is being exploited by threat actors as we write this. There have been 'In the Wild' attacks on Papercut application servers. The details of this vulnerability are summarised below:
- CVE-2023-27350 is a Remote Code Execution threat.
- It has a CVSS score of 9.8.
- CVE-2023-27350 has a CRITICAL severity.
- The vulnerability is being tracked as a zero-day threat under ZDI-23-233.
- This vulnerability is the subject of 'In the Wild' attacks by malicious actors.
- Unpatched Papercut application servers can be used to launch RCE attacks. The application executable for Papercut NG and MF is pc-app.exe; threat actors are abusing this process to deliver malicious payloads over the network.
- The issue results from improper access control in the Papercut application suite. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM.
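Because the article names pc-app.exe as the process that attackers abuse to deliver payloads, a defender's first detection question is "did the PaperCut service spawn something it never normally spawns?". The following Python script is an added example (not code from the article or from PaperCut) that scans process-creation events for that pattern. It assumes a flattened key="value" log format modelled loosely on Sysmon Event ID 1 fields, and the set of suspicious child processes is an illustrative assumption; the sample log lines are constructed, not real telemetry.

```python
import ntpath
import re
from typing import Dict, List

# Assumption: the PaperCut application service has no routine reason to spawn
# command interpreters or script hosts. Tune this set for your environment.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe",
}

# Application executable named in the article.
PAPERCUT_SERVICE = "pc-app.exe"

# Constructed sample events (key="value" per line, Sysmon-like field names).
SAMPLE_LOG = r'''
UtcTime="2023-04-19 10:00:01" ParentImage="C:\Windows\System32\services.exe" Image="C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe" CommandLine="pc-app.exe"
UtcTime="2023-04-19 10:02:13" ParentImage="C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c echo test"
UtcTime="2023-04-19 10:02:14" ParentImage="C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -NoProfile"
UtcTime="2023-04-19 10:05:00" ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe"
UtcTime="2023-04-19 10:06:30" ParentImage="C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe" Image="C:\Program Files\PaperCut MF\runtime\jre\bin\java.exe" CommandLine="java.exe -jar server.jar"
'''

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" log line into a dict of fields."""
    return {key: value for key, value in KV_RE.findall(line)}


def basename(image_path: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(image_path).lower()


def is_suspicious(event: Dict[str, str]) -> bool:
    """True when pc-app.exe is the parent of a process from the watch list."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent == PAPERCUT_SERVICE and child in SUSPICIOUS_CHILDREN


def find_suspicious_children(log_text: str) -> List[Dict[str, str]]:
    """Return every event in log_text that matches the detection rule."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        event = parse_event(line)
        if is_suspicious(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_children(SAMPLE_LOG):
        print(f'{hit["UtcTime"]}  {PAPERCUT_SERVICE} -> '
              f'{basename(hit["Image"])}: {hit["CommandLine"]}')
```

Run against the constructed sample, the rule flags the cmd.exe and powershell.exe children and stays quiet for the service being started by services.exe, for a shell started from explorer.exe, and for the bundled java.exe, which keeps the signal tied to the parent-child relationship rather than to the child name alone.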
CVE-2023-27351
The details of CVE-2023-27351 are shared below.
- CVE-2023-27351 is another zero-day threat that affects Papercut NG and MF application servers.
- The vulnerability is being tracked as a zero-day under ZDI-23-232.
- It has a CVSS score of 8.2.
- Through this vulnerability, unauthorized attackers can potentially extract user account information stored within a customer's PaperCut MF and NG servers, such as usernames, full names, email addresses, office and department information, and payment card numbers.
- Threat actors could also access and retrieve hashed passwords for internal PaperCut-created user accounts.
- However, no exploitation attempts or attacks targeting CVE-2023-27351 have been observed.
What versions of Papercut NG and MF are impacted?
Since there are two vulnerabilities that affect Papercut NG and MF, we will look at the versions impacted by each vulnerability below.
CVE-2023-27350
The RCE vulnerability CVE-2023-27350 affects Papercut NG and MF version 8 and later. The specific impacted versions are:
- Version 8.0.0 to 19.2.7 (inclusive)
- Version 20.0.0 to 20.1.6 (inclusive)
- Version 21.0.0 to 21.2.10 (inclusive)
- Version 22.0.0 to 22.0.8 (inclusive)
The impacted servers include Papercut NG and MF application servers and site servers.
The following versions of Papercut NG and MF are not impacted by CVE-2023-27350:
- Version 20.1.7
- Version 21.2.11
- Version 22.0.9
- Version 22.0.10
- Version 22.0.11
These are the Papercut NG and MF versions in which the vulnerability is fixed.
CVE-2023-27351
This information disclosure vulnerability affects the following versions of Papercut NG and MF:
- Version 15.0.0 to 19.2.7 (inclusive)
- Version 20.0.0 to 20.1.6 (inclusive)
- Version 21.0.0 to 21.2.10 (inclusive)
- Version 22.0.0 to 22.0.8 (inclusive)
CVE-2023-27351 is fixed in, and therefore does not affect, the following versions of Papercut NG and MF:
- Version 20.1.7
- Version 21.2.11
- Version 22.0.9
- Version 22.0.10
- Version 22.0.11
CVE-2023-27351 affects Papercut application servers.
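Administrators with many servers usually want to check an inventory of version strings against the ranges above rather than read the tables by hand. The following Python snippet is an added example (not code from the article or from PaperCut) that encodes the inclusive affected ranges and the fixed releases exactly as listed above and reports which CVEs a given version is exposed to. It assumes versions are plain MAJOR.MINOR.PATCH strings, and the "same major branch" rule for picking an upgrade target is an assumption for illustration (installs older than version 20 are pointed at the newest fixed release).

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Inclusive affected ranges, taken from the article's version tables.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2023-27350": [("8.0.0", "19.2.7"), ("20.0.0", "20.1.6"),
                       ("21.0.0", "21.2.10"), ("22.0.0", "22.0.8")],
    "CVE-2023-27351": [("15.0.0", "19.2.7"), ("20.0.0", "20.1.6"),
                       ("21.0.0", "21.2.10"), ("22.0.0", "22.0.8")],
}

# First fixed release on each branch the article lists as patched.
FIXED_VERSIONS = ["20.1.7", "21.2.11", "22.0.9"]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (e.g. '22.0.8') into a comparable int tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PaperCut version string: {text!r}")
    return tuple(int(p) for p in parts)


def affected_by(version_text: str) -> List[str]:
    """CVE identifiers whose affected ranges contain this version."""
    version = parse_version(version_text)
    hits = []
    for cve, ranges in AFFECTED_RANGES.items():
        for low, high in ranges:
            if parse_version(low) <= version <= parse_version(high):
                hits.append(cve)
                break  # one matching range per CVE is enough
    return hits


def recommended_upgrade(version_text: str) -> Optional[str]:
    """Fixed release to move to, or None if the version is not affected.

    Assumption: stay on the same major branch when a fixed release exists
    there; otherwise (branches older than 20) go to the newest fixed release.
    """
    if not affected_by(version_text):
        return None
    major = parse_version(version_text)[0]
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed)[0] == major:
            return fixed
    return FIXED_VERSIONS[-1]


def report(inventory: Dict[str, str]) -> List[str]:
    """One human-readable line per host in a {host: version} inventory."""
    lines = []
    for host, version in sorted(inventory.items()):
        cves = affected_by(version)
        if cves:
            target = recommended_upgrade(version)
            lines.append(f"{host}: {version} affected by {', '.join(cves)}; upgrade to {target}")
        else:
            lines.append(f"{host}: {version} not affected")
    return lines


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"print-01": "22.0.8", "print-02": "21.2.11",
              "print-03": "12.3.1", "print-04": "20.1.7"}
    print("\n".join(report(sample)))
```

Note the asymmetry the tables encode: a 12.x or 14.x server is inside the CVE-2023-27350 range but outside the CVE-2023-27351 range, which starts at 15.0.0, so the checker reports only the RCE for such hosts.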
Papercut vulnerability remediation
CVE-2023-27350 and CVE-2023-27351 can be remediated by upgrading Papercut NG and MF to one of the fixed versions. The remediation version details for each vulnerability are given below.
CVE-2023-27350
The RCE threat CVE-2023-27350 can be remediated by upgrading the Papercut application and site servers to one of the fixed versions:
- Upgrade Papercut NG and MF application and site servers to version 20.1.7, 21.2.11, or 22.0.9 or later versions.
CVE-2023-27351
This vulnerability affects application servers only, so Papercut NG and MF application servers need to be patched to one of the following versions:
- Upgrade Papercut NG and MF application and site servers to version 20.1.7, 21.2.11, or 22.0.9 or later versions.
You can find the upgrade instructions for Papercut application servers on this page.
Which threat actors are exploiting the Papercut vulnerabilities?
The earliest exploitation attempt was found to have been initiated by Lockbit. There have been reports of the following threat actors using CVE-2023-27350 to attack Papercut servers:
- Lockbit
- Clop ransomware group
- Iranian State actor Mint Sandstorm (Phosphorus)
- Iranian State actor Mango Sandstorm (Mercury)
Lockbit and Clop ransomware operators were found to be exploiting CVE-2023-27350 as early as April 2023. The Iranian state actors have since joined the list of groups attacking Papercut servers.
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.