CVE-2023-27350: Exploitation of Critical RCE Vulnerability in PaperCut Print Management Server


On April 19, 2023, PaperCut confirmed that print management servers vulnerable to a critical remote code execution vulnerability (CVE-2023-27350, CVSS 9.8) are being actively exploited by threat actors. CVE-2023-27350 could allow unauthenticated threat actors to bypass authentication and execute arbitrary code in the context of SYSTEM on a PaperCut Application Server.

Zero Day Initiative responsibly disclosed the vulnerability to PaperCut on January 10, 2023; PaperCut released a patch on March 8, 2023. Additional details surrounding this vulnerability will be released by Trend Micro on May 10, 2023. 

Over the past week, Arctic Wolf has observed intrusion activity associated with a vulnerable PaperCut Server where the RMM tool Syncro MSP was loaded onto a victim system. We assess with moderate confidence that this intrusion activity is related to the exploitation of CVE-2023-27350.

Arctic Wolf has deployed monitoring around indicators of compromise associated with this PaperCut intrusion activity. We strongly recommend that organizations running the affected products upgrade as soon as possible. 

Recommendations For CVE-2023-27350

Recommendation #1: Upgrade PaperCut Application Servers to a Fixed Version 

We strongly recommend upgrading PaperCut MF and PaperCut NG to 20.1.7, 21.2.11, 22.0.9 or later to prevent potential exploitation. According to PaperCut, there is no practical workaround to address this vulnerability.  

| Product | Impacted Version | Patched Version |
|---|---|---|
| PaperCut MF | Version 8.0 or later, on all OS platforms | Versions 20.1.7, 21.2.11 and 22.0.9 and later |
| PaperCut NG | Version 8.0 or later, on all OS platforms | Versions 20.1.7, 21.2.11 and 22.0.9 and later |

Application and Site servers are impacted; secondary servers (Print Providers) and Direct Print Monitors are not impacted. No workaround is available for this vulnerability.

Note: Arctic Wolf recommends following change management best practices when applying upgrades, including testing changes in a test environment before deploying to production, to avoid operational impact.

Indicators of Compromise (IOCs) 

| Indicator | Type | Context |
|---|---|---|
| hxxp://upd488.windowservicecemter[.]com/download/AppPrint.msi | URL | URL delivering MSI file that installs Syncro MSP RMM tool |
| 00ec44df6487faf9949cebee179bafe8377ca4417736766932508f94da0f35fe | SHA256 Hash | AppPrint.msi file that installs Syncro MSP RMM tool |
| upd488.windowservicecemter[.]com | Domain | Domain delivering MSI file that loads RMM tool |
| hxxp://upd488.windowservicecemter[.]com/download/setup.msi | URL | URL delivering MSI file that installs AteraAgent. Note: We have not observed this in our specific intrusion. |
| hxxp://upd488.windowservicecemter[.]com/download/a3.msi | URL | Download URL linked to malicious domain observed in our intrusion |
| upd343.winserverupdates[.]com | Domain | Cobalt Strike C2 that has a similar domain naming convention and registration pattern to the domain used to host AppPrint.msi. Note: We have not observed this in our specific intrusion. |
| 172.67.156[.]5 | IP Address | A record for windowservicecemter[.]com |
| 104.21.73[.]3 | IP Address | A record for windowservicecemter[.]com |
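The two actionable parts of this advisory are the upgrade table and the indicator table. The following added example (not code from Arctic Wolf or PaperCut) turns both into checks a defender can run: a branch-aware test of whether a PaperCut MF/NG version is still below its fixed release, and a scan of proxy log lines for the listed domains and IPs. It assumes that builds newer than 22.0.9 (22.1.x, 23.x) count as fixed, and the log lines are constructed samples.

```python
# Added example, not code from the Arctic Wolf advisory: check whether a PaperCut
# MF/NG build still needs the CVE-2023-27350 upgrade, and scan log lines for the
# network indicators the advisory lists. Sample log lines below are constructed.
import re
# Fixed versions per branch from the advisory; 8.0 up to the branch fix is affected,
# and builds newer than 22.0.9 are assumed fixed (the advisory says "and later").
FIXED_BY_BRANCH = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}
FIRST_AFFECTED, NEWEST_FIX = (8, 0, 0), (22, 0, 9)

def parse_version(text):
    """Turn '21.2.11' (or '21.2') into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised PaperCut version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_vulnerable(version):
    """True when this build is below the fixed version for its branch."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    fix = FIXED_BY_BRANCH.get(v[0])
    if fix is not None:
        return v < fix        # 21.1.5 is vulnerable: it is below 21.2.11
    return v < NEWEST_FIX     # 19.x is vulnerable, 23.x is assumed fixed

def refang(s):
    return s.replace("[.]", ".").replace("hxxp://", "http://")

# Indicators from the advisory (defanged as published), anchored so that
# 172.67.156.5 does not also match 172.67.156.50.
IOC_DEFANGED = ["upd488.windowservicecemter[.]com", "upd343.winserverupdates[.]com",
                "172.67.156[.]5", "104.21.73[.]3"]
IOC_PATTERNS = [(refang(i), re.compile(r"(?<![\w.])" + re.escape(refang(i)) + r"(?![\w-])"))
                for i in IOC_DEFANGED]

def scan_log(lines):
    """Return (line number, indicator) pairs for lines that reference an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc, pat in IOC_PATTERNS:
            if pat.search(line):
                hits.append((n, ioc))
    return hits

# Constructed proxy log: a staged-MSI download, a benign request, a near-miss IP.
SAMPLE_LOG = [
    "2023-04-20T10:01:02Z papercut01 GET http://upd488.windowservicecemter.com/download/AppPrint.msi 200",
    "2023-04-20T10:01:05Z papercut01 GET https://www.papercut.com/kb/ 200",
    "2023-04-20T10:02:00Z papercut01 CONNECT 172.67.156.50:443 200",
]
```

Feed `is_vulnerable` the version string from the Application Server's About page and `scan_log` your egress logs; the SHA256 in the table is better matched against file hashes than against log text.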

 


Steven Campbell


Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.