
CVE-2023-39143: Critical Remote Code Execution Vulnerability in PaperCut Print Management Server

CVE-2023-39143 could allow unauthenticated threat actors to read, delete, and upload arbitrary files on compromised systems, which results in RCE.

On August 4, 2023, security researchers published a blog post detailing a critical remote code execution (RCE) vulnerability in PaperCut NG/MF print management servers (CVE-2023-39143: CVSS 8.4). CVE-2023-39143 could allow unauthenticated threat actors to read, delete, and upload arbitrary files on compromised systems, which results in RCE. Additionally, this vulnerability does not require user interaction.

PaperCut released a patch to fix this vulnerability on July 25, 2023, after the security researchers responsibly disclosed the vulnerability to PaperCut on May 30, 2023.

Arctic Wolf has not observed a public Proof of Concept (PoC) published or any active exploitation. However, we assess that threat actors are likely to develop exploits for this vulnerability due to the prevalence of PaperCut print management servers and the level of access a threat actor can achieve via exploitation.

Note: Only PaperCut servers running on Windows are affected. 

CVE-2023-39143 Recommendation: Upgrade PaperCut Application Servers to a Fixed Version

We strongly recommend upgrading PaperCut NG and PaperCut MF to 22.1.3 or later.

| Product | Impacted Version | Patched Version |
|---|---|---|
| PaperCut NG (Windows platforms only) | Versions prior to 22.1.3 | Version 22.1.3 or later |
| PaperCut MF (Windows platforms only) | Versions prior to 22.1.3 | Version 22.1.3 or later |

Application servers are impacted. Site servers, secondary servers (Print Providers), and Direct Print Monitors (Print Providers) are not impacted.

The following command can be used to check if a server is vulnerable to CVE-2023-39143 and is running Windows, with a 200 response indicating the server needs patching (replace <host> and <port> with the address and port of the PaperCut server being checked):

curl -w "%{http_code}" -k --path-as-is "https://<host>:<port>/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png"
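The request shape used by the check command can also be searched for in web access logs of servers that were reachable before patching. The script below is an added example, not part of the original bulletin or of PaperCut's tooling; the log format, the function names, and the sample lines are constructed assumptions, and it also matches percent-encoded forms of the same path.

```shell
#!/bin/sh
# Added example, not from the original bulletin.
# Finds access-log lines whose request path has the shape used by the check
# command: /custom-report-example/ followed by "..\" (raw or percent-encoded).
# Assumption: one request per line, with the status code after the quoted request.

# Print matching lines from the given files, or from stdin when none are given.
find_traversal_requests() {
    grep -iE '/custom-report-example/(\.|%2e){2}(\\|%5c)' "$@"
}

# Number of matching requests.
count_traversal_requests() {
    find_traversal_requests "$@" | wc -l | tr -d ' '
}

# Number of matching requests answered with 200, the response the bulletin
# treats as "needs patching". grep -c exits 1 on zero matches, hence "|| true".
count_served_traversal() {
    find_traversal_requests "$@" | grep -cE '" 200( |$)' || true
}

# Constructed sample lines (documentation IP ranges, not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [05/Aug/2023:10:12:01 +0000] "GET /custom-report-example/..\..\..\deployment\sharp\icons\home-app.png HTTP/1.1" 200 1432
203.0.113.7 - - [05/Aug/2023:10:12:05 +0000] "GET /custom-report-example/..%5C..%5C..%5Cdeployment%5Csharp%5Cicons%5Chome-app.png HTTP/1.1" 404 0
198.51.100.20 - - [05/Aug/2023:10:13:40 +0000] "GET /custom-report-example/report.html HTTP/1.1" 200 5120
198.51.100.20 - - [05/Aug/2023:10:14:02 +0000] "GET /index.html HTTP/1.1" 200 8841
EOF
}

# Scan the files named on the command line; with no arguments, scan the sample.
if [ "$#" -gt 0 ]; then
    find_traversal_requests "$@" || echo "no matching requests" >&2
else
    sample_log | find_traversal_requests
fi
```

A matching line with a 200 status means the server answered the traversal request the same way the check command expects from an unpatched Windows server, so that host should be prioritized for upgrade and review.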

Workaround (Optional)

If upgrading to the patched PaperCut MF/NG versions is not possible, this vulnerability can be mitigated by configuring an allowlist of device IP addresses permitted to communicate with the PaperCut Server. Further instructions can be found in the “IP Address Allow-listing” section of PaperCut’s NG/MF server hardening guidance.
