CVE-2023-39143: Critical Remote Code Execution Vulnerability in PaperCut Print Management Server

Share :

On August 4, 2023, security researchers published a blog detailing a critical remote code (RCE) vulnerability in PaperCut NG/MF print management servers (CVE-2023-39143: CVSS 8.4). CVE-2023-39143 could allow unauthenticated threat actors to read, delete, and upload arbitrary files on compromised systems, which results in RCE. Additionally, this vulnerability does not require user interaction.

PaperCut released a patch to fix this vulnerability on July 25, 2023, after the security researchers responsibly disclosed the vulnerability to PaperCut on May 30, 2023.

Arctic Wolf has not observed a public Proof of Concept (PoC) published or any active exploitation. However, we assess that threat actors are likely to develop exploits for this vulnerability due to the prevalence of PaperCut print management servers and level of access a threat actor can achieve via exploitation.

Note: Only PaperCut servers running on Windows are affected. 

CVE-2023-39143 Recommendation: Upgrade PaperCut Application Servers to a Fixed Version

We strongly recommend upgrading PaperCut NG and PaperCut MF to 22.1.3 or later.

Product Impacted Version Patched Version
PaperCut NG (Windows platforms only) Versions prior to 22.1.3 Version 22.1.3 or later
PaperCut MF (Windows platforms only) Versions prior to 22.1.3 Version 22.1.3 or later
Application servers are impacted. Site servers, secondary servers (Print Providers), and Direct Print Monitors (Print Providers) are not impacted.

 

The following command can be used to check if a server is vulnerable to CVE-2023-39143 and is running Windows, with a 200-response indicating the server needs patching:

curl -w “%{http_code}” -k –path-as-is

https://:/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png

Workaround (Optional)

If upgrading to the patched PaperCut MF/NG versions is not possible, this vulnerability can be mitigated by configuring an allowlist of device IP addresses permitted to communicate with the PaperCut Server. Further instructions can be found in the “IP Address Allow-listing” section of PaperCut’s NG/MF server hardening guidance.

References

Andres Ramos

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.
Share :
Table of Contents
Categories
Subscribe to our Monthly Newsletter