On August 4, 2023, security researchers published a blog post detailing a critical remote code execution (RCE) vulnerability in PaperCut NG/MF print management servers (CVE-2023-39143: CVSS 8.4). CVE-2023-39143 could allow unauthenticated threat actors to read, delete, and upload arbitrary files on compromised systems, which results in RCE. Additionally, this vulnerability does not require user interaction.
PaperCut released a patch to fix this vulnerability on July 25, 2023, after the security researchers responsibly disclosed the vulnerability to PaperCut on May 30, 2023.
Arctic Wolf has not observed a public Proof of Concept (PoC) published or any active exploitation. However, we assess that threat actors are likely to develop exploits for this vulnerability due to the prevalence of PaperCut print management servers and the level of access a threat actor can achieve via exploitation.
Note: Only PaperCut servers running on Windows are affected.
CVE-2023-39143 Recommendation: Upgrade PaperCut Application Servers to a Fixed Version
We strongly recommend upgrading PaperCut NG and PaperCut MF to 22.1.3 or later.
| Product | Impacted Version | Patched Version |
|---|---|---|
| PaperCut NG (Windows platforms only) | Versions prior to 22.1.3 | Version 22.1.3 or later |
| PaperCut MF (Windows platforms only) | Versions prior to 22.1.3 | Version 22.1.3 or later |

Application servers are impacted. Site servers, secondary servers (Print Providers), and Direct Print Monitors (Print Providers) are not impacted.
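As an added example (not code from this advisory or from PaperCut), the following Python sketch triages an asset inventory against the scope stated above: PaperCut NG/MF, Windows only, Application Server role only, versions prior to 22.1.3. The record fields, role labels, hostnames, and build strings are constructed assumptions.

```python
import re

FIXED = (22, 1, 3)  # first patched release per the advisory table
AFFECTED_PRODUCTS = {"papercut ng", "papercut mf"}

def parse_version(text):
    """Leading dotted version as a 3-tuple: '22.0.9 (Build 1001)' -> (22, 0, 9)."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def triage(host):
    """Classify one inventory record against the advisory's scope."""
    if host["product"].strip().lower() not in AFFECTED_PRODUCTS:
        return "out of scope: not PaperCut NG/MF"
    if host["os"].strip().lower() != "windows":
        return "not affected: non-Windows platform"
    if host["role"].strip().lower() != "application server":
        return "not affected: role is not Application Server"
    try:
        version = parse_version(host["version"])
    except ValueError:
        # Never assume "patched" when the version cannot be read.
        return "unknown: verify version manually"
    if version < FIXED:
        return "AFFECTED: upgrade to 22.1.3 or later"
    return "patched"

def report(inventory):
    """Map each host name to its verdict."""
    return {h["name"]: triage(h) for h in inventory}

# Constructed sample inventory; hostnames and build strings are made up.
INVENTORY = [
    {"name": "print-app-01", "product": "PaperCut MF", "os": "Windows",
     "role": "Application Server", "version": "22.0.9 (Build 1001)"},
    {"name": "print-app-02", "product": "PaperCut NG", "os": "Windows",
     "role": "Application Server", "version": "22.1.3"},
    {"name": "print-app-03", "product": "PaperCut NG", "os": "Linux",
     "role": "Application Server", "version": "21.2.10"},
    {"name": "site-srv-01", "product": "PaperCut MF", "os": "Windows",
     "role": "Site Server", "version": "22.0.4"},
    {"name": "print-app-04", "product": "PaperCut NG", "os": "Windows",
     "role": "Application Server", "version": "unknown"},
]

if __name__ == "__main__":
    for name, verdict in report(INVENTORY).items():
        print(f"{name:14} {verdict}")
```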
The following command can be used to check if a server is vulnerable to CVE-2023-39143 and is running Windows, with a 200 response indicating the server needs patching (replace <IP> and <port> with the address and port of the server being checked):
curl -w "%{http_code}" -k --path-as-is "https://<IP>:<port>/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png"
Workaround (Optional)
If upgrading to the patched PaperCut MF/NG versions is not possible, this vulnerability can be mitigated by configuring an allowlist of device IP addresses permitted to communicate with the PaperCut Server. Further instructions can be found in the “IP Address Allow-listing” section of PaperCut’s NG/MF server hardening guidance.