Pierluigi Paganini
April 24, 2023
Hackers are actively exploiting PaperCut MF/NG print management software flaws (tracked as CVE-2023-27350 and CVE-2023-27351) in attacks in the wild.
The threat actors were observed installing the Atera remote management software to take over vulnerable servers.
On April 19th, Print management software provider PaperCut confirmed that it is aware of the active exploitation of the CVE-2023-27350 vulnerability.
The company received two vulnerability reports from the cybersecurity firm Trend Micro for high/critical severity security issues in PaperCut MF/NG. Trend Micro announced they will disclose further information (TBD) about the vulnerability on 10th May 2023.
The company addressed both vulnerabilities with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later, it highly recommends upgrading to one of these versions containing the fix
“We have evidence to suggest that unpatched servers are being exploited in the wild.” reads the advisory published by PaperCut. “PaperCut received our first report from a customer of suspicious activity on their PaperCut server on the 18th April at 03:30 AEST / 17th April 17:30 UTC. PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01:29 AEST / 13th April 15:29 UTC.”
The CVE-2023-27350 (CVSS score – 9.8) is a PaperCut MF/NG Improper Access Control Vulnerability. PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context of system.
The cybersecurity firm Horizon3 disclosed details of the flaw along with a PoC exploit code for CVE-2023-27350. The PoC code allows attackers to bypass authentication and execute code on vulnerable PaperCut servers.
“The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM.” reads the post published by Horizon3. “Comparing the vulnerable SetupCompleted class from v19.2.7 to the patched version in v21.2.11 with Meld, we see that if setup has already been completed, visiting this page will now redirect to the “Home” page – eliminating the session puzzling logic flaw.
Confirming the authentication bypass in the GUI, we browse to the page at http://10.0.40.56:9191/app?service=page/SetupComplete and click “Login”.
The experts published the full proof-of-concept exploit on GitHub.
“This POC uses an authentication bypass vulnerability chained with abuse of builtin scripting functionality to execute code.” reads the description on GitHub.
Horizon3 researchers also shared Indicators of Compromise (IoCs) for the attacks exploiting PaperCut issues.
Huntress researchers have observed post-exploitation activities within its partner environments after attackers exploited the above PaperCut MF/NG vulnerabilities.
Huntress security researcher Caleb Stewart also devised a proof-of-concept exploit for these threats, below is the video PoC shared by the company:
“From our recreated proof-of-concept, we observed child processes spawned underneath the pc-app.exe process. The screenshot below showcases a simple test of invoking PowerShell to call out to another location, demonstrating the achieved code execution.” reads the report published by Huntress.”
The researchers noticed that the domain hosting the tools employed in the attack, windowservicecemter[.]com, was registered on April 12, 2023. It is interesting to note that the domain was also hosting malware a variant of the TrueBot malware.
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, PaperCut)
