New PaperCut flaw in print management software exposes servers to RCE attacks

Pierluigi Paganini August 05, 2023

Researchers discovered a vulnerability in PaperCut NG/MF print management software that can lead to remote code execution.

Cybersecurity researchers at Horizon3 discovered a high-severity vulnerability, tracked as CVE-2023-39143 (CVSS score: 8.4), in PaperCut print management software for Windows.

An attacker can exploit the vulnerability to gain remote code execution under specific conditions.

The vulnerability CVE-2023-39143 is a path traversal that can allow attackers to read, delete, and upload arbitrary files. The vulnerability affects PaperCut NG/MF prior to version 22.1.3.

“CVE-2023-39143 enables unauthenticated attackers to potentially read, delete, and upload arbitrary files to the PaperCut MF/NG application server, resulting in remote code execution in certain configurations.” reads the advisory published by Horizon3. “In particular, the vulnerability affects PaperCut servers running on Windows. File upload leading to remote code execution is possible when the external device integration setting is enabled. This setting is on by default with certain installations of PaperCut, such as the PaperCut NG Commercial version or PaperCut MF.”

Horizon3 researchers estimate that most of the PaperCut installations are running on Windows with the external device integration setting turned on.

The issue was addressed with the release of PaperCut NG/MF patch version 22.1.3.

Below is the timeline for this issue:

  • May 30, 2023: Horizon3 sends initial disclosure to the PaperCut team
  • May 31, 2023: PaperCut acknowledges receipt of disclosure
  • June 5, 2023: Horizon3 updates disclosure to include impact of remote code execution
  • June 8, 2023: PaperCut confirms it is able to validate findings in disclosure
  • June/July 2023: Horizon3/PaperCut work together to test interim builds and coordinate disclosure
  • July 24, 2023: Horizon3 reserves CVE-2023-39143 with MITRE
  • July 25, 2023: PaperCut releases patch version 22.1.3
  • Aug. 4, 2023: This advisory

In April another actively exploited issue affecting PaperCut servers, tracked as CVE-2023-27350 (CVSS score: 9.8), made the headlines.

“Compared to CVE-2023-27350, CVE-2023-39143 also does not require attackers to have any prior privileges to exploit, and no user interaction is required.” continues Horizon3. “In contrast to CVE-2023-27350, CVE-2023-39143 is more complex to exploit, involving multiple issues that must be chained together to compromise a server. It is not a “one-shot” RCE vulnerability.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2023-39143)



you might also like

leave a comment