External risk intelligence

PaperCut MF/NG Authentication Bypass and Code Execution Advisory.

CVE advisory | Known Exploit

CVE-2023-27350

A vulnerability in PaperCut MF/NG software allows unauthorized access and code execution. This impacts organizations by exposing systems to attackers who can bypass authentication, potentially leading to data breaches and further network compromise. The realistic business risk involves unauthorized control of print man

Halo Surface Signal: 4

PaperCut MF

Affected versions:

  • 8.0 to before 20.1.7
  • 21.0.0 to before 21.2.11
  • 22.0.0 to before 22.0.9

External exposure likelihood

Halo Surface Signal score for CVE-2023-27350

PaperCut NG and MF are commonly deployed print management solutions that often include web-based administrative interfaces or user portals accessible over the network. These applications frequently serve as centralized management services within enterprise environments, making them common targets for network-reachable exposure.

Horizon Alert

Summary of the vulnerability and why it matters

The vulnerability impacts PaperCut NG and MF software. A flaw in the setup process allows attackers to bypass authentication. This could enable unauthorized access and the execution of malicious code on affected systems.

  • Vulnerable PaperCut software
  • Flaw allows authentication bypass
  • Potential for code execution

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability to bypass authentication and execute arbitrary code on affected systems. The bypass is possible because of an improper access control flaw within the SetupCompleted class. Authentication is not a prerequisite for leveraging the vulnerability: the attacker can gain system-level privileges and execute commands without authorization.

  • External network exposure required.
  • Unauthenticated attacker gains access.
  • Trigger bypass and execute code.

Live Threat

Current exploitation, exposure, and threat context

The PaperCut MF and NG software, used for print management, has a critical vulnerability that allows unauthenticated remote attackers to bypass security controls and execute arbitrary code on affected systems. This means attackers do not need any credentials or special access to exploit this flaw. The vulnerability has been actively exploited in the wild, with evidence of its use dating back to April 2023. Threat actors have used this vulnerability to deploy ransomware, conduct data theft, and gain further access to victim networks. Given the ease of exploitation, the critical severity, and confirmed real-world attacks, this vulnerability presents a significant and urgent risk to organizations running affected versions of PaperCut.

  • Likely attacker skill level: Low
  • Required access or conditions: None, remote access
  • Business risk or urgency: Critical, urgent patching required

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The identified vulnerability allows for authentication bypass and arbitrary code execution on affected PaperCut NG and MF installations. This presents a significant risk to organizations, potentially leading to unauthorized system access and control. Addressing this vulnerability is critical to maintaining the security and integrity of systems managing print operations.

  • Find PaperCut installations.
  • Isolate exposed systems.
  • Update software and verify.
  • Monitor for related activity.
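
A version triage helper to support the "Find" and "Update and verify" steps above (an added example, not vendor code). It encodes the three affected ranges listed in this advisory as inclusive-lower/exclusive-upper bounds and classifies a constructed host inventory; the inventory values and the build-suffix format are assumptions.

```python
"""Check PaperCut NG/MF version strings against the CVE-2023-27350 affected ranges.

Added example, not PaperCut's own code. Ranges come from this advisory:
8.0 up to (not including) 20.1.7, 21.0.0 up to 21.2.11, 22.0.0 up to 22.0.9.
"""
import re

# (inclusive lower bound, exclusive upper bound) per the advisory
AFFECTED_RANGES = (
    ((8, 0, 0), (20, 1, 7)),
    ((21, 0, 0), (21, 2, 11)),
    ((22, 0, 0), (22, 0, 9)),
)


def parse_version(text):
    """Return the leading dotted-numeric part of a version string as a 3-tuple.

    Tolerates trailing build info such as '22.0.4 (Build 65200)' (assumed format)
    and pads short versions ('8.0' -> (8, 0, 0)) so tuple comparison works.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version_text):
    """True if the version falls inside any affected range (host needs patching)."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Map host -> 'PATCH' or 'ok' for a {host: version_string} inventory."""
    return {host: ("PATCH" if is_affected(ver) else "ok") for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up)
    sample = {
        "print01": "22.0.4 (Build 65200)",  # inside 22.0.0..22.0.9 -> PATCH
        "print02": "22.0.9",                 # first fixed 22.x build -> ok
        "print03": "20.1.6",                 # inside 8.0..20.1.7 -> PATCH
        "print04": "20.1.8",                 # between ranges -> ok
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Note that a version between two ranges (for example 20.1.8) is reported as not affected, matching the advisory's ranges exactly rather than a simple "below 22.0.9" rule.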

Frequently asked questions

What are PaperCut NG and MF, and what is their purpose in an organization?

PaperCut NG and MF are software solutions that let organizations manage and control printing activity. They track print usage, enforce printing policies, and reduce paper waste, and are commonly used in business and educational settings.

What type of weakness does CVE-2023-27350 represent, and how is it classified?

CVE-2023-27350 represents an improper access control weakness, classified under CWE-284. This classification indicates that the software fails to correctly restrict access to or modification of resources, potentially allowing unauthorized actions by attackers.

How can an attacker exploit CVE-2023-27350 to bypass authentication and execute code?

An attacker can exploit this vulnerability by leveraging an improper access control flaw within the SetupCompleted class. This flaw permits attackers to bypass authentication, even without prior access, and subsequently execute arbitrary code with system-level privileges.

What is the significance of CVE-2023-27350, and why is it considered a high-priority threat?

CVE-2023-27350 is significant due to its critical severity, allowing unauthenticated remote attackers to bypass security controls and execute arbitrary code. Its potential for exploitation is high, and it has been observed in active campaigns, leading to risks such as ransomware deployment and data theft. This makes it an urgent threat requiring immediate attention.

What steps should an organization take to respond to the CVE-2023-27350 vulnerability?

Organizations should identify all PaperCut installations, isolate any systems exposed to the network, update the software to a patched version as per vendor instructions, and then verify the updates. Continuous monitoring for any suspicious activity related to these systems is also recommended.

References

Cyber Threat Intelligence (CTI)

Sources: malpedia