Hackers are exploiting critical vulnerabilities in PaperCut MF and PaperCut NG

PaperCut MF vulnerabilities

Recently, two critical security vulnerabilities have been discovered in PaperCut MF and PaperCut NG software, which are currently being exploited in the wild. These vulnerabilities have been reported by Trend Micro, a leading cybersecurity company, and impact PaperCut MF/NG versions 8.0 and later on all operating systems.

Vulnerability 1: ZDI-CAN-18987 / PO-1216

This vulnerability allows an unauthenticated attacker to execute code remotely on a PaperCut Application Server or Site Server. It has been assigned a CVSS (Common Vulnerability Scoring System) score of 9.8, indicating a high level of severity.

Affected Components:

  • PaperCut MF/NG Application Servers and Site Servers.

Unaffected Components:

  • PaperCut MF/NG secondary servers (Print Providers)
  • PaperCut MF/NG Direct Print Monitors (Print Providers)
  • PaperCut Hive, PaperCut Pocket, Print Deploy, Mobility Print, and PaperCut User Client software.

Recommended Action: Upgrade all Application Servers and Site Servers to PaperCut MF/NG versions 20.1.7, 21.2.11, or 22.0.9 and later to address this vulnerability.

Vulnerability 2: ZDI-CAN-19226 / PO-1219

This vulnerability allows an unauthenticated attacker to potentially access sensitive user information stored within PaperCut MF or NG, such as usernames, full names, email addresses, office/department info, and card numbers. Additionally, the attacker may retrieve hashed passwords for internally created PaperCut users. However, password hashes for users synced from directory sources like Microsoft 365, Google Workspace, and Active Directory remain unaffected. This vulnerability has not been observed being exploited, but it is still essential to address it.

This vulnerability has been assigned a CVSS score of 8.2, indicating a high level of severity.

Affected Components:

  • PaperCut MF/NG Application Servers.

Unaffected Components:

  • PaperCut MF/NG secondary servers (Print Providers)
  • PaperCut MF/NG Direct Print Monitors (Print Providers)
  • PaperCut MF/NG Site Servers, PaperCut Hive, PaperCut Pocket, Print Deploy, Mobility Print, and PaperCut User Client software.

Recommended Action: Upgrade all Application Servers to PaperCut MF/NG versions 20.1.7, 21.2.11, or 22.0.9 and later to address this vulnerability. Although Site Servers are not impacted, they should be upgraded to match the Application Server version.
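
To apply the two recommended actions across an inventory, the following added example (not PaperCut or Trend Micro code) checks a server's role and version against the fixed builds and component lists given above. The role names, hostnames and sample versions are constructed, and it assumes conservatively that any affected branch without a listed fix needs an upgrade.

```python
import re

# First fixed patch level per branch, as listed in the recommended actions.
FIXED = {(20, 1): 7, (21, 2): 11, (22, 0): 9}
FIRST_AFFECTED = (8, 0)      # "versions 8.0 and later"
NEWEST_FIXED = (22, 0, 9)    # anything newer counts as "and later"

# Server roles each issue affects, per the article's component lists.
# Role names are labels made up for this example.
ISSUES = {
    "ZDI-CAN-18987 / PO-1216": {"application_server", "site_server"},
    "ZDI-CAN-19226 / PO-1219": {"application_server"},
}

def parse_version(text):
    """Read leading 'major.minor[.patch]'; trailing build text is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def needs_upgrade(version):
    """True if the version is in the affected range and below a fixed build."""
    v = parse_version(version)
    if v[:2] < FIRST_AFFECTED:
        return False                     # outside the affected range
    if v[:2] in FIXED:
        return v[2] < FIXED[v[:2]]       # same branch: compare patch level
    # Assumption: a branch with no listed fix is safe only if newer than 22.0.9.
    return v <= NEWEST_FIXED

def exposure(role, version):
    """Return the issue IDs that apply to this role at this version."""
    if not needs_upgrade(version):
        return []
    return [issue for issue, roles in ISSUES.items() if role in roles]

# Constructed inventory: (hostname, role, installed version).
INVENTORY = [
    ("print-app-01", "application_server", "22.0.8"),
    ("print-site-01", "site_server", "21.2.10"),
    ("print-app-02", "application_server", "21.2.11"),
    ("print-prov-01", "secondary_server", "19.2.7"),
]

if __name__ == "__main__":
    for host, role, version in INVENTORY:
        hits = exposure(role, version)
        print(f"{host:14} {role:19} {version:8} {', '.join(hits) or 'no action listed'}")
```

A Site Server that reports only the first issue should still be upgraded to match its Application Server version, as the recommended action above states.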

Detecting Exploitation

There is currently no foolproof way to determine if your server has been exploited. We recommend reviewing server access logs and virus and malware scanner results, and checking for suspicious activity within the PaperCut admin interface. If you suspect that your server has been compromised, we recommend taking server backups, wiping the Application Server, and rebuilding from a ‘safe’ backup point.

Advice

The security of your print management infrastructure is crucial to protect sensitive data and ensure the smooth operation of your organization’s printing processes. To address these critical vulnerabilities, we strongly recommend upgrading to the latest versions of PaperCut MF and PaperCut NG software. Stay vigilant and proactive in maintaining the security of your systems, and stay tuned for updates from PaperCut and Trend Micro as more information becomes available. Trend Micro has also advised they will disclose further information (TBD) about the vulnerability on 10th May 2023.