PoC exploit for abused PaperCut flaw is now public (CVE-2023-27350)

An unauthenticated RCE flaw (CVE-2023-27350) in widely-used PaperCut MF and NG print management software is being exploited by attackers to take over vulnerable application servers, and now there’s a public PoC exploit.

About the vulnerability

According to PaperCut, the attacks seem to have started on April 14, 2023 – a month and a week after the software maker released new PaperCut MF and NG versions that fixed CVE-2023-27350 and CVE-2023–27351, an unauthenticated information disclosure flaw that could allow attackers to access sensitive user information (usernames, email addresses, office/department information, and card numbers) without authentication.

On that same day, Trend Micro’s Zero Day Initiative (ZDI) – the vulnerability bug bounty program through which the two flaws were reported – published advisories for CVE-2023-27350 and CVE-2023-27351.

Both PaperCut and ZDI refrained from publishing in-depth technical details about the vulnerabilities. They just noted that:

• CVE-2023-27350 exists within the SetupCompleted class, stems from improper access control, and can result in an authentication bypass and remote code execution on vulnerable installations
• CVE-2023-27351 exists within the SecurityRequestFilter class, stems from an improper implementation of the authentication algorithm, and can result in an authentication bypass and disclosure of sensitive information

PaperCut says CVE-2023-27350 is being exploited but that they currently have no evidence that CVE-2023-27351 is.

CVE-2023-27350 affects PaperCut MF or NG version 8.0 or later (on all OS platforms); CVE-2023–27351 affects PaperCut MF or NG version 15.0 or later (on all OS platforms).

Users are advised to upgrade all Application Servers and Site Servers to PaperCut MF and NG versions 20.1.7, 21.2.11 or 22.0.9, which include a fix for both vulnerabilities. If updating is impossible, they should lock down network access to the servers by blocking all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default).

“The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. In addition to our email and in-app announcements to all customers, we’ve been using this list to proactively reach out to potentially exposed customers via multiple means,” the company said.

“If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding the Application Server and restoring the database from a ‘safe’ backup point prior to when you discovered any suspicious behavior.”

A PoC for CVE-2023-27350 is available

Huntress researchers have shared on Friday that there are some 1,800 publicly exposed PaperCut servers that can be reached via port 9191, and that vulnerable servers are being exploited and have Atera and/or Syncro remote management and maintenance software installed on them, allowing attackers to achieve persistent remote access and code execution capabilities.

Another file that gets downloaded is a variant of the Truebot malware.

“Truebot is linked to an entity known as Silence, which in turn has historical links with the ransomware-related entity TA505 (or Clop). In the previous Truebot investigation, TA505 later claimed responsibility for using exploitation of GoAnywhere software as a precursor to ransomware,” the researchers noted.

“While the ultimate goal of the current activity leveraging PaperCut’s software is unknown, these links (albeit somewhat circumstantial) to a known ransomware entity are concerning. Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment.”

They have shared indicators of compromise admins can use to determine if attackers have breached their servers and installed malware on them, as well as risk mitigation advice.

On Monday, Horizon3.ai published a post detailling their analysis of the advisory and patch, as well as how they built a proof-of-concept exploit (PoC) for CVE-2023-27350. We can expect other attackers to make use of the published information and PoC to mount successful attacks.