Horizon3.ai researchers have published some details (but no PoC for now, thankfully!) about CVE-2023-39143, two vulnerabilities in PaperCut application servers that could be exploited by unauthenticated attackers to execute code remotely.
“CVE-2023-39143 is more complex to exploit, involving multiple issues that must be chained together to compromise a server,” they pointed out.
PaperCut NG and MF are widely used print management server software solutions.
CVE-2023-39143 are path traversal vulnerabilities in PaperCut NG and PaperCut MF versions released before v22.1.3, which could be used to read, delete, and upload arbitrary files to a vulnerable application server.
“The vulnerability affects PaperCut servers running on Windows. File upload leading to remote code execution is possible when the external device integration setting is enabled. This setting is on by default with certain installations of PaperCut, such as the PaperCut NG Commercial version or PaperCut MF,” the researchers shared.
Mitigating the risk of exploitation
CVE-2023-39143 has been fixed in late July, with the release of PaperCut NG and PaperCut MF 22.1.3.
That particular release also plugged a potential DoS vulnerability (CVE-2023-3486) flagged by Tenable researchers and an escalation of privileges issue (currently without CVE) found by Trend Micro researchers in a third-party dependency used by PaperCut.
Other security improvements were made as a result of code audits, pen tests and security reviews, the company added, and urged customers to plan an upgrade to this release.
Horizon3.ai researchers have shared commands customers can use to check whether their PaperCut server needs upgrading.
Since direct server IP access is required to exploit CVE-2023-39143, the risk of exploitation can also be mitigated by setting up an allowlist and populating it with device IP addresses that are permitted to communicate with the server. (That’s generally a good idea, even if you regularly update your PaperCut servers.)
“We are not releasing further details at this time to provide users adequate time to upgrade,” Horizon3.ai’s Naveen Sunkavally concluded.