Security researchers have revealed new details about how attackers are exploiting two flaws in the PaperCut enterprise print management system — used by more than 100 million customers worldwide — to bypass authentication and execute remote code. The flaws once again highlight the risk that enterprise printers and related systems, an often overlooked threat, pose to the overall security of organizations.

Researchers from PaperCut as well as security companies already have warned that attackers are exploiting the vulnerabilities — patched by PaperCut in a March 8 update to its PaperCut MF and NG products — to take over unpatched versions of the software. Moreover, the Cybersecurity and Infrastructure Security Agency (CISA) added the flaws to its catalog of known exploited vulnerabilities on April 21.

The Zero Day Initiative tracks the flaws as ZDI-CAN-18987 and ZDI-CAN-19226; they also are being tracked as CVE-2023-27350 and CVE-2023-27351, respectively, by NIST's National Vulnerability Database. The flaws affect PaperCut MF and NG version 8.0 and later, on all OS platforms, according to PaperCut.

Researchers at Horizon3.ai released proof-of-concept exploit code for CVE-2023-27350 — the more dangerous of the two bugs with a CVSS rating of 9.8 versus its companion flaw's rating of 8.2 — on Monday.

Abusing CVE-2023-27350

The Horizon3.ai team also included a technical analysis of how attackers are abusing "the built-in 'Scripting' functionality for printers" to abuse the RCE exploit. The Device Scripting page of the system enables the administrator to develop hooks to customize printing across the enterprise using JavaScript-based scripts and executed in the context of the PrintCut service, which on Windows runs as NT AUTHORITY\SYSTEM, researchers explained.

Though PaperCut's Web application's use of dynamic form fields based on the last request made developing a script to interact with the site less straightforward, they demonstrate how they were able to do so in a proof-of-concept exploit they released on GitHub.

CVE-2023-27350 exists within the SetupCompleted class and results from improper access control, according to its listing on the Zero Day Initiative website.

"An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM," according to the listing.

Meanwhile, CVE-2023-27351, also an authentication-bypass RCE bug affecting PaperCut NG, exists within the SecurityRequestFilter class as a result of improper implementation of the authentication algorithm, according to its listing on the Zero Day Initiative website.

Uncovering the PaperCut Bugs

Horizon3.ai's detailed analysis follows a warning by PaperCut on April 19 that the flaws found in PaperCut NG were under active attack, urging organizations to update to the latest version of the product.

The company said in an advisory that it received its first report from a customer of suspicious activity on their PaperCut server on April 17, though later analysis revealed that the activity may have started as soon as April 13.

Researchers from Trend Micro originally reported the issues to PaperCut, which has credited Piotr Bazydlo (@chudypb) for discovering CVE-2023-27351 and an anonymous researcher for discovering CVE-2023-27350.

PaperCut also acknowledged a security research team from security management firm Huntress — including Joe Slowik, Caleb Stewart, Stuart Ashenbrenner, John Hammond, Jason Phelps, Sharon Martin, Kris Luzadre, Matt Anderson, and Dave Kleinatland — for aiding the company's investigation of the flaws.

On April 21, the Huntress researchers revealed that attackers were exploiting the vulnerabilities to take over compromised servers using both the legitimate Atera and Syncro remote management and maintenance software tools.

"Based on preliminary analysis, both appear to be legitimate copies of these products and do not possess any built-in or added malicious capability," the Huntress researchers wrote.

While the threats are split into two CVEs, they both "ultimately rely on an authentication bypass that leads to further compromise as an administrative user within the PaperCut Application Server," the researchers wrote.

Once a threat actor uses a flaw or both flaws to bypass authentication, he or she "may then execute arbitrary code on the server running in the context of the NT AUTHORITY\SYSTEM account," the researchers wrote.

Huntress researchers also observed post-exploitation evidence in the form of a Truebot payload installation that suggest exploitation of the PaperCut flaws could be a precursor to future Clop ransomware activity based on previous investigation of similar activity, according to Huntress.

Huntress security researcher Caleb Stewart also recreated a proof-of-concept exploit to demonstrate how CVE-2023-27350 could be exploited, a video of which is included in the post.

Who's at Cyber-Risk

PaperCut MF is print management software to support various devices and manage print configurations for printing across an enterprise network. PaperCut NG is companion software for detailed print-job tracking and reporting aimed at helping organizations cut printing paper waste.

The PaperCut print management system has more than a hundred million users in organizations worldwide to help companies minimize waste and facilitate printing across the enterprise, according to PaperCut. In the United States, state, local, and education (SLED) environments are among the typical organizations using the software.

A Shodan query for http.html:"papercut" http.html:"print" showed approximately 1,700 Internet exposed PaperCut servers, with education customers comprising 450 of those results, according to Horizon3.ai.

In its protected environments, Huntress researchers reported observing 1,014 total Windows hosts with PaperCut installed, with 9087 of those hosts spread across 710 distinct organizations vulnerable to exploit, they said.

Only three total macOS hosts, two of which were vulnerable, had PaperCut installed in the environments they observed, the researchers added, noting that they sent incident reports to all customers affected and recommended updates.

Detection and Mitigation

PaperCut included a list of indicators of compromise for its customers in its advisory and advised them to upgrade, assuring that there "should be no negative impact" from applying the security fixes.

However, if a customer can't upgrade to the latest version — which could be true particularly with an older application version — the company recommended that customers lock down network access to the affected server.

To do this, they can lock all inbound traffic from external IPs to the Web management port (port 9191 and 9192 by default) and block all traffic inbound to the Web management portal on the firewall to the server.

To mitigate CVE-2023-27351, customers also can apply "Allow list" restrictions to the server found under the Options > Advanced > Security > Allowed site server IP addresses by setting it to only allow the IP addresses of verified Site Servers on their networks, according to PaperCut.