19/04/2023

Critical and High Vulnerabilities in PaperCut – Actively Exploited

Summary:

As reported by Jisc, one of our trusted support partners, two vulnerabilities have been identified in the PaperCut MF and PaperCut NG print management products. ZDI-CAN-18987 allows an attacker to bypass authentication on a vulnerable PaperCut Application Server, and it can be exploited remotely.

ZDI-CAN-19226 may allow an unauthenticated attacker, under certain circumstances, to retrieve information about users stored within PaperCut MF or NG. This information includes usernames, full names, email addresses, office/department details and any card numbers associated with a user. The attacker can also retrieve the hashed passwords of internal (PaperCut-created) users only. Note: this does not include password hashes for users synchronised from directory sources such as M365, Google Workspace or Active Directory. This vulnerability can be exploited remotely and without logging in.

Vulnerable Versions:

ZDI-CAN-18987 / PO-1216 (CVSS 9.8):
PaperCut MF or NG version 8.0 or later, on all OS platforms

Application Servers and Site Servers are impacted.

ZDI-CAN-19226 / PO-1219 (CVSS 8.2):
PaperCut MF or NG version 15.0 or later, on all OS platforms

Application Servers are impacted.

Recommendation(s):

Upgrade PaperCut Application Servers (and Site Servers) to the latest fixed release.
Both vulnerabilities are fixed in PaperCut MF and PaperCut NG 20.1.7, 21.2.11 and 22.0.9, and in later releases. Servers running any earlier release, or a release on a branch other than those three, should be upgraded to one of these releases or newer.
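As an added worked example (not part of this advisory and not PaperCut's own tooling), the following Python script applies the version ranges above to a version string as displayed by the Application Server's admin web interface or recorded in a fleet inventory, and reports which of the two issues a given server is still exposed to. It assumes that "and later" means later patch releases within the three named branches plus any newer branch than 22.0, and it conservatively treats branches the advisory does not name (for example 21.0.x or 21.1.x) as unpatched. The sample version strings at the bottom are constructed.

```python
"""Classify a PaperCut MF/NG version against the ranges in this advisory.

Added example; not PaperCut's code and not part of the original advisory.
Assumption: the three fixed releases, later patch releases in those same
branches, and any branch newer than 22.0 carry the fix. Branches the
advisory does not name (e.g. 21.0.x, 21.1.x) are treated as unpatched,
which is the conservative reading.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed releases named in the advisory, one per maintained branch.
FIXED_RELEASES: tuple[tuple[int, int, int], ...] = ((20, 1, 7), (21, 2, 11), (22, 0, 9))

# First affected release per issue, from the "Vulnerable Versions" section.
FIRST_AFFECTED: dict[str, tuple[int, int, int]] = {
    "ZDI-CAN-18987": (8, 0, 0),   # authentication bypass, CVSS 9.8
    "ZDI-CAN-19226": (15, 0, 0),  # unauthenticated user-data disclosure, CVSS 8.2
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '21.2.10' or '22.0.9 (Build 65583)' into a comparable (major, minor, patch) tuple.

    A missing patch number is read as 0. Build numbers and trailing text are ignored.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised PaperCut version string: {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_patched(version: tuple[int, int, int]) -> bool:
    """True when the release is one of the fixed releases or later (see module docstring)."""
    newest_fixed_branch = max(FIXED_RELEASES)[:2]
    if version[:2] > newest_fixed_branch:        # e.g. 22.1.x or 23.x: newer than every fixed branch
        return True
    # Same branch as a fixed release, at or above the fixed patch level.
    return any(version[:2] == fix[:2] and version >= fix for fix in FIXED_RELEASES)


@dataclass
class Assessment:
    version: tuple[int, int, int]
    patched: bool
    exposed: dict[str, bool]   # ZDI identifier -> still exposed to that issue

    def needs_upgrade(self) -> bool:
        return any(self.exposed.values())


def assess(version_text: str) -> Assessment:
    """Work out which of the two issues a server on the given version is exposed to."""
    version = parse_version(version_text)
    patched = is_patched(version)
    exposed = {
        zdi: (version >= first_affected and not patched)
        for zdi, first_affected in FIRST_AFFECTED.items()
    }
    return Assessment(version, patched, exposed)


if __name__ == "__main__":
    # Constructed sample version strings, as they might appear in a fleet inventory.
    samples = ["7.5.2", "14.3.0", "19.2.4", "21.1.3", "21.2.10", "21.2.11",
               "22.0.12", "22.1.1 (Build 66000)"]
    for sample in samples:
        a = assess(sample)
        exposed_to = ", ".join(z for z, hit in a.exposed.items() if hit) or "none"
        action = "UPGRADE" if a.needs_upgrade() else "ok"
        print(f"{sample:<24} patched={a.patched!s:<5} exposed to: {exposed_to:<28} -> {action}")
```

Note that a server on 21.1.3 is flagged for upgrade even though 21.1.3 is numerically above 20.1.7: the fix is delivered per branch, so the only safe reading of the advisory is that an unnamed branch has not received it.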

If you believe your server has been compromised, isolate the Application Server, preserve its logs and a copy of its disk for investigation, then wipe it and rebuild from a backup taken before the earliest identified compromise activity. Apply the fixed PaperCut release to the rebuilt server before reconnecting it to the network: a backup from before the compromise still contains the vulnerable version.

Jisc CSIRT is now aware of multiple attempts to exploit these vulnerabilities, including at least one successful exploitation that led to compromise. Do not hesitate to contact Jisc CSIRT if your environment is at risk and you would benefit from incident response support.

Questions:

If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk
