
Multiple Vulnerabilities in PaperCut MF/NG Servers

PaperCut has released a security update to address multiple vulnerabilities in PaperCut MF/NG Servers, three of which are high severity.


Summary

PaperCut has released a security update to address multiple vulnerabilities in PaperCut MF/NG Servers, three of which are high severity.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

PaperCut has released a security update to address multiple vulnerabilities in PaperCut MF/NG Application Servers and Site Servers, including three high severity ones. PaperCut MF/NG is a comprehensive print management system.

The vulnerability designated CVE-2024-1222, with a CVSSv3 score of 8.6, could potentially allow privilege escalation on PaperCut NG/MF servers. Exploitation relies on a maliciously formed API request against a misconfigured API endpoint, and only a small subset of PaperCut NG/MF API endpoints is affected.

A second vulnerability, designated CVE-2024-1654 with a CVSSv3 score of 7.2, potentially allows an attacker who already has authenticated access to the admin console to carry out unauthorised write operations, which may lead to remote code execution. Exploiting this vulnerability requires information that is only available to admin users.

The third vulnerability, which is designated CVE-2024-1882 and has a CVSSv3 score of 7.2, allows an attacker who already has authenticated access to the admin console to execute code on the PaperCut Application Server in the context of SYSTEM (Windows) or the PaperCut user (macOS/Linux). This vulnerability only applies to organisations that have installed the Job Ticketing module (not installed by default).

A further four vulnerabilities, rated medium severity or below, are also addressed by this advisory: a Server-Side Request Forgery (SSRF) vulnerability, a reflected cross-site scripting vulnerability, incorrect authorisation controls, and improper access controls.

Previous exploitation of vulnerabilities in PaperCut MF/NG Server

Note: PaperCut MF/NG Server vulnerabilities have previously been targeted by cyber criminals. Affected organisations are encouraged to update to fixed versions as soon as practicable.


Remediation advice

Affected organisations are encouraged to review the PaperCut NG/MF Security Bulletin and apply the relevant security updates.



CVE Vulnerabilities

Last edited: 14 March 2024 4:59 pm