PaperCut Unauthenticated Remote Code Execution (RCE) Vulnerability (CVE-2023-39143)

Dark Lab on Aug 08 2023
CVE-2023-39143 refers to two path traversal vulnerabilities that may be chained together by malicious actors to read and write arbitrary files. Successful exploitation enables an unauthenticated attacker to read, delete, and upload arbitrary files to the PaperCut MF/NG server to achieve RCE in certain configurations.

The vulnerability only affects PaperCut servers running on Windows. Exploitation is conditional: the attacker must have direct network access to the server's IP address, and RCE via file upload is only possible when the external device integration setting is enabled. This setting is enabled by default on certain installations of PaperCut (e.g. the PaperCut NG Commercial version or PaperCut MF).

Whilst CVE-2023-39143 has not been observed to be exploited in the wild as of the time of writing, we observed mass exploitation of a similar unauthenticated RCE vulnerability, CVE-2023-27350, in April 2023, which was weaponised by opportunistic ransomware groups (e.g. Cl0p, LockBit, Bl00dy ransomware) as well as multiple advanced persistent threat (APT) actors.

The vendor has released a patch to remediate CVE-2023-39143. A temporary workaround until the patch can be applied is to configure an allowlist of device IP addresses that are allowed to communicate with your Internet-facing PaperCut server.

https://www.papercut.com/kb/Main/SecureYourPaperCutServer/

https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/

https://www.rapid7.com/blog/post/2023/05/17/etr-cve-2023-27350-ongoing-exploitation-of-papercut-remote-code-execution-vulnerability/