Print management software developer PaperCut is warning customers to update their software immediately, as hackers are actively exploiting flaws to gain access to vulnerable servers.
PaperCut makes printing management software compatible with all major brands and platforms. It is used by large companies, state organizations, and education institutes, while the official website claims it serves hundreds of millions of people from over 100 countries.
The company says it received two reports from cybersecurity expert Trend Micro on January 10th, 2023, informing the company of two high and critical severity flaws impacting PaperCut MF/NG.
The two flaws are:
- ZDI-CAN-18987 / PO-1216: Unauthenticated remote code execution flaw impacting all PaperCut MF or NG versions 8.0 or later on all OS platforms, for both application and site servers. (CVSS v3.1 score: 9.8 – critical)
- ZDI-CAN-19226 / PO-1219: Unauthenticated information disclosure flaw impacting all PaperCut MF or NG versions 15.0 or later on all OS platforms for application servers. (CVSS v3.1 score: 8.2 – high)
Today, the software developer updated its March 2023 security bulletin to warn customers that the vulnerabilities are now actively exploited by hackers.
“As of 18th April, 2023 we have evidence to suggest that unpatched servers are being exploited in the wild, (particularly ZDI-CAN-18987 / PO-1216),” reads the advisory.
“As a precaution, we are not able to reveal too much about these vulnerabilities.”
Users of impacted versions are recommended to upgrade to PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9 and later. For more instructions on how to upgrade the products, check this guide.
Versions older than 19 have reached their “end of life” and are no longer supported, so PaperCut will not offer security updates for those releases. PaperCut recommends companies purchase an updated license if they use an older, unsupported version.
PaperCut has no mitigation for the first flaw, while the second can be mitigated by applying “Allow list” restrictions under “Options > Advanced > Security > Allowed site server IP addresses” and setting this only to allow the IP addresses of verified Site Servers on your network.
Check for compromised servers
PaperCut says there’s no way to determine with 100% certainty if a server has been breached but recommends that admins take the following steps to investigate:
- Look for suspicious activity in Logs > Application Log, within the PaperCut admin interface.
- Keep an eye out, in particular, for any updates from a user called [setup wizard].
- Look for new (suspicious) users being created or other configuration keys being tampered with.
- If your Application Server server logs are in debug mode, check to see if there are lines mentioning SetupCompleted at a time not correlating with the server installation or upgrade. Server logs can be found e.g. in [app-path]/server/logs/*.* where server.log is normally the most recent log file.
It is essential to underline that while the above might reveal malicious activity, it’s possible that attackers removed traces of their activities from logs.
Therefore, admins who suspect their servers were compromised are advised to take backups, wipe the Application Server, and rebuild everything from a safe backup point.