The recently discovered critical security vulnerability in PaperCut's NG/MF print management software, tracked as CVE-2023-39143 (NVD), has brought attention to the risks posed by unpatched Windows servers. The flaw allows unauthenticated attackers to execute code remotely, which makes it a serious security concern. The bug was originally discovered and reported by Horizon3; you can read their report here.

The vulnerability is a result of two path traversal weaknesses, which allow threat actors to read, delete, and upload arbitrary files on compromised systems. These attacks are of low complexity and do not require user interaction, making them particularly dangerous. The flaw primarily impacts servers in non-default configurations where the external device integration setting is enabled, a setting reportedly active on most Windows PaperCut servers.

Previous PaperCut Vulnerabilities and Threat Actor Profiles

Earlier this year, PaperCut servers were targeted by several ransomware gangs exploiting another critical unauthenticated RCE vulnerability, CVE-2023-27350 (NVD), and a high-severity information disclosure flaw, CVE-2023-27351 (NVD). These vulnerabilities were actively exploited, leading to urgent calls for server upgrades.

The ransomware gangs involved included Clop and LockBit, both known for their aggressive tactics and data theft operations. They leveraged the ‘Print Archiving’ feature of PaperCut printing servers to steal corporate data from compromised systems.

Additionally, Iranian state-backed hacking groups, Muddywater and APT35, were also involved in these attacks. These groups are known for their sophisticated tactics and persistent threats, often targeting critical infrastructure and high-value targets.

Verifying if your system(s) are vulnerable

You can verify if your system is vulnerable by using the following command: curl -w "%{http_code}" -k --path-as-is "https://<IP>:<port>/custom-report-example/..\\..\\..\\deployment\\sharp\\icons\\home-app.png". A 200 response indicates the server needs patching.
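As an added defender-side example (not from the original article, Horizon3 or PaperCut), the following Python scans web-server access-log lines for path traversal attempts aimed at the same endpoint the check above uses, folding backslashes and percent-encoding so every spelling of the traversal is caught. The log lines are constructed samples in Common Log Format; the endpoint prefix and the verdict wording are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format), not real PaperCut logs.
# Line 2 is the check request from the article as a server would record it;
# line 3 is the same path percent-encoded; line 4 is a benign request to the
# same endpoint; line 5 is a double-encoded attempt that the server rejected.
SAMPLE_LOG = r"""10.0.0.5 - - [07/Aug/2023:10:01:02 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 5120
10.0.0.9 - - [07/Aug/2023:10:01:09 +0000] "GET /custom-report-example/..\..\..\deployment\sharp\icons\home-app.png HTTP/1.1" 200 1337
10.0.0.9 - - [07/Aug/2023:10:01:10 +0000] "GET /custom-report-example/%2e%2e%5c%2e%2e%5c%2e%2e%5cdeployment%5csharp%5cicons%5chome-app.png HTTP/1.1" 200 1337
10.0.0.7 - - [07/Aug/2023:10:02:00 +0000] "GET /custom-report-example/report.html HTTP/1.1" 200 2048
10.0.0.9 - - [07/Aug/2023:10:03:00 +0000] "GET /custom-report-example/..%255c..%255cdeployment HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
TARGET_PREFIX = "/custom-report-example/"  # endpoint used by the article's check


def normalise_path(raw: str) -> str:
    """Strip the query, percent-decode twice (catches double encoding) and fold
    backslashes to forward slashes so all traversal spellings compare alike."""
    decoded = unquote(unquote(raw.split("?", 1)[0]))
    return decoded.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """True when any path segment is exactly '..' after normalisation."""
    return any(seg == ".." for seg in normalise_path(path).split("/"))


def scan_access_log(text: str) -> list:
    """One finding per request that aims a '..' segment at the report endpoint.
    A 200 means the server served the traversed file (likely unpatched);
    any other status is an attempt that still deserves triage."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        src, ts, method, path, status = m.groups()
        if normalise_path(path).startswith(TARGET_PREFIX) and has_traversal(path):
            verdict = "traversal served (likely unpatched)" if status == "200" else "traversal attempted"
            findings.append({"src": src, "time": ts, "method": method, "path": path,
                             "status": int(status), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} {f['status']} {f['verdict']}: {f['path']}")
```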

In terms of MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs), this vulnerability relates to several key areas:

The Cascading Effect of Vulnerabilities in PaperCut

The announcement of CVE-2023-39143 is a prime example of the cascading effect of vulnerability discovery, a phenomenon detailed in this article. This effect, where the announcement of a vulnerability in a product triggers further vulnerability discoveries in the same product, is a significant factor in the cybersecurity landscape.

This pattern of further discoveries following the announcement of a CVE is the cascading effect in action. Organisations should therefore stay vigilant and continue monitoring their systems even after patching a known issue, because the first CVE in a product often signals that more will follow. Patching known vulnerabilities is necessary but not sufficient; proactive threat hunting and continuous monitoring are needed to detect and address new vulnerabilities as they emerge.

The cascading effect of vulnerability discovery underscores the importance of a robust cybersecurity strategy that includes regular patching, continuous monitoring, and proactive threat hunting. By staying vigilant and adapting to the evolving threat landscape, organisations can better protect their systems and data from the cascading vulnerabilities in software like PaperCut.

In conclusion, the PaperCut vulnerability CVE-2023-39143, along with the previous vulnerabilities, presents a significant threat to unpatched Windows servers. System administrators should apply the necessary patches and keep their systems updated to mitigate these risks.