overview

Two vulnerabilities, tracked as CVE-2023-27350 and CVE-2023-27351, have been found in PaperCut MF and NG, print management software used by more than 100 million users across 70,000 organizations. The most recent attacks on exposed PaperCut servers are attributed to the Clop and LockBit ransomware operations.

CVE-2023-27350, which carries a critical CVSS score of 9.8, affects PaperCut MF and NG versions 8.0 and later on both Application Servers and Site Servers, on all operating system platforms. PaperCut's advisory states that under certain circumstances the vulnerability allows an unauthenticated attacker to obtain remote code execution (RCE) on a PaperCut Application Server without ever logging in.

The second vulnerability, CVE-2023-27351, carries a high CVSS score of 8.2 and permits unauthenticated information disclosure on PaperCut MF and NG versions 15.0 and later; it affects Application Servers only, on all OS platforms. PaperCut's advisory states that under certain circumstances an unauthenticated attacker can pull user information including usernames, full names and email addresses, as well as the hashed passwords of internal PaperCut-created users.

Earlier in April 2023, PaperCut confirmed that the vulnerabilities were being actively exploited. A few days after that confirmation, a public proof-of-concept (PoC) exploit for CVE-2023-27350 was released, lowering the bar for attackers to breach unpatched servers. PaperCut has issued patches (MF/NG 20.1.7, 21.2.11 and 22.0.9) and recommends that all admins upgrade their servers to the latest version.

avertium's recommendations

  • Avertium recommends patching immediately. For patch guidance regarding CVE-2023-27350 and CVE-2023-27351, see PaperCut’s advisory. 
  • If you are unable to patch, PaperCut recommends locking down network access to the server(s), especially if you are running an older application version for which no minor patch is available. See PaperCut’s guidance below: 
    • Block all inbound traffic from external IPs to the web management ports (9191 and 9192 by default). 
    • Block all inbound traffic to the web management portal at the firewall in front of the server. Note: this prevents lateral movement from internal hosts, but management of the PaperCut service can then only be performed on that asset. 
    • Apply “Allow list” restrictions under Options > Advanced > Security > Allowed site server IP addresses. Set this to allow only the IP addresses of verified Site Servers on your network. Note that this only addresses ZDI-CAN-19226 / PO-1219 (CVE-2023-27351), not the RCE. 
  • The following PaperCut versions are impacted by CVE-2023-27350: 
    • PaperCut MF or PaperCut NG version 8.0 or later, on all OS platforms 
    • PaperCut MF or PaperCut NG Application Servers 
    • PaperCut MF or PaperCut NG Site Servers 
  • The following PaperCut versions are impacted by CVE-2023-27351: 
    • PaperCut MF or PaperCut NG version 15.0 or later, on all OS platforms 
    • PaperCut MF or PaperCut NG Application Servers
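The affected ranges above are easy to misread when triaging a fleet with mixed releases and roles, so the following Python helper, added here as an example and not Avertium's or PaperCut's code, encodes them: CVE-2023-27350 applies from 8.0 on application and site servers, CVE-2023-27351 from 15.0 on application servers only. It also encodes the fixed releases from PaperCut's bulletin (20.1.7, 21.2.11, 22.0.9); the assumptions that any later release carries the fix, that branches without a listed fixed build need a full upgrade, and that the version string looks like the "22.0.8 (Build 64311)" shown on the About page are the example's own.

```python
"""Version triage for the PaperCut MF/NG advisory above (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Lowest fixed build per supported major.minor branch (PaperCut bulletin).
FIXED_BUILDS = {
    (20, 1): (20, 1, 7),
    (21, 2): (21, 2, 11),
    (22, 0): (22, 0, 9),
}
# Assumption: every release at or above the newest fixed build includes the fix.
NEWEST_FIX: Version = max(FIXED_BUILDS.values())

# First affected release and the server roles each CVE applies to (from the page).
AFFECTED = {
    "CVE-2023-27350": ((8, 0, 0), {"application", "site"}),
    "CVE-2023-27351": ((15, 0, 0), {"application"}),
}


def parse_version(text: str) -> Version:
    """'22.0.8 (Build 64311)' -> (22, 0, 8); missing components become 0."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised PaperCut version: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


@dataclass
class Triage:
    version: Version
    role: str
    patched: bool                      # at/above the fixed build for its branch
    fixed_build: Optional[Version]     # minor patch available for this branch, if any
    cves: List[str] = field(default_factory=list)

    @property
    def action(self) -> str:
        if self.patched:
            return "no action: fixed build"
        if self.fixed_build:
            return "apply minor patch %d.%d.%d" % self.fixed_build
        if self.cves:
            return "no minor patch for this branch: upgrade to latest, restrict 9191/9192 meanwhile"
        return "not in affected range"


def triage(version_text: str, role: str = "application") -> Triage:
    """Classify one server; role is 'application' or 'site'."""
    if role not in ("application", "site"):
        raise ValueError("role must be 'application' or 'site'")
    v = parse_version(version_text)
    fixed = FIXED_BUILDS.get(v[:2])
    patched = (fixed is not None and v >= fixed) or v >= NEWEST_FIX
    t = Triage(v, role, patched, fixed)
    if not patched:
        for cve, (first, roles) in AFFECTED.items():
            if v >= first and role in roles:
                t.cves.append(cve)
    return t


if __name__ == "__main__":
    # Constructed inventory, not a real fleet.
    for host, ver, role in [("print-app-01", "22.0.8 (Build 64311)", "application"),
                            ("print-site-02", "21.2.11", "site"),
                            ("print-app-legacy", "19.2.3", "application")]:
        t = triage(ver, role)
        print(f"{host}: {'.'.join(map(str, t.version))} {role}: {t.cves or 'clean'}; {t.action}")
```

The role matters: a 14.x site server is still exposed to the RCE even though the information-disclosure bug does not reach it, and a 19.x server has no minor patch at all, which is exactly the case the network lockdown above is meant for.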

INDICATORS OF COMPROMISE (IoCs)

FileHash-MD5 

  • 46fe07c07fd0f45ba45240ef9aae2a44 

FileHash-SHA1 

  • b918f97c7c6ebc9594de3c8f2d9d75ecc292d02b 

FileHash-SHA256 

  • c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125 

Domain 

  • anydeskupdate[.]com 
  • anydeskupdates[.]com 
  • netviewremote[.]com 
  • updateservicecenter[.]com 
  • windowcsupdates[.]com 
  • windowservicecemter[.]com 
  • windowservicecentar[.]com 
  • windowservicecenter[.]com 
  • winserverupdates[.]com

Hostname 

  • upd488[.]windowservicecemter[.]com 
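To turn the indicators above into a sweep, the following Python script, added here as an example and not Avertium's code, hashes every file under a directory against the MD5/SHA-1/SHA-256 values listed and scans resolver or proxy log lines for the listed domains, treating any subdomain (such as upd488.windowservicecemter.com) as a hit rather than requiring an exact match. The log format is an assumption (the queried hostname appears somewhere on the line), and the sample log lines and the files written by demo() are constructed for this example.

```python
"""IoC sweep for the PaperCut indicators listed above (added example)."""
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List, Optional, Set, Tuple

HASH_IOCS: Dict[str, Set[str]] = {
    "md5": {"46fe07c07fd0f45ba45240ef9aae2a44"},
    "sha1": {"b918f97c7c6ebc9594de3c8f2d9d75ecc292d02b"},
    "sha256": {"c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125"},
}

# Defanged "[.]" from the list above restored to real dots for matching.
DOMAIN_IOCS: Set[str] = {
    "anydeskupdate.com", "anydeskupdates.com", "netviewremote.com",
    "updateservicecenter.com", "windowcsupdates.com", "windowservicecemter.com",
    "windowservicecentar.com", "windowservicecenter.com", "winserverupdates.com",
}


def file_hashes(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Compute all three digests in one pass so each file is read once."""
    hashers = {alg: hashlib.new(alg) for alg in HASH_IOCS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def sweep_files(root: str, iocs: Dict[str, Set[str]] = HASH_IOCS) -> List[Tuple[str, List[str]]]:
    """Return (path, [matching algorithms]) for every file whose digest is an IoC."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digests = file_hashes(path)
            matched = [alg for alg, d in digests.items() if d in iocs.get(alg, ())]
            if matched:
                hits.append((path, matched))
    return hits


# Hostname-looking tokens: dot-separated labels ending in an alphabetic TLD.
_HOST = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def domain_hit(hostname: str) -> Optional[str]:
    """Return the IoC domain that hostname equals or sits under, else None."""
    h = hostname.lower().rstrip(".")
    for ioc in DOMAIN_IOCS:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, hostname, matched IoC) for every line naming an IoC domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in _HOST.findall(line):
            ioc = domain_hit(host)
            if ioc:
                hits.append((n, host.lower(), ioc))
                break
    return hits


SAMPLE_LOG = [  # constructed resolver log, not real telemetry
    "2023-04-24T10:01:02Z client=10.1.2.3 query=updates.microsoft.com type=A",
    "2023-04-24T10:01:05Z client=10.1.2.3 query=upd488.windowservicecemter.com type=A",
    "2023-04-24T10:01:09Z client=10.1.2.7 query=anydesk.com type=A",
    "2023-04-24T10:02:11Z client=10.1.2.9 query=ANYDESKUPDATES.COM. type=A",
]


def demo() -> Dict[str, list]:
    """Run both sweeps over constructed data and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "notes.txt")
        planted = os.path.join(root, "dropper.bin")
        with open(benign, "wb") as f:
            f.write(b"nothing to see here\n")
        with open(planted, "wb") as f:
            f.write(b"constructed stand-in for a known-bad file\n")
        # The real IoC files are not available here, so the demo extends a copy
        # of the hash list with the planted file's SHA-256 to show a positive match.
        iocs = {alg: set(vals) for alg, vals in HASH_IOCS.items()}
        iocs["sha256"].add(file_hashes(planted)["sha256"])
        file_hits = [(os.path.basename(p), algs) for p, algs in sweep_files(root, iocs)]
    return {"file_hits": file_hits, "log_hits": scan_log(SAMPLE_LOG)}


if __name__ == "__main__":
    print(demo())
```

Note that the legitimate anydesk.com lookup is not flagged: the suffix check requires a dot before the IoC domain, so only exact matches and true subdomains count, and the typo-squatted names above (windowservicecemter, windowservicecentar) never collide with Microsoft's real update hosts.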

How Avertium is Protecting Our CUSTOMERS

  • Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident like a malware attack. 
  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
  • Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Avertium offers Zero Trust Network as a Service (ZTNaaS) for any organization that wants to control their attack surface. The zero-trust security model delivers exactly what the name promises: it is an IT security concept that specifies no access is allowed until the successful completion of authentication and authorization processes.   

SUPPORTING DOCUMENTATION

URGENT | PaperCut MF/NG vulnerability bulletin (March 2023) | PaperCut 

Update Now PaperCut Vulnerability CVE-2023-27350 Under Active Exploitation (trendmicro.com) 

PaperCut CVE-2023-27350 Deep Dive and Indicators of Compromise – Horizon3.ai 

Microsoft: Clop and LockBit ransomware behind PaperCut server hacks (bleepingcomputer.com) 
