How to find PaperCut services on your network

Updated

Latest PaperCut services vulnerability #

PaperCut recently revealed that two products in its popular line of print server software contain severe vulnerabilities currently being exploited in the wild. Reported via the Trend Micro Zero Day Initiative, these vulnerabilities can be exploited by unauthenticated attackers to achieve remote code execution as the SYSTEM user (CVE-2023-27350/ZDI-CAN-18987) or information disclosure, including user information and password hashes (CVE-2023-27351/ZDI-CAN-19226).

What is the impact? #

With a CVSS score of 9.8 (“critical”), CVE-2023-27350/ZDI-CAN-18987 exists in the SetupCompleted class and can be leveraged for unauthenticated remote code execution due to improper access control. The Application Server and Site Server components of PaperCut MF and NG product versions 8.0 and later contain this flaw.

CVE-2023-27351/ZDI-CAN-19226 has been assigned a CVSS score of 8.2 (“high”) and exists in the SecurityRequestFilter class as a flaw in the authentication algorithm, allowing for unauthenticated information disclosure. The Application Server component of PaperCut MF and NG product versions 15.0 and later contain this flaw.

PaperCut’s website claims over 130 million users of their products across almost 90,000 organizations in almost 200 countries, including government, commercial, and educational users. Coupled with the substantial list of affected product versions and exploitation of these vulnerabilities already observed happening in the wild, the impact could be quite broad. Trend Micro will defer disclosing more details on these vulnerabilities until next month in order to give PaperCut customers time to patch.

While a definitive indicator of compromise doesn’t exist in detecting exploitation of these vulnerabilities on a target, PaperCut does offer some clues one can look for.

Are updates available? #

Last month, PaperCut released patched versions 20.1.7, 21.2.11, and 22.0.9 which fix these vulnerabilities. Older unsupported/end-of-life versions will not be receiving a patched update.

For admins who cannot patch immediately, PaperCut does provide a mitigation for CVE-2023-27351/ZDI-CAN-19226, but none is available currently for CVE-2023-27350/ZDI-CAN-18987.

How do I find potentially vulnerable PaperCut services with runZero? #

From the Services inventory, use the following prebuilt query to locate all PaperCut MF and NG servers in your network:

_asset.protocol:http and protocol:http and (http.body:"PaperCut MF is a print management system" OR last.http.body:"PaperCut MF is a print management system" OR http.body:"PaperCut NG is a print management system" OR last.http.body:"PaperCut NG is a print management system")
PaperCut query

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

Written by Pearce Barry

More about Pearce Barry
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Articles

Rapid Response
Finding Microsoft Message Queuing (MSMQ) Servers with runZero
A new pre-auth use-after-free vulnerability in the Microsoft Message Queuing (MSMQ) service is rated critical. Find impacted systems now with runZero.
Rapid Response
How to find Johnson Controls Software House iStar Pro Door Controller devices with runZero
Johnson Controls disclosed a vulnerability in their House iStar Pro Door Controller devices. See how to find it with runZero.
Rapid Response
How to find Uniview NVR301-04S2-P4 devices
Uniview has disclosed a vulnerability in their NVR301-04S2-P4 product. See how to find it with runZero.
Rapid Response
How to find Check Point devices
Check Point disclosed a serious vulnerability in Check Point Security Gateway devices with certain remote access software blades enabled. See how...

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved