Choose your language

Choose your login

Support

How can we help?

Lightbulb icon
Lightbulb icon

Here’s your answer

Sources:

Lightbulb icon

Oops!

We currently don’t have an answer for this and our teams are working on resolving the issue. If you still need help,
User reading a resource

Popular resources

Conversation bubbles

Contact us

PaperCut NG/MF Security Bulletin (November 2023)

THE PAGE APPLIES TO:

Security Issues Addressed

Privilege escalation vulnerability (CVE-2023-6006)

(also known as PIE-547).

We want to thank the security researchers at Trend Micro (Amol Dosanjh of Trend Micro and Michael DePlante of Trend Micro Zero Day Initiative) who reported: “This vulnerability allows local attackers to escalate privileges on affected installations of PaperCut NG. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.”

A potential exploit would require all of the following to be true:

  • PaperCut NG/MF Application Server (earlier than version 23.0.1) is running on a Windows platform (macOS and Linux are not impacted by this vulnerability).
  • Malicious actor has write access to the Application Server’s local hard drive.
  • Malicious actor has the ability to execute low-privileged code on the target server.
  • Print Archiving feature is enabled, without GhostTrap installed.

This vulnerability has been rated with a CVSS score of 7.8[1]: (CVSSv3 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H )

Note: Trend Micro are looking to publicly disclose additional information about this. While the Trend Micro advisory may only mention PaperCut NG, we have confirmed that this impacts both PaperCut NG and PaperCut MF (see Impacted Product Status table below).

[1] Sep 2024: Scoring amended.

A note about the timing of this bulletin

We publicly released PaperCut MF and NG version 23.0.1 on 31st October, 2023. This security bulletin and information about CVE-2023-6006 was then published on 14th November 2023. This delay was so that customers can have a head-start on upgrading to a non-vulnerable version.

We have now retroactively added the release note for PIE-547 into the 23.0.1 release notes , and published this security bulletin including details of the manual mitigation.

Impacted Product Status

 

CVE-2023-6006
(Fix ID: PIE-547)

What versions are VULNERABLE?

PaperCut NG/MF Application Servers where all of the following are true:

  • PaperCut NG/MF Application Server (earlier than version 23.0.1) is running on a Windows platform (macOS and Linux are not impacted by this vulnerability).

  • Malicious actor has write access to the Application Server’s local hard drive.

  • Malicious actor has the ability to execute low-privileged code on the target server.

  • Print Archiving feature is enabled, without GhostTrap installed.

What versions are FIXED?

Application Servers running version 23.0.1 or later

Which PaperCut MF or NG components are impacted?

Application Servers are impacted.

Which PaperCut components or products are NOT impacted?

  • PaperCut NG/MF site servers

  • PaperCut NG/MF secondary servers (Print Providers)

  • PaperCut NG/MF Direct Print Monitors (Print Providers)

  • PaperCut MF MFD Embedded Software

  • PaperCut Hive

  • PaperCut Pocket

  • Print Deploy

  • Mobility Print

  • PaperCut User Client software

  • PaperCut Multiverse

  • Print Logger

  • Job Ticketing


Note that this only impacts Application Servers running on Windows platforms. Linux or macOS platforms are not impacted.

Are there any other mitigations available?

Yes. If you’re unable to immediately update to 23.0.1 or later, there are other mitigation options listed below under How do I mitigate this vulnerability?

Credit

Amol Dosanjh of Trend Micro and Michael DePlante (@izobashi) of Trend Micro's Zero Day Initiative

FAQs

Q Where can I get the upgrade?

The Check for updates button in the PaperCut NG/MF admin interface allows customers to download the latest version of PaperCut NG or MF. You will find this at PaperCut NG/MF Admin interface > About > Version info > Check for updates.

You can also find your PaperCut partner or reseller information on the Help tab (or About tab in older versions) on the PaperCut Web admin interface.

Alternatively, direct downloads are available on the upgrade page . It’s easy to identify your edition of PaperCut - it’s on the About tab and in the footer of your PaperCut Web admin login.

Q How do I tell if my Application Server is at risk?

All of the following need to be true for your Application Server to be at risk:

  • PaperCut NG/MF Application Server (earlier than version 23.0.1) is running on a Windows platform (macOS and Linux are not impacted by this vulnerability).
  • Malicious actor has write access to the Application Server’s local hard drive.
  • Malicious actor has the ability to execute low-privileged code on the target server.
  • Print Archiving feature is enabled, without GhostTrap installed.

Q How do I tell if I am using the Print Archiving feature?

In the PaperCut NG/MF admin interface, go to Options > General > Print Archiving.

  • If the Enable Print Archiving checkbox is not checked, then you are not using Print Archiving, and this vulnerability cannot be exploited.
  • If the Enable Print Archiving checkbox is checked, then you are using Print Archiving and the vulnerability could potentially be exploited if all of the other points above in “How do I tell if my Application Server is at risk” are true.

Q If I am using Print Archiving, how do I tell if I have installed GhostTrap?

In the PaperCut NG/MF admin interface, go to Options > General > Print Archiving. In the Status box, check to see what is listed next to the Viewing supported for line:

  • If Viewing supported for lists e.g. EMF, PCL5, PCL6, PDF, PostScript, XPS then GhostTrap is installed, and this vulnerability cannot be exploited.
  • If Viewing supported for only lists e.g. PDF, PostScript then GhostTrap is not installed, and this vulnerability could be exploited, if all of the other points above in How do I tell if my Application Server is at risk? are true.

Q How do I mitigate this vulnerability?

If all of the points under How do I tell if my Application Server is at risk? are true, there are several options to mitigate this vulnerability:

  1. Upgrade your Application Server to version 23.0.1 or later (see Where can I get the upgrade? above).
  2. If you’re unable to upgrade to version 23.0.1 or later, and turning off Print Archiving is an option, you can switch that off under Options > General > Print Archiving, then uncheck Enable Print Archiving.
  3. If you’re unable to upgrade to version 23.0.1 or later, and you need to continue using Print Archiving, then ensure ghostTrap is installed in C:\Program Files\GhostTrap. See Set up Print Archiving (Step 1) for more information.
  4. If you’re unable to upgrade to version 23.0.1 or later, and you need to continue using Print Archiving, and you don’t want to install GhostTrap, then you can create a directory on your Application Server file system: C:\gs\bin and remove write permissions for all accounts except administrators.
  5. If none of the above suit your environment, you can download a fixed version of the pc-pdl-to-image.exe and replace it on your Application Server. See How do I manually replace the pc-pdl-to-image.exe binary? below for more information.

Q How do I manually replace the pc-pdl-to-image.exe binary?

Only use this fix if you have looked through the section How do I mitigate this vulnerability above, and Option 5 is the only option you’re able to implement.

Note: if you are using PaperCut NG or MF version 23.0.1 or later, you do not need to perform these steps - you already have the latest patched version.

  1. Download the updated (patched) pc-pdl-to-image.exe binary from the PaperCut CDN: https://cdn.papercut.com/files/general/pc-pdl-to-image.zip .
  2. Unzip pc-pdl-to-image.zip to get the pc-pdl-to-image.exe binary. (If you wish to verify the SHA256 checksum this is: 5be6a8a817a3fc30fb4a56bff527b51a452d8d84ae1d3d5632d83d2674bcbbb6).
  3. In [App Server install directory]\server\bin\win (e.g. C:\Program Files\PaperCut MF\server\bin\win) rename pc-pdl-to-image.exe to pc-pdl-to-image.bak
  4. Copy the downloaded (patched) pc-pdl-to-image.exe to [App Server install directory]\server\bin\win\.

Note 1: A service restart is not required for this change to take effect.

Note 2: If you subsequently upgrade to any other version earlier than 23.0.1 (e.g. if you apply this mitigation on 22.1.3, then you upgrade from 22.1.3 to 22.1.4) you will need to re-apply this mitigation - since the replaced binary will be re-written with an unpatched one.

Note 3: If you are upgrading to 23.0.1 or later, you will not need to apply this manual mitigation since the fix is included in 23.0.1 and later.

Note 4: The full list of fixes for the patched executable include:

  • Fix for CVE-2023-39471 (the vulnerability described above) [PIE-547] (fixed in PaperCut NG and MF version 23.0.1).
  • Fix for an issue that caused thumbnail image generation to fail for archived PostScript spool files. [PIE-216] (fixed in PaperCut NG and MF version 22.0.9).

Q What products are impacted by these vulnerabilities?

See the Impacted Product Status section above for a detailed list.

Q I am running a 20.x, 21.x or 22.x version - is there an updated build containing the fix?

No - since this vulnerability can be mitigated using multiple options (see How do I mitigate this vulnerability? above) this fix will only be included in 23.0.1 and later.

Q Is there anything I should be aware of before applying the upgrade?

Yes, potentially. If you are upgrading from a version prior to 22.1.1 you should read the upgrade checklist for 22.1.1 . If you’re already on version 22.1.1 or later, you don’t need to check through this again.

Q I am running an old version. Do I need to upgrade to a prior version before upgrading to 23.0.1?

No. This release includes all previous fixes released, and you can upgrade directly to this release from any previous version of PaperCut NG/MF.

Q Why did PaperCut retroactively update a CVE that was already published?

When we receive a security issue report, we carefully assess the vulnerability and score it based on the examples provided in First.

After extensive conversations with researchers who reported this issue, we agreed that in most installations, the default Windows Server configuration would typically restrict console login access to Administrators only. However, this vulnerability could pose a risk to customers who allow non-administrative users to log in to the local console of the PaperCut NG/MF application server hosted on Windows, either through deliberate actions, misconfiguration or other vulnerabilities allowing users to access the server.

Based on this information, the CVE has been rescored with a “Privileges Required (PR)” rating of low, and “Attack Complexity (AC)” rating of low reflecting the worst-case scenario where an Administrator has granted local login access to standard users on the host server. This rescore is NOT due to new paths of attack and this issue remains fixed as of PaperCut NG/MF 23.0.1.

Security notifications

“How do I sign-up for paperCut’s security mailing list?”

In order to get timely notifications of security news (including security related fixes or vulnerability information) please subscribe to our security notifications list via our Security notifications sign-up form. If you’re a sys admin or if you look after PaperCut product implementations at your organization, this list will help you be amongst the first to hear of any security related news or updates.

Updates

Date

Update/Action

31st October, 2023 (AEDT)

Publicly released PaperCut NG/MF version 23.0.1 (contains vulnerability fixes identified above).

14th November, 2023 (AEDT)

Published this Security bulletin.

14th November, 2023 (AEDT)

Published CVE-2023-6006.

16th November, 2023 (AEDT)

Sent email notification to the PaperCut security notifications subscriber list.

26th September, 2024 (AEDT)

Updated CVE-2023-6006 scoring and added a new FAQ.

26th September, 2024 (AEDT)

Sent email notification to the PaperCut security notifications subscriber list.

1st October, 2024 (AEST)

Adding credits to the CVE text.


Categories: FAQ , Security and Privacy


Comments

Last updated October 1, 2024