Choose your language

Choose your login

Support

PaperCut NG/MF Security Bulletin (August 2023)

THE PAGE APPLIES TO:

Executive Summary / tl;dr

Clarification of GhostScript vulnerabilities in the news, and a potential CSRF issue has been found in Mobility Print (fixed via auto update).

Clarification of GhostScript Security

There has recently been some GhostScript vulnerabilities in the news. If you’re using GhostTrap, then you have significant protection against GhostScript exploits.

Why? Back in 2012 the PaperCut engineering team discovered a number of bugs in GhostScript that could potentially lead to vulnerabilities, and these were reported to the GhostScript team at the time. With our security focused mindset this worried us so we started a new open-source project called GhostTrap . GhostTrap brings best of breed sandboxing technology out of Google Chrome to protect against issues that may exist with the GhostScript code. All of PaperCut’s products and setup documentation for Windows platforms use GhostTrap, and we can confirm that we have reviewed recent exploits and checked that the sandboxing measures of GhostTrap offer the protection as expected.

See our GhostScript Vulnerabilities KB for more information.

In line with best practice we will be updating GhostTrap in the near future however NO urgent action is required. For organisations running Linux and macOS servers, if the inbuilt GhostScript is utilised, we recommend making sure the OS system updates are being applied.

Security Issues Addressed

Address potential CSRF attack in Mobility Print (CVE-2023-2508)

Mobility Print is auto updating and a fix for this has already been deployed to customers who have auto-updates enabled. Customers who have disabled Mobility Print auto-updates are encouraged to review their Mobility Print version.

We want to thank the security researchers at FluidAttacks, in particular Carlos Bello. This issue could allow a malicious actor to craft a link that is sent to an authenticated administrator that could lead to changing Mobility Print settings.

This vulnerability has been rated with a CVSS score of 4.8: (CVSSv3 Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N )

Note: FluidAttacks are looking to publicly disclose additional information in the upcoming weeks.

Impacted Product Status

  • This CVE only impacts PaperCut Mobility Print. No other products are impacted.
 CVE-2023-2508
Potential Denial of Service Issue
What versions are VULNERABLE?PaperCut Mobility Print versions prior to 1.0.3582, on all OS platforms (excluding fixed versions named below).
What versions are FIXED?Version 1.0.3582 or later
Which PaperCut MF or NG components are impacted?PaperCut Mobility Print
Which PaperCut components or products are NOT impacted?* PaperCut NG/MF Application servers
* PaperCut NG/MF site servers
* PaperCut NG/MF secondary servers (Print Providers)
* PaperCut NG/MF Direct Print Monitors (Print Providers)
* PaperCut MF MFD Embedded Software
* PaperCut Hive
* PaperCut Pocket
* Print Deploy
* PaperCut User Client software
* PaperCut Multiverse
* Print Logger
* Job Ticketing

FAQs

Q Where can I get the upgrade?

The Mobility Print Server should auto-update by default. You can confirm that you’re running the fixed version by logging into the Mobility Print administration interface (use a browser to connect to your Mobility Print Server at http://[server]:9163/admin, or if you’re using PaperCut MF/NG, head into the MF/NG admin interface, then navigate to Enable Printing > Mobile & BYOD > Mobility Print).

The version number can be seen in the top right hand corner of the Mobility Print admin interface.

If you have deactivated auto-updates, you can manually update your Mobility Print server by following the instructions in the Manually updating your Mobility Print server section.

Q What products are impacted by these vulnerabilities?

Only PaperCut Mobility Print - see the “Impacted Product Status” section above for a detailed list.

Q Is there anything I should be aware of before applying the upgrade?

No - there is no other impact from upgrading.

Security notifications

“How do I sign-up for paperCut’s security mailing list?”

In order to get timely notifications of security news (including security related fixes or vulnerability information) please subscribe to our security notifications list via our Security notifications sign-up form. If you’re a sys admin or if you look after PaperCut product implementations at your organization, this list will help you be amongst the first to hear of any security related news or updates.

Updates

DateUpdate/Action
17th August 2023 (AEST)Publicly released PaperCut Mobility Print version 1.0.3582 (contains security improvements and vulnerability fixes identified above).
28th August 2023 (AEST)Published this Security bulletin.
28th August 2023 (AEST)Sent email notification to the PaperCut security notifications subscriber list.

Categories: FAQ , Security and Privacy


Comments

Last updated June 13, 2024