PaperCut NG/MF Security Bulletin (June 2023)
Executive Summary / tl;dr
We have released the first in a series of security hardening updates for PaperCut NG/MF. The majority of improvements focus on preemptively reducing the attack surface and adding layers of security defense.
PaperCut Software would like to thank the external research community, many of whom have pitched in over the past month or so to help harden PaperCut NG/MF, given the current security environment. This release takes inputs from internal application security architecture reviews, ongoing penetration testing, and security auditing conducted by internal and external researchers.
We recommend all customers upgrade to this release.
Security hardening measures
The 22.1.1 release contains security hardening features designed to uplift default security and provide additional layers of protection. In particular, we’ve added configuration and new defaults to make it hard for attackers to initiate a chained attack using PaperCut NG/MF.
These include the introduction of a new security.properties file to separate the configuration of some components from the web administration interface. The settings moved into this file include:
- Print Scripting and Device Scripting settings, such as the ability to run executables and unsafe code from scripts
- Explicit granting of permission to run external executables such as those used with custom authentication providers and other plugins
For the vast majority of customers, no action will be required after the upgrade. Customers who are using scripting features may have additional configuration steps, which are outlined in the upgrade checklist.
Release notes are available at the following pages:
Please note that these security hardening measures also resolve a ‘chained’ vulnerability that Trend Micro subsequently raised as CVE-2023-39469 (also known as ZDI-CAN-20965), which references the ability to configure scripts to call executables once you have gained admin access to PaperCut MF/NG. As above, this is fixed in version 22.1.1 as part of the “Introduced security hardening layer through security.properties file” changes. The vulnerability has been rated with a CVSS score of 6.5: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:X).
CVEs addressed
This release also addresses two recently identified vulnerabilities reported by security researchers:
- CVE-2023-31046
- CVE-2023-2533
- CVE-2023-39469 (see security hardening measures, above)
PaperCut Software would like to thank the external research community, many of whom have pitched in over the past month or so to help harden PaperCut NG/MF, given the current security environment. We’d like to specifically thank Chris McCurley at Aura Information Security and Carlos Andrés Bello at Fluid Attacks for their recent efforts in identifying and reporting these to us.
CVE-2023-31046 - Path Traversal vulnerability
A Path Traversal vulnerability has been identified in our Application Server and Site Server. Under specific conditions, this could potentially allow an attacker read-only access to the server’s file system.
Recommendation: Upgrade to PaperCut NG/MF version 22.1.1 or later.
This vulnerability has been rated with a CVSS score of 7.2: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/RL:O/RC:C).
Note: Aura Information Security subsequently published an additional disclosure on their website in August 2023.
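The bulletin describes the vulnerability class only, not the affected code path. As an added illustration (this is not PaperCut's code), the following Python shows the server-side check that closes the path-traversal class in a file-serving endpoint: the requested name is percent-decoded until stable, resolved against a fixed document root, and refused if the resolved path escapes that root. PUBLIC_ROOT and the sample inputs are constructed for the example.

```python
"""Path-containment check for a file-serving endpoint.

Added example (not PaperCut's code): resolves a requested file name against
a fixed document root and refuses anything that escapes it.
PUBLIC_ROOT is a constructed example directory; it does not need to exist.
"""
from pathlib import Path
from urllib.parse import unquote

PUBLIC_ROOT = Path("/srv/webapp/public")  # constructed example root


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the served root."""


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so "%2e%2e%2f" and
    double-encoded "%252e" variants are normalised before the check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_root(requested: str, root: Path = PUBLIC_ROOT) -> Path:
    """Return the absolute path for `requested` inside `root`, or raise."""
    decoded = _fully_decode(requested)
    # Reject empty names, absolute paths, backslash separators and NUL bytes
    # outright instead of trying to "repair" them.
    if (not decoded or decoded.startswith(("/", "\\"))
            or "\\" in decoded or "\0" in decoded):
        raise PathTraversalError(requested)
    root_resolved = root.resolve()
    # resolve() collapses ".." segments (and symlinks, when the path exists),
    # so the containment test runs on the path the OS would actually open.
    candidate = (root_resolved / decoded).resolve()
    if candidate != root_resolved and root_resolved not in candidate.parents:
        raise PathTraversalError(requested)
    return candidate


def is_safe(requested: str, root: Path = PUBLIC_ROOT) -> bool:
    """True if `requested` stays inside `root`, False if it would escape."""
    try:
        resolve_under_root(requested, root)
    except PathTraversalError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: the first two are legitimate, the rest are
    # traversal attempts in plain, encoded and double-encoded forms.
    for name in ("css/site.css", "reports/../css/site.css",
                 "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd",
                 "%252e%252e%252fetc/passwd", "/etc/passwd"):
        print(f"{name!r:34} -> {'allow' if is_safe(name) else 'REJECT'}")
```

The containment test is done on the resolved path rather than by searching the raw string for `..`, because string filters miss encoded and mixed-separator forms; the decode loop is bounded so a hostile input cannot keep the server decoding indefinitely.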
CVE-2023-2533 - Cross-Site Request Forgery (CSRF) vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. This could be exploited if the target is an admin with a current login session. Exploitation would typically require deceiving such an admin into clicking a specially crafted malicious link, potentially leading to unauthorized changes.
Recommendation: Upgrade to PaperCut NG/MF version 22.1.1 or later.
This vulnerability has been rated with a CVSS score of 7.9: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:M/IR:M/AR:M/MAV:N/MAC:L/MPR:H/MUI:R/MS:C/MC:H/MI:H/MA:H).
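To make the attack pattern and its standard defence concrete, here is an added Python example (not PaperCut's code) modelling a state-changing admin request. It applies the two checks that defeat a forged request from a page the admin was lured to: a per-session synchronizer token that a cross-site page cannot read, and an Origin/Referer check against the application's own host. The session, the requests, APP_ORIGIN and the setting name are all constructed for the example.

```python
"""CSRF defence for a state-changing admin request.

Added example (not PaperCut's code). Sessions and requests are plain dicts
constructed here; APP_ORIGIN and "example_setting" are made up.
"""
import hmac
import secrets
from urllib.parse import urlsplit

APP_ORIGIN = "https://print.example.internal:9192"  # constructed, not a real host


def new_admin_session(user: str) -> dict:
    """A logged-in admin session; the CSRF token is minted once per session."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32),
            "settings": {"example_setting": False}}


def _same_origin(headers: dict) -> bool:
    """Browsers send Origin on cross-site POSTs; fall back to Referer, and
    fail closed when neither header is present."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    got, want = urlsplit(source), urlsplit(APP_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def change_settings(session: dict, request: dict):
    """Server-side handler for an admin settings change: (status, reason)."""
    if request["method"] != "POST":
        return 405, "state changes must be POST, never reachable via a plain link"
    if not _same_origin(request["headers"]):
        return 403, "cross-site origin"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    session["settings"].update(request["form"]["changes"])
    return 200, "ok"


def simulate() -> dict:
    """Replay three constructed requests against one admin session."""
    session = new_admin_session("admin")
    wanted = {"example_setting": True}

    # A form auto-submitted from a page the admin was lured to: the browser
    # attaches the admin's session cookie, but the Origin is foreign and the
    # page cannot read the token, so it cannot include it.
    forged_post = {"method": "POST", "headers": {"Origin": "https://attacker.example"},
                   "form": {"changes": wanted}}
    # A crafted link: a GET can carry parameters but is never accepted for
    # a state change.
    forged_link = {"method": "GET", "headers": {}, "form": {"changes": wanted}}
    # The real admin page: same origin, and the token it embedded is echoed.
    legit = {"method": "POST", "headers": {"Origin": APP_ORIGIN},
             "form": {"csrf_token": session["csrf_token"], "changes": wanted}}

    return {
        "forged_post": change_settings(session, forged_post)[0],
        "forged_link": change_settings(session, forged_link)[0],
        "after_forgery": session["settings"]["example_setting"],
        "legit": change_settings(session, legit)[0],
        "after_legit": session["settings"]["example_setting"],
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:14} {value}")
```

The token check is the primary control; the origin check is defence in depth for clients that strip or mangle headers, and it fails closed when neither Origin nor Referer is present rather than treating a missing header as trustworthy.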
Impacted Product Status
PaperCut products impacted:
| | CVE-2023-31046 (also known as PO-1277) | CVE-2023-2533 (also known as PO-1366) |
| --- | --- | --- |
| What versions are VULNERABLE? | PaperCut NG and MF versions from 21.2.0 up to 22.0.12 (inclusive) on all OS platforms (excluding the fixed versions named below). | All PaperCut NG and MF versions prior to 22.1.1 on all OS platforms (excluding the fixed versions named below). |
| What versions are FIXED? | Version 22.1.1 or later; version 21.2.12. Note: there is no fix for version 20, since this specific issue does not impact version 20. | Version 22.1.1 or later; version 21.2.12; version 20.1.8. |
| Which PaperCut MF or NG components are impacted? | Application Servers and Site Servers are impacted. | Application Servers are impacted. |
| Which PaperCut components or products are NOT impacted? | PaperCut NG/MF secondary servers (Print Providers); PaperCut NG/MF Direct Print Monitors (Print Providers); PaperCut MF MFD Embedded Software; PaperCut Hive; PaperCut Pocket; Print Deploy; Mobility Print; PaperCut User Client software; PaperCut Multiverse; Print Logger. | PaperCut NG/MF site servers; PaperCut NG/MF secondary servers (Print Providers); PaperCut NG/MF Direct Print Monitors (Print Providers); PaperCut MF MFD Embedded Software; PaperCut Hive; PaperCut Pocket; Print Deploy; Mobility Print; PaperCut User Client software; PaperCut Multiverse; Print Logger. |
Recommended customer actions
- Read the upgrade checklist for 22.1.1. This checklist details all changed security configurations and recommended actions you might need to take for your specific environment.
- Upgrade to PaperCut NG/MF version 22.1.1, referring to our Upgrade guide and your regular change processes, and implement any configuration changes required.
- Subscribe to our Security Notifications mailing list to stay up to date.
FAQs
Q Where can I get the upgrade?
The Check for updates link in the PaperCut NG/MF admin interface allows customers to download the latest version of PaperCut NG or MF. You will find this at PaperCut NG/MF Admin interface > About > Version info > Check for updates.
You can also find your PaperCut partner or reseller information on the Help tab (or About tab in older versions) on the PaperCut Web admin interface.
Alternatively, direct downloads are available on the upgrade page. It’s easy to identify your edition of PaperCut - it’s on the About tab and in the footer of your PaperCut Web admin login.
Q What products are impacted by these vulnerabilities?
See the “What versions are VULNERABLE?” and “What versions are FIXED?” rows in the Impacted Product Status table above for a detailed list.
Q Is there anything I should be aware of before applying the upgrade?
Yes, potentially. After installing this update, some features you use might require additional configuration. Before upgrading you should read the upgrade checklist for 22.1.1.
Q I am running an old version. Do I need to upgrade to a prior version before upgrading to 22.1.1?
No. This release includes all previous fixes released, and you can upgrade directly to this release from any previous version of PaperCut NG/MF.
Q I’m running version 20.x or 21.x and due to operational reasons, I can’t upgrade to 22. Are hotfixes available for these older versions?
The security hardening improvements listed above are only available for version 22 onwards. We recommend upgrading your PaperCut environment to version 22.1.1 or later.
If you are unable to upgrade to version 22.1.1 or later, we are also providing updates for currently supported older versions as below. To get these downloads, see the “Where can I get the upgrade?” question above.
Summary of fixed builds provided:
| Version | Notes |
| --- | --- |
| 22.1.1 | Includes security hardening improvements. Includes fixes for CVE-2023-31046 and CVE-2023-2533. Release notes for PaperCut MF and PaperCut NG. |
| 21.2.12 | Includes fixes for CVE-2023-31046 and CVE-2023-2533. Does not include any additional security hardening improvements. Release notes for PaperCut MF and PaperCut NG. |
| 20.1.8 | Includes fix for CVE-2023-2533 (CVE-2023-31046 only impacts version 21.2.0 and later). Does not include any additional security hardening improvements. Release notes for PaperCut MF and PaperCut NG. |
| Version 19 and earlier | Versions 19 and older are now “end of life”, as documented on our End of Life Policy page. We recommend purchasing an updated license, which you can do online if you’re using PaperCut NG, or through your PaperCut Partner if you’re using PaperCut MF. You can find your PaperCut Partner contact information through the About or Help tab in the PaperCut administration interface. |
Security notifications
“How do I sign up for PaperCut’s security mailing list?”
In order to get timely notifications of security news (including security-related fixes or vulnerability information), please subscribe to our security notifications list via our Security notifications sign-up form. If you’re a sysadmin, or if you look after PaperCut product implementations at your organization, this list will help you be amongst the first to hear of any security-related news or updates.
Updates
| Date | Update/Action |
| --- | --- |
| 8th June 2023 (AEST) | Publicly released PaperCut NG/MF version 22.1.1 (contains security improvements and vulnerability fixes identified above). |
| 8th June 2023 (AEST) | Published this Security bulletin. |
| 8th June 2023 (AEST) | Sent email notification to the PaperCut security notifications subscriber list. |
| 7th August 2023 (AEST) | Updated with confirmation that the follow-up CVE-2023-39469 (ZDI-CAN-20965) has also been resolved in 22.1.1. |
| 22nd August 2023 (AEST) | Updated with link to Aura Information Security disclosure for CVE-2023-31046. |
Last updated June 13, 2024