PaperCut NG/MF Security Bulletin (May 2024)

Executive Summary

This security bulletin covers the improvements in the newly released versions of PaperCut NG/MF (version 23.0.9 and later). These include third-party dependency updates made as part of our ongoing security initiatives, together with fixes for the CVEs listed in this bulletin.

While PaperCut has assessed these issues as posing a low security risk in practice, we recommend that organizations whose PaperCut NG/MF servers allow console or local login access for non-admin users prioritize this upgrade.

How to upgrade

Perform a standard over-the-top update. This is the simplest way to do it:

  1. Log in to the PaperCut NG/MF admin interface and click the About tab.
  2. Click the Check for updates button.
  3. Download the latest update.
  4. Install over-the-top of your existing PaperCut NG or MF server, as well as any Web Print Sandbox servers (listed under Enable Printing > Mobile & BYOD > Web Print).
  5. Done - the version under About > Version info should now show the latest version.

Security issues addressed

(Table columns: Issue | Notes | CVSS rating and vector.)

Issue: Security improvements
Notes: Improvements in Web SSO.
CVSS rating and vector: N/A

Issue: CVE-2024-3037 - Arbitrary file deletion in PaperCut NG/MF Web Print (also known as "ZDI-CAN-20972" by Trend Micro)
Notes: An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit it, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be able to execute low-privilege code directly on that server. The attacker then creates a symbolic link in a location the Web Print service processes, and the service deletes the file the link points to.
Credit: Nicholas Zubrisky (@NZubrisky) and Michael DePlante (@izobashi) of Trend Micro's Zero Day Initiative
CVSS rating and vector: 7.8, CVSSv3 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [1]

Issue: CVE-2024-8404 [2] - Arbitrary File Deletion in PaperCut NG/MF Web Print Hot folder (also known as "ZDI-CAN-23757" by Trend Micro)
Notes: This CVE was split out from CVE-2024-3037, which was previously reported and patched. Up-to-date servers do NOT need to take any action, as the issue is already fixed. The split allows the researchers (Trend Micro ZDI) to attribute two instances of the same vulnerability type to different reporters.
An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit it, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be able to execute low-privilege code directly on that server; in this instance the attack path is the Web Print hot folder.
Credit: Amol Dosanjh, Nicholas Zubrisky (@NZubrisky) and Michael DePlante (@izobashi) of Trend Micro's Zero Day Initiative
CVSS rating and vector: 7.8, CVSSv3 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Issue: CVE-2024-4712 - Arbitrary File Creation in PaperCut NG/MF Web Print Image Handler (also known as "ZDI-CAN-23859" by Trend Micro)
Notes: This vulnerability could allow the creation of files in specific locations used by the Web Print service. It only applies to PaperCut NG/MF Windows servers with the PaperCut Web Print Server service enabled, and involves the image-handler process, which can be made to create files that do not already exist when it is given a maliciously formed payload.
Credit: Nicholas Zubrisky (@NZubrisky) of Trend Micro Research
CVSS rating and vector: 7.8, CVSSv3 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [1]

Issue: CVE-2024-8405 [2] - Arbitrary File Creation in PaperCut NG/MF Web Print leading to a Denial of Service attack (also known as "ZDI-CAN-24042" by Trend Micro)
Notes: This CVE was split out from CVE-2024-4712, which was previously reported and patched. Up-to-date servers do NOT need to take any action, as the issue is already fixed. The split allows the researchers (Trend Micro ZDI) to attribute two instances of the same vulnerability type to different reporters.
This vulnerability could allow the creation of files in specific locations used by the Web Print service. It only applies to PaperCut NG/MF Windows servers with the PaperCut Web Print Server service enabled, and involves the web-print.exe process, which can be made to create files that do not already exist when it is given a maliciously formed payload. If enough files are created this way, they can exhaust disk space and result in a Denial of Service (DoS).
Credit: Amol Dosanjh of Trend Micro
CVSS rating and vector: 6.1, CVSSv3 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

[1] Sep 2024: Scoring amended.
[2] Sep 2024: CVE added.

Acknowledgements

PaperCut would like to thank the researchers working with Trend Micro as part of their ZDI program. Trend Micro and PaperCut have worked together over the last 12 months to ensure that all their research and testing of PaperCut products is responsibly disclosed and collaboratively released.

FAQs

Q Where can I get the upgrade?

The Check for updates link in the PaperCut NG/MF admin interface allows customers to download the latest version of PaperCut NG or MF. You will find this at PaperCut NG/MF Admin interface > About > Version info > Check for updates.

You can also find your PaperCut partner or reseller information on the Help tab (or About tab in older versions) on the PaperCut Web admin interface.

Alternatively, direct downloads are available on the upgrade page. It's easy to identify your edition of PaperCut - it's on the About tab and in the footer of your PaperCut Web admin login.

Q How do I upgrade?

Applying these fixes follows the standard upgrade process for PaperCut Application Servers and Site Servers; see the Upgrading PaperCut MF & NG (upgrade steps) documentation.

Q Do I need to apply the update to my Web Print Sandbox servers?

Yes.

If you’re using Web Print with default mode (where your Web Print documents are printed through the Application Server) then you’re covered by the Application Server upgrade above. No further steps are required.

If you’re using Web Print with Sandbox mode (where you have other server(s) separate from your Application Server, running the PaperCut Web Print Server service), you’ll need to update those servers by re-running the Web Print installation on those servers. For more detailed instructions, follow the Step 2: Install Web Print steps from the “Set up Web Print: Sandbox mode” manual page.

Q Is there anything I should be aware of before applying the upgrade?

No, this is a standard over the top upgrade.

Q Are there any mitigations for these vulnerabilities?

Yes. Organizations not using Web Print can stop the PaperCut Web Print Server service. See Stopping and Starting PaperCut Services for more information. Note that you should also disable the service, so that it does not start automatically when the Windows Server is restarted.
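The mitigation above, as an added PowerShell example (this is not PaperCut's own script or documentation). The service is located by the display name the bulletin uses, "PaperCut Web Print Server"; that the installed display name begins with this string is an assumption, and the internal service name is not given on this page, so it is looked up rather than hard-coded. Run it from an elevated prompt on the Application Server and, if you use Sandbox mode, on each Web Print Sandbox server as well.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the PaperCut bulletin. Stops and disables the Web Print
# Server service (mitigation for sites that do not use Web Print) and verifies the result.

function Disable-PaperCutWebPrint {
    param(
        # Assumption: the service's display name starts with the name used in the bulletin.
        [string] $DisplayNamePattern = 'PaperCut Web Print Server*'
    )

    $services = @(Get-Service -DisplayName $DisplayNamePattern -ErrorAction SilentlyContinue)
    if ($services.Count -eq 0) {
        Write-Host "No service matching '$DisplayNamePattern' found on this host; nothing to do."
        return
    }

    foreach ($svc in $services) {
        Write-Host ("Before: {0} (service name '{1}') status={2} startup={3}" -f
            $svc.DisplayName, $svc.Name, $svc.Status, $svc.StartType)

        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $svc.Name -Force
        }
        # Stopping alone is not enough: an Automatic service comes back on reboot.
        Set-Service -Name $svc.Name -StartupType Disabled

        $after = Get-Service -Name $svc.Name
        Write-Host ("After:  {0} status={1} startup={2}" -f
            $after.DisplayName, $after.Status, $after.StartType)
        if ($after.Status -ne 'Stopped' -or $after.StartType -ne 'Disabled') {
            Write-Warning "Service '$($after.Name)' is not stopped and disabled; check it manually."
        }
    }
}

Disable-PaperCutWebPrint
```

Reverse it with Set-Service -StartupType Automatic followed by Start-Service if Web Print is needed again later; the upgrade to 23.0.9 or later remains the actual fix.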

This upgrade is recommended for all PaperCut organizations; however, organizations with PaperCut NG/MF servers that are accessible from the Internet (e.g. open ports), or that have untrusted actors within the network (e.g. a large university), are strongly advised to upgrade.

Q I am running an old version. Do I need to upgrade to a prior version before upgrading to 23.0.9?

No. This release includes all previous fixes released, and you can upgrade directly to this release from any previous version of PaperCut NG/MF.

Q I’m running version 21.x or 22.x and due to operational reasons, I can’t upgrade to 23. Are hotfixes available for these older versions?

No. Since these vulnerabilities are not rated as critical, the fixes are only included in our 23.0.9 (and later) releases and are not being back-ported to older supported versions.

See our supported versions policy for more information.

Q Why did PaperCut retroactively update a CVE that was already published?

When we receive a security issue report, we carefully assess the vulnerability and score it based on the examples provided by FIRST, which maintains the CVSS specification.

After extensive conversations with researchers at the ZDI program, we agreed that in most installations, the default Windows Server configuration would typically restrict local login access to Administrators only. However, this vulnerability could pose a risk to customers who allow non-administrative users to log in to the local console of the Windows environment hosting the PaperCut NG/MF application server either through deliberate actions, misconfiguration or other vulnerabilities allowing users to access the server.

Based on this information, the CVE has been rescored with a “Privileges Required (PR)” rating of low, and “Attack Complexity (AC)” rating of low reflecting the worst-case scenario where an Administrator has granted local login access to standard users on the host server. This rescore is NOT due to new paths of attack and this issue remains fixed as of PaperCut NG/MF 23.0.9.

Q Why did PaperCut retroactively split CVEs that have already been published and patched?

Since the vulnerabilities were similar and one fix addressed multiple reported issues, PaperCut originally merged the reports into a single CVE. After discussions with the researchers who reported these vulnerabilities, we acknowledged that, although one fix resolved multiple reported vulnerabilities, the reported attack paths were different and deserved to be acknowledged separately. This splitting is NOT due to new paths of attack, and these issues remain fixed as of PaperCut NG/MF 23.0.9.

Security notifications

"How do I sign up for PaperCut's security mailing list?"

To get timely notifications of security news (including security-related fixes or vulnerability information), please subscribe to our security notifications list via our Security notifications sign-up form. If you're a sysadmin or look after PaperCut product implementations at your organization, this list will help you be amongst the first to hear of any security-related news or updates.

Updates

Date

Update/action

14th May, 2024 (AEDT)

Published the initial Security Bulletin.

16th May, 2024 (AEST)

Sent email notification to the PaperCut security notifications subscriber list.

16th May, 2024 (AEST)

Updated article to clarify that updating Web Print Sandbox servers is required, if they are in use.

Added an FAQ to clarify that back-ports (fixes for older versions) are not being released since these are not critical vulnerabilities.

26th September, 2024 (AEDT)

Updated the scoring of CVE-2024-3037 and CVE-2024-4712, added CVE-2024-8404 and CVE-2024-8405, and added two new FAQs.

26th September, 2024 (AEDT)

Sent email notification to the PaperCut security notifications subscriber list.

1st October, 2024 (AEST)

Added credit for the CVE to the table.


Last updated October 1, 2024