{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/ng/mf/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2023-27351"}],"_cs_exploited":true,"_cs_products":["NG/MF"],"_cs_severities":["critical"],"_cs_tags":["papercut","authentication-bypass","ransomware","cve-2023-27351"],"_cs_type":"threat","_cs_vendors":["PaperCut"],"content_html":"\u003cp\u003eCVE-2023-27351 is a critical improper authentication vulnerability affecting PaperCut NG/MF. The vulnerability exists within the SecurityRequestFilter class, enabling remote attackers to bypass authentication mechanisms. This bypass can lead to unauthorized access to sensitive functionalities within the PaperCut NG/MF application. Publicly available reports indicate that this vulnerability is being actively exploited, including instances of ransomware deployment following successful exploitation. Due to the ease of exploitation and the potentially severe consequences, organizations using affected versions of PaperCut NG/MF are urged to apply mitigations immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable PaperCut NG/MF instance accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the SecurityRequestFilter class.\u003c/li\u003e\n\u003cli\u003eThe crafted request exploits the improper authentication vulnerability (CVE-2023-27351), bypassing normal authentication checks.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication bypass, the attacker gains unauthorized access to the PaperCut NG/MF application with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained access to upload malicious scripts or binaries to the PaperCut server.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the uploaded payload, initiating the ransomware encryption process or other malicious activities.\u003c/li\u003e\n\u003cli\u003eRansomware encrypts sensitive data on the PaperCut server and potentially spreads to other connected systems.\u003c/li\u003e\n\u003cli\u003eThe attacker demands a ransom payment for the decryption key.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-27351 allows attackers to bypass authentication, gain unauthorized access, and potentially deploy ransomware. This can result in significant data loss, disruption of print services, and financial losses due to ransom demands and recovery efforts. The vulnerability is known to be actively exploited, increasing the risk to organizations using affected PaperCut NG/MF installations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply mitigations provided by PaperCut, referencing their knowledge base articles PO-1216 and PO-1219.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts against the SecurityRequestFilter class.\u003c/li\u003e\n\u003cli\u003eFollow applicable BOD 22-01 guidance for cloud services if the PaperCut instance is cloud-hosted.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-papercut-auth-bypass/","summary":"CVE-2023-27351 is an improper authentication vulnerability in PaperCut NG/MF that allows remote attackers to bypass authentication via the SecurityRequestFilter class, leading to potential ransomware deployment.","title":"PaperCut NG/MF Improper Authentication Vulnerability (CVE-2023-27351)","url":"https://feed.craftedsignal.io/briefs/2024-01-03-papercut-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — NG/MF","version":"https://jsonfeed.org/version/1.1"}