PaperCut — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/vendors/papercut/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000PaperCut NG/MF Improper Authentication Vulnerability (CVE-2023-27351)https://feed.craftedsignal.io/briefs/2024-01-03-papercut-auth-bypass/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-papercut-auth-bypass/CVE-2023-27351 is an improper authentication vulnerability in PaperCut NG/MF that allows remote attackers to bypass authentication via the SecurityRequestFilter class, leading to potential ransomware deployment.CVE-2023-27351 is a critical improper authentication vulnerability affecting PaperCut NG/MF. The vulnerability exists within the SecurityRequestFilter class, enabling remote attackers to bypass authentication mechanisms. This bypass can lead to unauthorized access to sensitive functionalities within the PaperCut NG/MF application. Publicly available reports indicate that this vulnerability is being actively exploited, including instances of ransomware deployment following successful exploitation. Due to the ease of exploitation and the potentially severe consequences, organizations using affected versions of PaperCut NG/MF are urged to apply mitigations immediately.

Attack Chain

  1. Attacker identifies a vulnerable PaperCut NG/MF instance accessible over the network.
  2. The attacker crafts a malicious HTTP request targeting the SecurityRequestFilter class.
  3. The crafted request exploits the improper authentication vulnerability (CVE-2023-27351), bypassing normal authentication checks.
  4. Upon successful authentication bypass, the attacker gains unauthorized access to the PaperCut NG/MF application with elevated privileges.
  5. The attacker leverages the gained access to upload malicious scripts or binaries to the PaperCut server.
  6. The attacker executes the uploaded payload, initiating the ransomware encryption process or other malicious activities.
  7. Ransomware encrypts sensitive data on the PaperCut server and potentially spreads to other connected systems.
  8. The attacker demands a ransom payment for the decryption key.

Impact

Successful exploitation of CVE-2023-27351 allows attackers to bypass authentication, gain unauthorized access, and potentially deploy ransomware. This can result in significant data loss, disruption of print services, and financial losses due to ransom demands and recovery efforts. The vulnerability is known to be actively exploited, increasing the risk to organizations using affected PaperCut NG/MF installations.

Recommendation

  • Apply mitigations provided by PaperCut, referencing their knowledge base articles PO-1216 and PO-1219.
  • Deploy the Sigma rules provided below to detect potential exploitation attempts against the SecurityRequestFilter class.
  • Follow applicable BOD 22-01 guidance for cloud services if the PaperCut instance is cloud-hosted.
]]>criticalthreatpapercutauthentication-bypassransomwarecve-2023-27351