PaperCut NG/MF Security Bulletin (March 2024)
THE PAGE APPLIES TO:
Executive Summary
This security bulletin is a follow up to the pre-notification published on 8 March 2024. It provides an overview of the latest security focused release of PaperCut NG/MF (23.0.7) that fixes several vulnerabilities. The issues addressed in this release are part of our ongoing security uplift program which involves internal reviews, penetration testing with external parties, and leveraging the strong relationships we’ve built with researchers in the security industry.
We recommend all organizations plan an upgrade to this release, however, organizations with PaperCut NG/MF servers that are accessible from the Internet (e.g. open ports), or have untrusted actors within the network (e.g. a large University) are strongly advised to prioritize this upgrade.
How to fix these vulnerabilities - summary
Perform a standard over-the-top update . This is the simplest way to do it:
- Log in to the PaperCut NG/MF admin interface and click the About tab.
- Click the Check for updates button.
- Download the latest update.
- Install over-the-top of your existing install.
- Done - the version under About > Version info should now show the latest version.
Note: For more detailed information, see: How to fix these vulnerabilities (Detailed) .
Security issues addressed
| CVE | Notes | CVSS rating and vector |
| CVE-2024-1222 Improper access controls on APIs in PaperCut NG/MF (also known as “ZDI-CAN-22812” by Trend Micro) | This vulnerability could potentially allow privilege escalation on PaperCut NG/MF servers. This vulnerability uses a maliciously formed API request against a misconfigured API endpoint. This only applies to a small subset of PaperCut NG/MF API endpoints. Note: PaperCut has already pushed a mitigation through auto-update of sub-components (if auto-update is enabled). | 8.6 CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
| CVE-2024-1654 Unauthorized Write operations in PaperCut NG/MF (also known as “ZDI-CAN-22328” by Trend Micro) | This vulnerability potentially allows an attacker who already has authenticated access to the admin console to carry out unauthorized write operations which may lead to remote code execution. Information only available to admin users is required to exploit this vulnerability. | 7.2 CVSSv3 Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2024-1882 Server Side Resource Injection in PaperCut NG/MF (also known as “ZDI-CAN-23481” by Trend Micro) | This vulnerability only applies to organizations who have installed the Job Ticketing module (not installed by default) This vulnerability allows an attacker who already has authenticated access to the admin console to execute code on the PaperCut Application Server in the context of SYSTEM (Windows) or the papercut user (macOS/Linux). Note: PaperCut has already pushed a mitigation through auto-update of sub-components (if auto-update is enabled). | 7.2 CVSSv3 Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2024-1884 Server-Side Request Forgery in PaperCut NG/MF (also known as “ZDI-CAN-23116” by Trend Micro) | This vulnerability could potentially allow an attacker to make an HTTP request look like it came from a PaperCut NG/MF application server. This is known as Server Side Request Forgery (SSRF) and could be used to mask an attacker’s identity. Note: PaperCut has already pushed a mitigation through auto-update of sub-components (if auto-update is enabled). | 6.5 CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVE-2024-1883 Reflected XSS in PaperCut NG/MF (also known as “ZDI-CAN-23254” by Trend Micro) | This is a reflected cross site scripting vulnerability in the PaperCut NG/MF application server. An attacker can exploit this weakness by crafting a malicious URL that contains a script. When an unsuspecting user clicks on this malicious link, it could potentially lead to limited loss of confidentiality, integrity or availability (e.g. scraping of information on the PaperCut NG/MF admin interface dashboard tab). | 6.3 CVSSv3 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| CVE-2024-1223 Incorrect authorization controls in PaperCut NG/MF (also known as “ZDI-CAN-22165” by Trend Micro) | This vulnerability could be used to enumerate some information from the embedded device APIs. Some amount of reconnaissance and knowledge of the environment and tokens is required. PaperCut NG/MF application server can be configured to further mitigate this issue by limiting device IP addresses. See Restrict access to the Application Server by MFDs | 4.8 CVSSv3 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVE-2024-1221 Improper access controls on APIs on Linux and macOS in PaperCut NG/MF (also known as “ZDI-CAN-23074” by Trend Micro) | This vulnerability does not apply to Windows PaperCut NG/MF application servers. This vulnerability potentially allows files on a Linux/macOS PaperCut NG/MF server to be exposed using a specifically formed payload against an API endpoint. Note: PaperCut has already pushed a mitigation through auto-update of sub-components (if auto-update is enabled). | 3.1 CVSSv3 Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Other (Pre-emptive security improvements) | This release also includes a number of pre-emptive security improvements and additions to layers of defense. These improvements were made as a result of code audits, pen tests and security reviews. Changes were made in line with our security uplift initiative. | N/A |
Acknowledgements
PaperCut would like to thank the researchers working with TrendMicro as part of their ZDI program. Trend Micro and PaperCut have worked together over the last 12 months to ensure that all their research and testing of PaperCut products is responsibly disclosed and collaboratively released.
How to fix these vulnerabilities - detailed
These steps reflect the simplest way to fix all the vulnerabilities listed in this bulletin:
- Upgrade to one of the fixed versions of PaperCut NG/MF listed in this article (23.0.7 or later, 22.1.5, 21.2.14, 20.1.10).
- You will need to apply this upgrade to Application Servers and Site Servers.See Upgrading PaperCut MF & NG (upgrade steps) for more information.
- If you are using Job Ticketing then ensure that Job Ticketing has automatically updated to version 1.0.3123 (or later). See How to check version numbers for more information.
- If you are using the Universal Print Connector on Secondary Servers then ensure that those Universal Print connectors have automatically updated to version 2024-02-28-2055 (or later). See How to check version numbers for more information.
FAQs
Q Where can I get the upgrade?
The Check for updates link in the PaperCut NG/MF admin interface allows customers to download the latest version of PaperCut NG or MF. You will find this at PaperCut NG/MF Admin interface > About > Version info > Check for updates.
You can also find your PaperCut partner or reseller information on the Help tab (or About tab in older versions) on the PaperCut Web admin interface.
Alternatively, direct downloads are available on the upgrade page . It’s easy to identify your edition of PaperCut - it’s on the About tab and in the footer of your PaperCut Web admin login.
Q How do I upgrade?
Applying these fixes follows the standard upgrade process for PaperCut Application Servers and Site Servers, following the Upgrading PaperCut MF & NG (upgrade steps) documentation.
For a full checklist, see How to fix these vulnerabilities (detailed) above.
Q Is there anything I should be aware of before applying the upgrade?
No, this is a standard over the top upgrade.
Q Are there any mitigations for these vulnerabilities?
No, there are no recommended mitigations and we recommend upgrading to the latest versions of PaperCut NG/MF.
This upgrade is recommended for all PaperCut organizations, however, organizations with PaperCut NG/MF servers that are accessible from the Internet (e.g. open ports), or have untrusted actors within the network (e.g. a large University) are strongly advised to upgrade.
Q I am running an old version. Do I need to upgrade to a prior version before upgrading to 23.0.7?
No. This release includes all previous fixes released, and you can upgrade directly to this release from any previous version of PaperCut NG/MF.
Q I’m running version 20.x or 21.x or 22.x and due to operational reasons, I can’t upgrade to 23. Are hotfixes available for these older versions?
Yes, we are supplying upgrades for all supported versions of NG/MF.
- 23.0.7
- 22.1.5
- 21.2.14
- 20.1.10
Direct downloads for these older supported versions are available on the upgrade page .
We strongly recommend all organizations upgrade to the latest version.
Q Can I get more information about these vulnerabilities?
To protect organizations against potential n-day attacks, PaperCut did not share specific details publicly until the maintenance releases containing all required fixes became available on 14 March 2024. This is the full extent of information regarding these vulnerabilities that PaperCut is disclosing.
A common way n-day attacks occur is when bad actors glean information from public sources. By disclosing no information, we are trying to give organizations the maximum lead time on bad actors trying to carry out an n-day attack.
It should also be noted there are no known active exploits. The pre-notifications on 8 March 2024 were merely a measure to inform organizations so they could plan their out-of-schedule updates.
Security notifications
“How do I sign-up for PaperCut’s security mailing list?”
In order to get timely notifications of security news (including security related fixes or vulnerability information) please subscribe to our security notifications list via our Security notifications sign-up form . If you’re a sys admin or if you look after PaperCut product implementations at your organization, this list will help you be amongst the first to hear of any security related news or updates.
Updates
| Date | Update/action |
| 8th March, 2024 (AEDT) | Sent pre-notification via email to subscribers to our Security notifications list, linking to the previous version of this bulletin. |
| 8th March, 2024 (AEDT) | Enabled the PaperCut NG/MF in-product notification (versions 23.0.3 and later) and the dashboard tile notification (for earlier supported versions), linking to this bulletin for further information. |
| 8th March, 2024 (AEDT) | Published the initial Security Bulletin. |
| 14th March, 2024 (AEDT) | Updated this Security Bulletin with further information: - Links to updated versions - CVE details - Fix information - Additional FAQs |
| 14th March, 2024 (AEDT) | Publicly released maintenance releases of PaperCut MF and NG: - 23.0.7 - 22.1.5 - 21.2.14 - 20.1.10 |
| 14th March, 2024 (AEDT) | Notified subscribers of our Security notifications list by email of updates to this Security Bulletin |
Categories: FAQ , Security and Privacy
Last updated March 14, 2024
Comments