PaperCut NG/MF Security Bulletin (May 2024)

Executive Summary

This security bulletin covers the improvements in the newly released versions of PaperCut NG/MF (version 23.0.9 and later). These include third-party dependency updates made as part of our ongoing security initiatives. This release also includes fixes for the CVEs addressed in this bulletin.

While PaperCut has assessed these issues as posing a low security risk in practice, we recommend that organizations with PaperCut NG/MF servers that allow console or local login access for non-admin users prioritize this upgrade.

How to upgrade

Perform a standard over-the-top update. This is the simplest way to do it:

  1. Log in to the PaperCut NG/MF admin interface and click the About tab.
  2. Click the Check for updates button.
  3. Download the latest update.
  4. Install over-the-top of your existing install.
  5. Done - the version under About > Version info should now show the latest version.

Security issues addressed

| Issue | Notes | CVSS rating and vector |
| --- | --- | --- |
| Security improvements | Improvements in Web SSO | N/A |
| CVE-2024-3037 | Arbitrary file deletion in PaperCut NG/MF Web Print (also known as “ZDI-CAN-20972” and “ZDI-CAN-23757” by Trend Micro). This vulnerability could potentially allow deletion of files from specific locations used by the Web Print service. It only applies to PaperCut NG/MF Windows servers with the PaperCut Web Print Server service enabled. | 6.0 (CVSSv3 vector: AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H) |
| CVE-2024-4712 | Arbitrary file creation in PaperCut NG/MF Web Print (also known as “ZDI-CAN-2385” and “ZDI-CAN-24042” by Trend Micro). This vulnerability could potentially allow creation of files in specific locations used by the Web Print service. It only applies to PaperCut NG/MF Windows servers with the PaperCut Web Print Server service enabled. | 6.0 (CVSSv3 vector: AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H) |

Acknowledgements

PaperCut would like to thank the researchers working with Trend Micro as part of its ZDI program. Trend Micro and PaperCut have worked together over the last 12 months to ensure that all their research and testing of PaperCut products is responsibly disclosed and collaboratively released.

FAQs

Q Where can I get the upgrade?

The Check for updates link in the PaperCut NG/MF admin interface allows customers to download the latest version of PaperCut NG or MF. You will find this at PaperCut NG/MF Admin interface > About > Version info > Check for updates.

You can also find your PaperCut partner or reseller information on the Help tab (or About tab in older versions) on the PaperCut Web admin interface.

Alternatively, direct downloads are available on the upgrade page. It’s easy to identify your edition of PaperCut - it’s on the About tab and in the footer of your PaperCut Web admin login.

Q How do I upgrade?

Applying these fixes follows the standard upgrade process for PaperCut Application Servers and Site Servers, as described in the Upgrading PaperCut MF & NG (upgrade steps) documentation.

Q Do I need to apply the update to my Web Print Sandbox servers?

Yes.

If you’re using Web Print with default mode (where your Web Print documents are printed through the Application Server) then you’re covered by the Application Server upgrade above. No further steps are required.

If you’re using Web Print with Sandbox mode (where you have other server(s) separate from your Application Server, running the PaperCut Web Print Server service), you’ll need to update those servers by re-running the Web Print installation on those servers. For more detailed instructions, follow the Step 2: Install Web Print steps from the “Set up Web Print: Sandbox mode” manual page.

Q Is there anything I should be aware of before applying the upgrade?

No, this is a standard over-the-top upgrade.

Q Are there any mitigations for these vulnerabilities?

Yes. Organizations not using Web Print can stop the PaperCut Web Print Server service. See Stopping and Starting PaperCut Services for more information. Note that you should also disable the service to stop it from automatically starting when the Windows Server is started.
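The mitigation above has two parts: stopping the service and disabling it so it does not return at the next boot. The PowerShell below, added here as an example and not PaperCut's own tooling, does both from an elevated session on the Windows server and prints the service state before and after. It assumes the service's display name begins with "PaperCut Web Print Server"; confirm the name with Get-Service on your own server and adjust the pattern if it differs. The function name is this example's own.

```powershell
# Added example, not part of the PaperCut bulletin: stop and disable the Web
# Print service on a Windows server that does not use Web Print, as the
# mitigation above describes. Run from an elevated PowerShell session.
# ASSUMPTION: the service's display name begins with "PaperCut Web Print Server";
# verify with Get-Service on your server and adjust the pattern if it differs.
function Disable-WebPrintService {
    param([string]$DisplayNamePattern = 'PaperCut Web Print Server*')

    $services = @(Get-Service -DisplayName $DisplayNamePattern -ErrorAction SilentlyContinue)
    if ($services.Count -eq 0) {
        Write-Warning "No service matching '$DisplayNamePattern' found; nothing to do."
        return
    }

    foreach ($svc in $services) {
        Write-Host ("Before: '{0}' is {1}, startup type {2}" -f $svc.DisplayName, $svc.Status, $svc.StartType)

        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $svc.Name -Force
        }
        # Stopping alone is not enough: an Automatic service comes back after a
        # reboot, so the startup type is set to Disabled as well.
        Set-Service -Name $svc.Name -StartupType Disabled

        $after = Get-Service -Name $svc.Name
        Write-Host ("After:  '{0}' is {1}, startup type {2}" -f $after.DisplayName, $after.Status, $after.StartType)
    }
}

Disable-WebPrintService
```

Re-run the function after any maintenance that reinstalls or repairs PaperCut, since an installer can reset the startup type; the "After" line should read Stopped with startup type Disabled.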

This upgrade is recommended for all PaperCut organizations. However, organizations with PaperCut NG/MF servers that are accessible from the Internet (e.g. open ports), or that have untrusted actors within the network (e.g. a large university), are strongly advised to upgrade.

Q I am running an old version. Do I need to upgrade to a prior version before upgrading to 23.0.9?

No. This release includes all previous fixes released, and you can upgrade directly to this release from any previous version of PaperCut NG/MF.

Q I’m running version 21.x or 22.x and due to operational reasons, I can’t upgrade to 23. Are hotfixes available for these older versions?

In this case, since these vulnerabilities are not rated as critical, the enhancements are only being included in our 23.0.9 (and later) releases, and are not being back-ported to older supported versions.

See our supported versions policy for more information.

Security notifications

“How do I sign up for PaperCut’s security mailing list?”

In order to get timely notifications of security news (including security-related fixes or vulnerability information), please subscribe to our security notifications list via our Security notifications sign-up form. If you’re a sys admin or if you look after PaperCut product implementations at your organization, this list will help you be amongst the first to hear of any security-related news or updates.

Updates

| Date | Update/action |
| --- | --- |
| 14th May, 2024 (AEDT) | Published the initial Security Bulletin. |
| 16th May, 2024 (AEST) | Sent email notification to the PaperCut security notifications subscriber list. |
| 16th May, 2024 (AEST) | Updated article to clarify that updating Web Print Sandbox servers is required, if they are in use. Added an FAQ to clarify that back-ports (fixes for older versions) are not being released since these are not critical vulnerabilities. |





Last updated June 13, 2024