PaperCut NG/MF Security Bulletin (August 2023)

Executive Summary / tl;dr

Clarification of GhostScript vulnerabilities in the news, and a potential CSRF issue has been found in Mobility Print (fixed via auto update).

Clarification of GhostScript Security

There has recently been some GhostScript vulnerabilities in the news. If you’re using GhostTrap, then you have significant protection against GhostScript exploits.

Why? Back in 2012 the PaperCut engineering team discovered a number of bugs in GhostScript that could potentially lead to vulnerabilities, and these were reported to the GhostScript team at the time. With our security focused mindset this worried us so we started a new open-source project called GhostTrap . GhostTrap brings best of breed sandboxing technology out of Google Chrome to protect against issues that may exist with the GhostScript code. All of PaperCut’s products and setup documentation for Windows platforms use GhostTrap, and we can confirm that we have reviewed recent exploits and checked that the sandboxing measures of GhostTrap offer the protection as expected.

See our GhostScript Vulnerabilities KB for more information.

In line with best practice we will be updating GhostTrap in the near future however NO urgent action is required. For organisations running Linux and macOS servers, if the inbuilt GhostScript is utilised, we recommend making sure the OS system updates are being applied.

Security Issues Addressed

Address potential CSRF attack in Mobility Print (CVE-2023-2508)

Mobility Print is auto updating and a fix for this has already been deployed to customers who have auto-updates enabled. Customers who have disabled Mobility Print auto-updates are encouraged to review their Mobility Print version.

We want to thank the security researchers at FluidAttacks, in particular Carlos Bello. This issue could allow a malicious actor to craft a link that is sent to an authenticated administrator that could lead to changing Mobility Print settings.

This vulnerability has been rated with a CVSS score of 4.8: (CVSSv3 Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N )

Note: FluidAttacks are looking to publicly disclose additional information in the upcoming weeks.

Impacted Product Status

• This CVE only impacts PaperCut Mobility Print. No other products are impacted.

FAQs

The Mobility Print Server should auto-update by default. You can confirm that you’re running the fixed version by logging into the Mobility Print administration interface (use a browser to connect to your Mobility Print Server at http://[server]:9163/admin, or if you’re using PaperCut MF/NG, head into the MF/NG admin interface, then navigate to Enable Printing > Mobile & BYOD > Mobility Print).

The version number can be seen in the top right hand corner of the Mobility Print admin interface.

If you have deactivated auto-updates, you can manually update your Mobility Print server by following the instructions in the Manually updating your Mobility Print server section.

Only PaperCut Mobility Print - see the “Impacted Product Status” section above for a detailed list.

No - there is no other impact from upgrading.

Security notifications

“How do I sign-up for paperCut’s security mailing list?”

In order to get timely notifications of security news (including security related fixes or vulnerability information) please subscribe to our security notifications list via our Security notifications sign-up form. If you’re a sys admin or if you look after PaperCut product implementations at your organization, this list will help you be amongst the first to hear of any security related news or updates.

Updates