PaperCut NG/MF Security Bulletin (July 2023)
Executive Summary / tl;dr
Following on from our previous 22.1.1 security hardening release, PaperCut NG and PaperCut MF 22.1.3 contain patches for vulnerabilities identified through our security uplift program, which includes internal pen testing, code audits, and engagement with industry-leading partners in the infosec community. We recommend all customers plan an upgrade to this release.
PaperCut would like to thank the infosec community who have assisted with our continued security uplift of PaperCut NG/MF over the last few months. In particular we would like to thank Naveen Sunkavally and the team at Horizon3.ai, researchers at Trend Micro, and researchers from Tenable, Inc.
Security Issues Addressed
Potential Denial of Service Issue (CVE-2023-3486)
We want to thank the security researchers at Tenable, who reported a way for an unauthenticated attacker with direct access to the server's IP address to upload arbitrary files into a target directory. This could be used to fill the server's hard disk and prevent the PaperCut server from operating as expected. Tenable track this issue as TRA-2023-23.
This vulnerability has been rated with a CVSS temporal score of 7.4 (base score 8.2 for this vector). CVSSv3 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C
Note: Tenable are looking to publicly disclose additional information in the upcoming weeks.
Update: Tenable released their public disclosure on 28th August 2023, titled “PaperCut NG Unauthenticated File Upload”.
Chained Path Traversal in Authenticated API (CVE-2023-39143)
The security research team at Horizon3.ai identified two path traversal vulnerabilities which, chained together, could be leveraged to read and write arbitrary files on the Application Server. This issue affects PaperCut MF/NG on Windows installations only, and direct access to the server's IP address is required. The Horizon3.ai team worked with PaperCut to mitigate the issue and validate our fixes.
The PaperCut development team would like to thank Naveen and the research team at Horizon3.ai. We would like to acknowledge their sophisticated research methods as finding and demonstrating the issue required chaining multiple complex steps together. It is probably some of the most in-depth research that has ever been applied to PaperCut.
This vulnerability has been rated with a CVSS temporal score of 8.4 (base score 9.4 for this vector). CVSSv3 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H/E:P/RL:O/RC:C
Note: Horizon3.ai are looking to publicly disclose additional information in the upcoming weeks.
Update: Horizon3.ai released their disclosure on 5th August 2023, titled “CVE-2023-39143: PaperCut Path Traversal/File Upload RCE Vulnerability”.
Third Party Library Update (ZDI-CAN-21013)
A vulnerability (CVE-2022-21724) was found in a third-party dependency, the PostgreSQL JDBC driver (pgjdbc), which PaperCut uses to support the PostgreSQL database. Someone who already has administrator access to a PaperCut server could exploit it to gain further privileges. Thanks to the team at Trend Micro's Zero Day Initiative, who demonstrated that PaperCut could be susceptible to this third-party dependency issue.
Note: Trend Micro are looking to publicly disclose additional information in the upcoming weeks.
Miscellaneous security improvements
A number of pre-emptive security improvements were made as a result of code audits, pen tests and security reviews. Changes were made in line with our security uplift initiative.
Impacted Product Status
- All the issues described above impact the Application Server in PaperCut MF and NG.
- PaperCut NG/MF site servers, PaperCut NG/MF secondary servers (Print Providers), PaperCut NG/MF Direct Print Monitors (Print Providers), PaperCut MF MFD Embedded Software, PaperCut Hive, PaperCut Pocket, Print Deploy, Mobility Print, PaperCut User Client software, PaperCut Multiverse and Print Logger are not impacted.
| | Potential Denial of Service Issue (CVE-2023-3486) | Chained Path Traversal in Authenticated API (CVE-2023-39143) | Third Party Library Update (CVE-2022-21724) |
|---|---|---|---|
| Fix IDs | PO-1474 | PO-1447, CDSS-2495 | PO-1441 |
| What versions are VULNERABLE? | All PaperCut NG and MF versions prior to 22.1.3 on all OS platforms (excluding the fixed versions below). | All PaperCut NG and MF versions prior to 22.1.3 on Windows platforms only (excluding the fixed versions below). | All PaperCut NG and MF versions prior to 22.1.3 on all OS platforms (excluding the fixed versions below). |
| What versions are FIXED? | 22.1.3 and later; 21.2.13 and 20.1.9 for the older supported lines (see the 20.x/21.x question below). | 22.1.3 and later; 21.2.13 and 20.1.9 for the older supported lines (see the 20.x/21.x question below). | 22.1.3 and later; 21.2.13 and 20.1.9 for the older supported lines (see the 20.x/21.x question below). |
| Which PaperCut MF or NG components are impacted? | Application Servers | Application Servers | Application Servers |
| Which PaperCut components or products are NOT impacted? | All other components and products listed above (site servers, secondary servers, Direct Print Monitors, MFD Embedded Software, Hive, Pocket, Print Deploy, Mobility Print, User Client, Multiverse, Print Logger). | Same as the previous column. | Same as the previous column. |
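The table above gives an administrator three rules to apply across a fleet: only the Application Server is affected, every Application Server below the fixed build for its release line is affected by CVE-2023-3486 and CVE-2022-21724 on any OS, and CVE-2023-39143 applies on Windows only. The script below is an added example (not PaperCut code) that encodes those rules as a triage function over an inventory. The fixed builds (22.1.3, 21.2.13, 20.1.9) come from this bulletin; it assumes that any major version newer than 22 also carries the fixes, that the version string begins with major.minor.patch, and the inventory records are constructed sample data rather than real hosts. It does not contact any server; feed it the versions you read from About > Version info on each Application Server.

```python
"""Triage helper for the PaperCut NG/MF 22.1.3 security bulletin.

Added example, not PaperCut code. Encodes the bulletin's Impacted Product
Status table so a fleet inventory can be checked offline.
"""
from dataclasses import dataclass

# Fixed Application Server builds per release line, taken from the bulletin.
# Release lines not listed (19.x and older) have no fixed build; the only
# remedy the bulletin offers for them is upgrading to 22.1.3 or later.
FIXED_BUILDS = {22: (22, 1, 3), 21: (21, 2, 13), 20: (20, 1, 9)}
LATEST_FIXED = (22, 1, 3)

CVES_ALL_OS = ("CVE-2023-3486", "CVE-2022-21724")
CVES_WINDOWS_ONLY = ("CVE-2023-39143",)


def parse_version(text: str) -> tuple:
    """'22.1.4' -> (22, 1, 4). Assumes the string starts with major.minor.patch;
    any trailing text (for example a build number) is ignored."""
    core = text.strip().split()[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised PaperCut version: {text!r}")
    return tuple(int(p) for p in parts[:3])


def is_fixed(version: tuple) -> bool:
    """True if this build already contains the 22.1.3 bulletin fixes.

    22.x: fixed at 22.1.3 and every later build.
    21.x / 20.x: fixed only at or above the backported build.
    Newer major versions are assumed to include the fixes (assumption, not
    stated by the bulletin); anything older than 20.x has no fixed build."""
    major = version[0]
    if major > 22 or (major == 22 and version >= LATEST_FIXED):
        return True
    fixed = FIXED_BUILDS.get(major)
    return fixed is not None and version >= fixed


def affected_cves(version: tuple, windows: bool, role: str = "application-server") -> list:
    """CVEs from the bulletin that apply to one host.

    Only the Application Server is impacted; site servers, secondary
    servers, clients and so on get an empty list regardless of version.
    CVE-2023-39143 is added only for Windows installations."""
    if role != "application-server" or is_fixed(version):
        return []
    cves = list(CVES_ALL_OS)
    if windows:
        cves.extend(CVES_WINDOWS_ONLY)
    return cves


@dataclass
class Host:
    name: str
    version: str
    os: str
    role: str


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Host("print-app-01", "22.0.12", "Windows", "application-server"),
    Host("print-app-02", "22.1.4", "Linux", "application-server"),
    Host("print-app-03", "21.2.12", "Linux", "application-server"),
    Host("print-app-04", "20.1.9", "Windows", "application-server"),
    Host("print-app-05", "19.1.4", "Linux", "application-server"),
    Host("print-site-01", "22.0.12", "Windows", "site-server"),
]


def triage(inventory) -> dict:
    """Map host name -> list of applicable CVEs (empty list = nothing to do)."""
    report = {}
    for host in inventory:
        version = parse_version(host.version)
        is_windows = host.os.lower() == "windows"
        report[host.name] = affected_cves(version, is_windows, host.role)
    return report


if __name__ == "__main__":
    for name, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(cves) if cves else 'not affected'}")
```

The 19.x host in the sample shows the case the table does not spell out: there is no backported build for it, so it is reported as affected and the only fix is the upgrade path to 22.1.3 or later.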
Q Where can I get the upgrade?
The Check for updates link in the PaperCut NG/MF admin interface allows customers to download the latest version of PaperCut NG or MF. You will find this at PaperCut NG/MF Admin interface > About > Version info > Check for updates.
You can also find your PaperCut partner or reseller information on the Help tab (or About tab in older versions) on the PaperCut Web admin interface.
Alternatively, direct downloads are available on the upgrade page. It’s easy to identify your edition of PaperCut - it’s on the About tab and in the footer of your PaperCut Web admin login.
Q What products are impacted by these vulnerabilities?
See the “Impacted Product Status” section above for a detailed list.
Q Is there anything I should be aware of before applying the upgrade?
Yes, potentially. If you are upgrading from a version prior to 22.1.1 you should read the upgrade checklist for 22.1.1.
Also, if you’re using KM production series devices with Integrated Scanning, review Known Issue CDSS-2840 before upgrading. This is expected to be resolved in PaperCut MF version 23.0.0.
Q I am running an old version. Do I need to upgrade to a prior version before upgrading to 22.1.3?
No. This release includes all previous fixes released, and you can upgrade directly to this release from any previous version of PaperCut NG/MF.
Q I’m running version 20.x or 21.x and due to operational reasons, I can’t upgrade to 22. Are hotfixes available for these older versions?
Please note that this answer has been updated as of 12th September 2023.
Updates are now available for older supported builds. These updates contain fixes for the key security vulnerabilities listed above:
| | 22.x (22.1.3 or later) | 21.2.13 | 20.1.9 |
|---|---|---|---|
| What's included? | Everything in 22.1.3 (see release notes above). | Everything in 21.2.12 (see release notes above) plus the fixes for the vulnerabilities listed above. | Everything in 21.2.12 (see release notes above) plus the fixes for the vulnerabilities listed above. |
| Are there any known issues with this release? | If you're using KM production series devices with Integrated Scanning, review Known Issue CDSS-2840. This is expected to be resolved in PaperCut MF version 23.0.0. | As for 22.x: review Known Issue CDSS-2840 if you use KM production series devices with Integrated Scanning. | As for 22.x: review Known Issue CDSS-2840 if you use KM production series devices with Integrated Scanning. |
| Where can I get the download? | Direct downloads for the latest version (22.1.4 at the time of writing) are available on the Upgrade PaperCut latest installation files page. | Available through your PaperCut partner by request, or from PaperCut by request. Raise a support request with us and state which product (PaperCut MF or NG) and version you want. | Available through your PaperCut partner by request, or from PaperCut by request. Raise a support request with us and state which product (PaperCut MF or NG) and version you want. |
Note that the security hardening improvements released in 22.1.1 are only available in version 22 onwards. We recommend upgrading your PaperCut environment to version 22.1.3 or later wherever possible.
Q How do I sign up for PaperCut’s security mailing list?
In order to get timely notifications of security news (including security related fixes or vulnerability information) please subscribe to our security notifications list via our Security notifications sign-up form. If you’re a sys admin or if you look after PaperCut product implementations at your organization, this list will help you be amongst the first to hear of any security related news or updates.
| Date (AEST) | Change |
|---|---|
| 25th July 2023 | Publicly released PaperCut NG/MF version 22.1.3 (contains the security improvements and vulnerability fixes identified above). |
| 25th July 2023 | Published this security bulletin. |
| 26th July 2023 | Sent email notification to the PaperCut security notifications subscriber list. |
| 31st July 2023 | Updated the Chained Path Traversal in Authenticated API vulnerability information to include the CVE ID: CVE-2023-39143. |
| 7th Aug 2023 | Updated the Chained Path Traversal in Authenticated API vulnerability (CVE-2023-39143) to clarify that it impacts PaperCut MF/NG on Windows OS installations only. |
| 10th Aug 2023 | Updated the Chained Path Traversal in Authenticated API vulnerability (CVE-2023-39143) to link to the Horizon3.ai public disclosure. |
| 29th Aug 2023 | Updated the Potential Denial of Service Issue (CVE-2023-3486) to link to the Tenable public disclosure. |
| 12th Sept 2023 | Updated the 20.x and 21.x build availability question, now that 21.2.13 and 20.1.9 are available on request. |
Last updated November 24, 2023