Details of CVE-2023-39143, two vulnerabilities in PaperCut application servers that an unauthenticated attacker could exploit to execute code remotely, have been reported and published by Horizon3.ai researchers at the beginning of the month.
Approximately a week after the Publication of the Security bulletin, On 7th Aug 2023 PaperCut updated the chained path traversal in Authenticated API vulnerability (CVE-2023-39143) to clarify this impacts PaperCut MF/NG on Windows OS installations only. Later, on Aug 10th the chained path traversal in Authenticated API vulnerability (CVE-2023-39143) was updated to link to the Horizon.ai public disclosure.
What is CVE-2023-39143?
CVE-2023-39143 refers to path traversal vulnerabilities found in PaperCut NG and PaperCut MF versions released prior to v22.1.3. PaperCut NG and MF are popular server software solutions for print management. These vulnerabilities can be exploited to read, delete, or upload arbitrary files to a susceptible application server under certain circumstances.
The vulnerabilities are present in PaperCut servers operating on Windows. When the external device integration setting is activated, it can lead to remote code execution. This setting is automatically enabled in specific PaperCut installations, such as the PaperCut NG Commercial version or PaperCut MF, as mentioned by the researchers.
Does CVE-2023-39143 affect me?
CVE-2023-39143 affects versions released before v22.1.3.
To determine whether you should update your systems to safeguard against CVE-2023-39143, administrators of PaperCut servers can simply follow the instructions provided by Horizon3.ai researchers. To know if your PaperCut servers require an update to defend against they recommended that users update to the newest version, v22.1.3, to guarantee protection.
Also, use the command below to verify if a PaperCut server is unpatched and operating on Windows:
curl -w “%{http_code}” -k –path-as-is “https://<IP>:<port>/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png”
Receiving a 200 response suggests the server is unpatched and active on Windows. Meanwhile, a 404 response indicates that the server is either patched or not based on Windows.
Has CVE-2023-39143 been actively exploited in the wild?
Though researchers from Horizon3.ai have disclosed certain aspects of the vulnerability, to provide users ample time to update and secure their systems they have refrained from releasing the proof-of-concept (PoC) code for now, nor were current indications of wild exploit were spotted.
How to fix CVE-2023-39143
The vulnerability was fixed in late July with the release of PaperCut NG and MF 22.1.3.
However, even if you regularly update your PaperCut servers, another good idea could be to set up an allowlist and populate it with device IP addresses that are permitted to communicate with the server, since direct server IP access is required to exploit CVE-2023-39143.
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
