PaperCut Security Flaw Enables Ransomware Attack
The newly discovered vulnerability has a fix, but customers must take action
Versions of PaperCut Software’s popular PaperCut MF and PaperCut NG output management platforms have two newly discovered security vulnerabilities that have allowed a ransomware gang to target education customers. Users are urged to visit the PaperCut security bulletin landing page for details and the recommended course of action. According to the company, PaperCut MF and PaperCut NG (versions 8.0 and later) server-based products are impacted, but not the cloud-based PaperCut Hive.
News about security flaws related to printers and companion software crops up regularly. The difference here is that the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have seen active attacks (several successful) over the past few weeks that exploit the software’s flaws as a growing cadre of ransomware gangs get in on the action. SecurityWeek reports that attacks have come from a Cl0p ransomware operator affiliated with the FIN11 and TA505 threat actors, as well as from Iranian state-sponsored threat actors. The prime targets of the attacks appear to be education facilities, which makes sense given the widespread use of PaperCut MF and NG among universities and K-12 school districts.
The more serious of the two security flaws is rated as critical risk—with a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10—and allows remote, unauthenticated attackers to bypass authentication and execute arbitrary code with system privileges. “We have confirmed that, under certain circumstances, this allows for an unauthenticated attacker to get remote code execution (RCE) on a PaperCut Application Server. This could be done remotely and without the need to log in,” PaperCut’s advisory reads.
The second vulnerability, rated as high risk (CVSS score of 8.2), could allow an attacker to pull information about a user stored within PaperCut MF or NG. This information could include usernames, full names, email addresses, office/department info, and any card numbers associated with the user. The attacker can also retrieve the hashed passwords for internal PaperCut-created users (not those synced from Active Directory and other directory sources). Again, this could be done remotely and without the need to log in. “We do not have any evidence of this vulnerability being used against customers at this point,” the company noted.
The good news is that, while the vulnerable code dates back to the very first version of PaperCut released in 2008, the flaw was only discovered in March of this year and PaperCut issued a patch in April. According to the company, both vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, 22.0.9, and later. PaperCut and its reseller partners are working to identify customers who are still running unpatched versions of the platform, and a security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet.
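The fixed-version list above is branch-specific: a 21.1.x server is not covered by the 21.2.11 fix and still needs an upgrade, even though its number is lower than 22.0.9. The following is an added example (not PaperCut's code or tooling) of how an IT team could triage an inventory of PaperCut MF/NG installs against that list. It assumes the fixed versions quoted in the article (20.1.7, 21.2.11, 22.0.9), reads "and later" as any higher patch on the same branch or any newer branch, treats versions below 8.0 and the cloud-based Hive as not affected per the article, and uses a constructed inventory; hostnames and the `internet_exposed` flag are illustrative.

```python
# Added example: classify PaperCut MF/NG installs as patched/unpatched
# using the fixed versions quoted in the article. Not PaperCut's own code.

# Fixed releases named in the bulletin: 20.1.7, 21.2.11, 22.0.9 "and later".
FIXED_VERSIONS = [(20, 1, 7), (21, 2, 11), (22, 0, 9)]
FIRST_AFFECTED = (8, 0, 0)  # article: server versions 8.0 and later are impacted


def parse_version(text):
    """Turn '21.2.11' (or '21.2') into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    nums = []
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"unexpected version component {part!r} in {text!r}")
        nums.append(int(part))
    while len(nums) < 3:          # pad '21.2' to (21, 2, 0)
        nums.append(0)
    return tuple(nums[:3])


def assess(product, version):
    """Return 'not-affected', 'patched' or 'unpatched' for one install."""
    if product.lower() == "hive":  # cloud-based Hive is not impacted per the bulletin
        return "not-affected"
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return "not-affected"
    # Same maintenance branch as a fixed release: compare the patch level.
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2]:
            return "patched" if v >= fixed else "unpatched"
    # No fixed release on this branch. Branches newer than the newest fixed
    # branch count as "later"; older ones (20.0.x, 21.1.x, 19.x ...) do not.
    newest_fixed_branch = max(FIXED_VERSIONS)[:2]
    return "patched" if v[:2] > newest_fixed_branch else "unpatched"


def triage(inventory):
    """Return hostnames needing an upgrade, internet-exposed servers first.

    inventory: list of dicts with 'host', 'product', 'version', 'internet_exposed'.
    """
    needs_action = [
        entry for entry in inventory
        if assess(entry["product"], entry["version"]) == "unpatched"
    ]
    # Exposed servers are the ones the bulletin's response team was hunting for.
    needs_action.sort(key=lambda e: (not e["internet_exposed"], e["host"]))
    return [e["host"] for e in needs_action]


# Constructed inventory for illustration only (hypothetical hostnames).
SAMPLE_INVENTORY = [
    {"host": "print-hq",      "product": "MF",   "version": "22.0.9",  "internet_exposed": False},
    {"host": "print-campus1", "product": "NG",   "version": "21.1.3",  "internet_exposed": True},
    {"host": "print-campus2", "product": "MF",   "version": "21.2.10", "internet_exposed": False},
    {"host": "print-lib",     "product": "NG",   "version": "20.1.7",  "internet_exposed": False},
    {"host": "print-legacy",  "product": "MF",   "version": "19.0.3",  "internet_exposed": True},
    {"host": "print-cloud",   "product": "Hive", "version": "1.0",     "internet_exposed": True},
]

if __name__ == "__main__":
    for entry in SAMPLE_INVENTORY:
        print(f"{entry['host']:14} {entry['product']:5} {entry['version']:8} "
              f"{assess(entry['product'], entry['version'])}")
    print("upgrade first:", triage(SAMPLE_INVENTORY))
```

The version string for a server-based install is the one shown in the PaperCut admin interface; anything the function reports as unpatched should be upgraded rather than merely firewalled, since the critical flaw is exploitable before login.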
Naturally, the company is urging all customers to upgrade their systems to the patched versions as soon as possible. In the meantime, customers’ IT departments can look for some telltale signs (known as “indicators of compromise” or IOCs in cybersecurity-speak) to determine if their PaperCut instance has indeed been compromised. Those details are posted under “How do I know if my server has been exploited?” in the FAQ section of the security bulletin’s landing page.