Executive Summary
CVE-2023-27350 is a critical vulnerability in the PaperCut NG and PaperCut MF print management servers. An unauthenticated remote attacker can bypass authentication to the administrative web interface and, from there, execute arbitrary code as the PaperCut service account, which on Windows is SYSTEM. The flaw is improper access control in the SetupCompleted class. It carries a CVSS 3.1 base score of 9.8 (Critical). The Bl00dy ransomware group has exploited it in the wild; the CISA/FBI joint advisory linked below describes intrusions against organizations in the education facilities subsector. Affected installations should be patched immediately and reviewed for signs of prior exploitation.
Technical Information
CVE-2023-27350 is an authentication bypass in the web application server of PaperCut NG and PaperCut MF. The SetupCompleted class backs the final page of the product's first-run setup wizard (served at /app?service=page/SetupCompleted). Because of improper access control, that page remained reachable by unauthenticated remote clients after setup had finished, and loading it establishes an authenticated administrator session. The publicly documented exploit chain (see the Sophos and Rapid7 reports linked below) then uses the administrator console to enable the print scripting feature and save a print script that calls into the Java runtime, which executes operating-system commands with the privileges of the PaperCut server process: SYSTEM on Windows. The vulnerability has been assigned a CVSS 3.1 base score of 9.8.
The vendor treats all releases from 8.0 onward as affected until they are updated to the fixed build on their branch (20.1.7, 21.2.11 or 22.0.9); the full ranges are listed under Affected Product Versions below.
The vulnerability is characterized by the following details:
- CVE ID: CVE-2023-27350
- Description: This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM.
- CVSS Score: 9.8 (Critical)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The vulnerability is being actively exploited in the wild; the Bl00dy ransomware group is the most prominent actor reported to use it to gain initial access and deploy ransomware.
Exploitation in the Wild
Exploitation of CVE-2023-27350 has been observed in multiple incidents. According to the CISA/FBI joint advisory, the Bl00dy ransomware group used it in early May 2023 to gain initial access to networks in the education facilities subsector, after which it downloaded remote management tooling and malware through the PaperCut server and deployed ransomware. The intrusion pattern is the one described above: an unauthenticated request to the SetupCompleted page to obtain an administrator session, followed by print-script abuse to run commands as SYSTEM.
Indicators of compromise associated with this activity include: requests for the SetupCompleted page (/app?service=page/SetupCompleted) in the PaperCut server logs after initial installation, particularly from addresses outside the administrator network; print scripting being enabled, or print scripts created or modified, without a matching change request; the PaperCut server process (pc-app.exe on Windows) spawning command interpreters such as cmd.exe or PowerShell; unexpected outbound connections from the PaperCut server; and unauthorized scripts, executables or remote management tools on the server.
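The following is an added example (not part of the original advisory and not PaperCut's own tooling) that turns two of the indicators above into detection logic: requests for the SetupCompleted page, and the PaperCut server process launching a command interpreter. The sample log lines, their format, the hostnames, IP addresses and the install path are all constructed for the example; the path checked and the process name are the ones named in the advisory text.

```python
"""Detection logic for CVE-2023-27350 exploitation, run over constructed sample logs.

Added example, not code from the original advisory or from PaperCut. The two log
formats below are hypothetical; adapt the regular expressions to your own sources
(web proxy or PaperCut server log, Sysmon/EDR process-creation events).
"""
import ipaddress
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable

# Page that the exploit chain requests first; loading it anonymously yields an admin session.
SETUP_COMPLETED_PATH = "/app?service=page/SetupCompleted"

# PaperCut application server process on Windows. It has no business launching these.
PAPERCUT_PROCESS = "pc-app.exe"
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    timestamp: str
    detail: str


# Constructed sample: "<timestamp> <source ip> <method> <path> <status>".
SAMPLE_WEB_LOG = """\
2023-04-20T03:12:44Z 203.0.113.7 GET /app?service=page/SetupCompleted 200
2023-04-20T03:12:45Z 203.0.113.7 POST /app 302
2023-04-20T08:01:10Z 10.0.0.5 GET /app?service=page/Dashboard 200
2023-04-21T09:30:02Z 10.0.0.5 GET /app?service=page/SetupCompleted 200
"""

# Constructed sample of process-creation events (hypothetical host name and install path).
SAMPLE_PROCESS_LOG = """\
2023-04-20T03:10:00Z host=print01 parent="C:\\Windows\\System32\\services.exe" child="C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe" cmdline="pc-app.exe -service"
2023-04-20T03:12:50Z host=print01 parent="C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe" child="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c whoami"
2023-04-20T03:13:05Z host=print01 parent="C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe" child="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe -nop -w hidden -c Get-Process"
"""

_WEB_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
_PROC_RE = re.compile(r'^(\S+) host=(\S+) parent="([^"]+)" child="([^"]+)" cmdline="([^"]*)"$')


def scan_web_log(lines: Iterable[str], trusted_networks: Iterable[str]) -> list[Finding]:
    """Flag every request for the SetupCompleted page.

    Nobody should load it once installation is complete, so any hit is worth a look;
    a hit from outside the administrator networks is the exploit's first step.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings: list[Finding] = []
    for line in lines:
        m = _WEB_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, path, status = m.groups()
        if path != SETUP_COMPLETED_PATH:
            continue
        trusted = any(ipaddress.ip_address(src) in net for net in nets)
        rule = "setupcompleted_after_install" if trusted else "setupcompleted_from_untrusted_source"
        findings.append(Finding(rule, ts, f"{src} {method} {path} -> {status}"))
    return findings


def scan_process_log(lines: Iterable[str]) -> list[Finding]:
    """Flag pc-app.exe spawning a command interpreter or download utility."""
    findings: list[Finding] = []
    for line in lines:
        m = _PROC_RE.match(line.strip())
        if not m:
            continue
        ts, host, parent, child, cmdline = m.groups()
        # ntpath handles Windows paths regardless of the platform this script runs on.
        if ntpath.basename(parent).lower() != PAPERCUT_PROCESS:
            continue
        child_name = ntpath.basename(child).lower()
        if child_name in SUSPICIOUS_CHILDREN:
            findings.append(Finding("papercut_spawned_interpreter", ts, f"{host}: {child_name} <- {cmdline}"))
    return findings


def scan_all(web_lines: Iterable[str], proc_lines: Iterable[str], trusted_networks: Iterable[str]) -> list[Finding]:
    return scan_web_log(web_lines, trusted_networks) + scan_process_log(proc_lines)


if __name__ == "__main__":
    for f in scan_all(SAMPLE_WEB_LOG.splitlines(), SAMPLE_PROCESS_LOG.splitlines(), ["10.0.0.0/8"]):
        print(f.rule, f.timestamp, f.detail)
```

The web rule deliberately reports SetupCompleted hits from trusted addresses too, at a lower-priority rule name, because an attacker who already has an internal foothold will come from an allowed range; triage those against change records rather than discarding them.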
For more detailed information on the exploitation of this vulnerability, refer to the following sources:
- CISA Advisory: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
- Sophos Report: https://news.sophos.com/en-us/2023/04/27/increased-exploitation-of-papercut-drawing-blood-around-the-internet/
- Trend Micro: https://www.trendmicro.com/en_us/research/23/d/update-now-papercut-vulnerability-cve-2023-27350-under-active-ex.html
- Rapid7 Blog: https://www.rapid7.com/blog/post/2023/05/17/etr-cve-2023-27350-ongoing-exploitation-of-papercut-remote-code-execution-vulnerability/
APT Groups using this vulnerability
The Bl00dy ransomware group is a financially motivated ransomware operation rather than a state-sponsored APT, but it is the actor most prominently reported exploiting CVE-2023-27350. The CISA/FBI joint advisory (AA23-131a) describes it using the vulnerability to gain initial access to networks in the education facilities subsector, then pulling remote management tools and malware through the compromised PaperCut server before deploying ransomware. Organizations should review the tactics, techniques and procedures in that advisory, in particular the post-exploitation behaviour of the PaperCut server process, to build detections against this intrusion pattern.
Affected Product Versions
The following versions of PaperCut NG and PaperCut MF are affected by CVE-2023-27350:
- PaperCut NG versions from 8.0.0 up to (excluding) 20.1.7
- PaperCut NG versions from 21.0.0 up to (excluding) 21.2.11
- PaperCut NG versions from 22.0.0 up to (excluding) 22.0.9
- PaperCut MF versions from 8.0.0 up to (excluding) 20.1.7
- PaperCut MF versions from 21.0.0 up to (excluding) 21.2.11
- PaperCut MF versions from 22.0.0 up to (excluding) 22.0.9
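As an added example (not from the original advisory and not a PaperCut tool), the check below encodes the three affected ranges above and reports, for an inventory of servers, which ones still need the fixed build on their branch. The version-string format it accepts ("22.0.5" or "22.0.5 (Build 63914)", as the advisory writes it) and the inventory contents are assumptions for the example.

```python
"""Check PaperCut NG/MF version strings against the CVE-2023-27350 affected ranges.

Added example, not code from the original advisory or from PaperCut. Ranges are
half-open [first affected, first fixed) per release branch, as listed above.
"""
from __future__ import annotations

import re

AFFECTED_RANGES: tuple[tuple[tuple[int, int, int], tuple[int, int, int]], ...] = (
    ((8, 0, 0), (20, 1, 7)),    # 8.0.0 up to, excluding, 20.1.7
    ((21, 0, 0), (21, 2, 11)),  # 21.0.0 up to, excluding, 21.2.11
    ((22, 0, 0), (22, 0, 9)),   # 22.0.0 up to, excluding, 22.0.9
)

# Accepts "22.0.5", "22.0" and "22.0.5 (Build 63914)"; the build number is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:\(Build\s*\d+\))?\s*$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a PaperCut version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PaperCut version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def minimum_fixed_version(text: str) -> str | None:
    """Return the first patched build on the same branch, or None if not affected.

    Tuple comparison gives the correct ordering (21.2.10 < 21.2.11, unlike string order).
    """
    version = parse_version(text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return ".".join(str(part) for part in first_fixed)
    return None


def is_affected(text: str) -> bool:
    return minimum_fixed_version(text) is not None


def hosts_needing_patch(inventory: dict[str, str]) -> dict[str, str]:
    """Map each affected host to the build it must be upgraded to."""
    return {
        host: fixed
        for host, version in inventory.items()
        if (fixed := minimum_fixed_version(version)) is not None
    }


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are assumptions for the example.
    inventory = {
        "print01": "22.0.5 (Build 63914)",
        "print02": "21.2.10",
        "print03": "20.1.7",
        "print04": "22.0.9",
    }
    for host, fixed in hosts_needing_patch(inventory).items():
        print(f"{host}: affected, upgrade to {fixed} or later")
```

Note that the 8.0.0 lower bound comes from the advisory's ranges; releases older than 8.0 are out of vendor support and should be treated as needing replacement rather than as safe.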
Workaround and Mitigation
The only complete fix for CVE-2023-27350 is the vendor update: upgrade PaperCut NG or MF to 20.1.7, 21.2.11, 22.0.9 or a later release on the corresponding branch. Where an upgrade cannot be applied immediately, reduce exposure in the meantime by blocking inbound access to the PaperCut web management ports (TCP 9191 and 9192 by default) from the internet and from any network that does not need the administrator interface, and by restricting administrator-interface access to known addresses with the product's allowed admin IP setting. Because the vulnerability was exploited before many organizations patched, treat the update as the start of the response rather than the end of it: review the server logs for SetupCompleted requests since installation, check whether print scripting has been enabled or print scripts changed, look for unexpected child processes of the PaperCut server process, and if any of these are present assume the server was compromised and run an incident response process rather than simply patching over it.
For the vendor's advisory and patch details, refer to the PaperCut Knowledge Base: https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
Rescana is here for you
At Rescana, we understand the critical nature of cybersecurity threats and the importance of staying ahead of potential vulnerabilities. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help organizations identify, assess, and mitigate risks associated with vulnerabilities like CVE-2023-27350. By leveraging our platform, you can ensure that your systems are protected against the latest threats and maintain a robust security posture.
If you have any questions about this report or any other issue, please feel free to reach out to us at ops@rescana.com. We are here to assist you in safeguarding your organization against cybersecurity threats.