Cybersecurity researchers have discovered a new high-severity security flaw in Papercut print management software for Windows that could result in remote code execution under specific circumstances.
Tracked as CVE-2023-39143 (CVSS score: 8.4), the flaw affects Papercut NG/MF prior to version 22.1.3. It has been described as a combination of a path traversal and file upload vulnerability.
Naveen Sunkavally of Horizon3.ai said, “CVE-2023-39143 enables unauthenticated attackers to potentially read, delete, and upload arbitrary files to Papercut MF/NG application servers, resulting in remote code execution in some configurations.”
The cyber security firm said file upload for remote code execution is possible when the External device integration setting is enabled, which is on by default in some installations of Papercut.
Earlier this April, another remote code execution vulnerability in the same product (CVE-2023–27350, CVSS score: 9.8) and an information disclosure flaw (CVE-2023–27351) came under widespread exploitation in the wild to deliver Cobalt Strike and ransomware. Iranian nation-state actors were also spotted abusing the bugs to obtain initial access to target networks.
“Compared to CVE-2023-27350, CVE-2023-39143 also requires no prior privileges for attackers to exploit, and requires no user interaction,” Sunkavally said. “Exploiting CVE-2023-39143 is more complex, involving multiple issues that must be combined together to compromise a server. This is not a ‘one-shot’ RCE vulnerability.”
Corrected by Papercut in version 22.1.3 is a security flaw that could allow an unauthenticated attacker with direct server IP access to upload arbitrary files to a target directory, causing a potential denial of service (CVE- 2023-3486, CVSS) Score: 7.4). Tenable is credited with discovering and reporting the issue.