CVE-2023-27350 is an unauthenticated remote code execution vulnerability in PaperCut MF/NG print management software that allows attackers to bypass authentication and execute arbitrary code as SYSTEM on vulnerable targets. A patch is available for this vulnerability and should be applied on an emergency basis. The vulnerability was published in March 2023 and is being broadly exploited in the wild by a wide range of threat actors, including multiple APTs and ransomware groups like Cl0p and LockBit.

Several other security firms and news outlets have already published articles on threat actors' use of CVE-2023-27350, including Microsoft's threat intelligence team, which is tracking exploitation by multiple Iranian state-sponsored threat actors. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint alert warning that CVE-2023-27350 had been exploited since at least mid-April and was being used in ongoing Bl00dy ransomware attacks targeting "the Education Facilities Subsector." Their alert includes indicators of compromise (IOCs) and reinforces the need for immediate patching.

Internet-exposed attack surface area for CVE-2023-27350 appears to be modest, with under 2,000 vulnerable instances of PaperCut identified as of April 2023. However, the company claims to have more than 100 million users, which is a strong motivator for a wide range of threat actors.

[Figure: World map showing locations of PaperCut installations.]

Affected Products

According to the vendor's advisory, CVE-2023-27350 affects PaperCut MF or NG 8.0 and later across all platforms. PaperCut has an FAQ available for customers at the end of their advisory. Note that updating to a fixed version of PaperCut resolves both CVE-2023-27350 and CVE-2023-27351.

The following product coverage is available to Rapid7 customers: an authenticated check for CVE-2023-27350 on Windows and macOS systems is available to Nexpose and InsightVM customers as of April 28, 2023. A remote, unauthenticated check for PaperCut MF is available in the May 17 content-only release.

Last Wednesday, PaperCut warned that a critical vulnerability it patched in the software in March was under active attack against machines that had yet to install the March update. The vulnerability, tracked as CVE-2023-27350, carries a severity rating of 9.8 out of a possible 10. It allows an unauthenticated attacker to remotely execute malicious code without needing to log in or provide a password. A related vulnerability, tracked as CVE-2023-27351 with a severity rating of 8.2, allows unauthenticated attackers to extract usernames, full names, email addresses, and other potentially sensitive data from unpatched servers.

Two days after PaperCut revealed the attacks, security firm Huntress reported that it found threat actors exploiting CVE-2023-27350 to install two pieces of remote management software, one known as Atera and the other Syncro, on unpatched servers. Evidence then showed that the threat actor used the remote management software to install malware known as Truebot. Truebot is linked to a threat group known as Silence, which has ties with the ransomware group known as Clop. Previously, Clop used Truebot in in-the-wild attacks that exploited a critical vulnerability in software known as GoAnywhere.

[Embedded media: PaperCut CVE-2023-27350 proof-of-concept exploitation.]

The exploit works by adding malicious entries to one of the template printer scripts that are present by default. By disabling security sandboxing, the malicious script can gain direct access to the Java runtime and, from there, execute code on the main server. "As intended, the scripts contain only functions which serve as hooks for future execution, however the global scope is executed immediately upon saving, and therefore a simple edit of a printer script can be leveraged to achieve Remote Code Execution," Huntress explained.

On Monday, researchers with security firm Horizon3 published their analysis of the vulnerabilities, along with proof-of-concept exploit code for the more severe one. Similar to the PoC exploit described by Huntress, it uses the authentication bypass vulnerability to tamper with the built-in scripting functionality and execute code.

On Friday, Huntress reported there were roughly 1,000 Windows machines with PaperCut installed in the customer environments it protects. Of those, roughly 900 remained unpatched. Of the three macOS machines it monitored, only one was patched. Assuming the numbers are representative of PaperCut's larger install base, the Huntress data suggests that thousands of servers remain under threat of being exploited.
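As an added defensive example (not code from the article, PaperCut or Huntress): an audit that flags any statement sitting in the global scope of a PaperCut print script, since the Huntress quote above notes the scripts are meant to contain only hook functions and anything in the global scope runs the moment the script is saved. The hook name printJobHook and both sample scripts are assumptions constructed for illustration.

```python
import re

# Constructed samples (not PaperCut's templates); hook name is assumed.
CLEAN_SCRIPT = """// Hook only: nothing runs when this script is saved.
function printJobHook(inputs, actions) {
    if (inputs.job.totalPages > 100) { actions.job.cancel(); }
}"""
SUSPICIOUS_SCRIPT = """function printJobHook(inputs, actions) { return; }
var probe = 1; // global scope: runs as soon as the script is saved"""

# A function declaration header is the only thing allowed at brace depth 0.
HOOK_HEADER = re.compile(r"^\s*function\s+\w+\s*\([^)]*\)\s*$")

def _blank_comments_and_strings(src):
    """Space out comments/strings (newlines kept) so their braces are ignored."""
    out, i, n = [], 0, len(src)
    while i < n:
        if src.startswith("//", i):
            j = src.find("\n", i); j = n if j < 0 else j
        elif src.startswith("/*", i):
            j = src.find("*/", i + 2); j = n if j < 0 else j + 2
        elif src[i] in "\"'":
            j = i + 1
            while j < n and src[j] != src[i]:
                j += 2 if src[j] == "\\" else 1
            j = min(j + 1, n)
        else:
            out.append(src[i]); i += 1; continue
        out.append(re.sub(r"[^\n]", " ", src[i:j])); i = j
    return "".join(out)

def audit_script(src):
    """Return [(line, text)] for every depth-0 statement that is not a hook."""
    depth, line, buf, start, flagged = 0, 1, [], None, []
    def flush(opens_block):
        nonlocal buf, start
        text = "".join(buf).strip()
        if text and not (opens_block and HOOK_HEADER.match(text)):
            flagged.append((start, text))  # code that executes on save
        buf, start = [], None
    for c in _blank_comments_and_strings(src):
        line += c == "\n"
        if depth == 0 and c in "{;":
            flush(c == "{")
        elif depth == 0 and c != "}":
            start = line if start is None and not c.isspace() else start
            buf.append(c)
        depth = max(0, depth + (c == "{") - (c == "}"))
    flush(False)
    return flagged
```

Run audit_script over each stored print script and treat a non-empty result as a script to review; regex literals are not handled by the tokenizer, so an unexpected finding on a legitimate script is worth a manual look rather than a suppression.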