CVE-2023-39470
📋 TL;DR
This vulnerability allows authenticated remote attackers to execute arbitrary code with SYSTEM privileges on PaperCut NG servers by exploiting an exposed dangerous function in the print.script.sandboxed setting. Organizations running vulnerable PaperCut NG installations are affected.
💻 Affected Systems
- PaperCut NG
📦 What is this software?
PaperCut NG by PaperCut
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, allowing attackers to install malware, steal data, pivot to other systems, or disrupt printing services.
Likely Case
Privilege escalation leading to unauthorized access to sensitive data, configuration manipulation, or installation of backdoors.
If Mitigated
Limited impact if proper network segmentation, authentication controls, and monitoring are in place to detect exploitation attempts.
🎯 Exploit Status
Exploitation requires authentication but is straightforward once authenticated. ZDI-CAN-20965 indicates active research.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PaperCut NG 22.1.3 or later
Vendor Advisory: https://www.papercut.com/kb/Main/SecurityBulletinJune2023/
Restart Required: Yes
Instructions:
1. Download PaperCut NG version 22.1.3 or later from the official PaperCut website.
2. Back up your current installation and configuration.
3. Run the installer to upgrade.
4. Restart the PaperCut NG service or server as required.
🔧 Temporary Workarounds
Restrict Access to PaperCut NG
Limit network access to PaperCut NG servers to only trusted users and networks using firewalls or network segmentation.
Enforce Strong Authentication
Implement multi-factor authentication (MFA) and strong password policies to reduce the risk of unauthorized authenticated access.
🧯 If You Can't Patch
- Isolate PaperCut NG servers in a segmented network zone with strict access controls.
- Monitor for suspicious activities, such as unauthorized access attempts or changes to print.script.sandboxed settings.
🔍 How to Verify
Check if Vulnerable:
Check the PaperCut NG version in the admin interface under 'About' or run 'java -jar papercut-ng.jar --version' on the server.
Check Version:
java -jar papercut-ng.jar --version
Verify Fix Applied:
Verify the version is 22.1.3 or later and check that the print.script.sandboxed setting is properly secured in the configuration.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts
- Changes to print.script.sandboxed settings
- Execution of unexpected scripts or commands
Network Indicators:
- Unusual outbound connections from PaperCut NG servers
- Traffic matching known exploit patterns
SIEM Query:
source="papercut-ng" AND (event="authentication_failure" OR event="configuration_change" OR event="script_execution")