CVE-2023-6006
📋 TL;DR
This CVE allows local attackers with write access to the C drive to escalate privileges to SYSTEM level by exploiting an insecure executable loading mechanism in PaperCut NG's pc-pdl-to-image process. It affects PaperCut NG installations where Print Archiving is enabled or misconfigured. The vulnerability requires local access but has low attack complexity.
💻 Affected Systems
- PaperCut NG
📦 What is this software?
PaperCut MF by PaperCut
PaperCut NG by PaperCut
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM privileges and executes arbitrary code, potentially taking full control of the server.
Likely Case
Privilege escalation from standard user to SYSTEM on servers where local login is granted to network users.
If Mitigated
No impact if Print Archiving is properly configured per recommendations or if local write access is restricted.
🎯 Exploit Status
Requires local write access to C drive and either Print Archiving enabled or misconfigured system. Attack complexity is low per CVSS rating.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific fixed versions
Vendor Advisory: https://www.papercut.com/kb/Main/Security-Bulletin-November-2023/
Restart Required: Yes
Instructions:
1. Review PaperCut November 2023 security bulletin.
2. Apply the latest PaperCut NG update.
3. Restart the PaperCut service and server if required.
🔧 Temporary Workarounds
Disable Print Archiving
Windows: Disable Print Archiving feature if not required
Configure via PaperCut Admin interface: Options > Advanced > Print Archiving > Disable
Restrict Local Write Access
Windows: Remove write permissions to C drive for standard users
Use Windows permissions to restrict write access to C:\ for non-administrative users
🧯 If You Can't Patch
- Ensure Print Archiving is properly configured per PaperCut recommendations
- Restrict local login access to PaperCut servers to administrative users only
🔍 How to Verify
Check if Vulnerable:
Check if Print Archiving is enabled and if standard users have write access to C drive on PaperCut server
Check Version:
Check PaperCut version in Admin interface: Help > About
Verify Fix Applied:
Verify PaperCut version is updated to patched version and Print Archiving configuration follows recommendations
📡 Detection & Monitoring
Log Indicators:
- Unauthorized process execution from unusual locations
- Privilege escalation attempts in system logs
Network Indicators:
- Unusual local system activity from standard user accounts
SIEM Query:
Process creation events where parent process is pc-pdl-to-image.exe and executable path is from unsecured location
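The SIEM query described above, written out as detection logic. This is an added example, not code from PaperCut or from the original page. It assumes process creation telemetry in Sysmon Event ID 1 form (fields `EventID`, `ParentImage`, `Image`); the trusted directory list and all sample events are constructed and must be replaced with the server's real install path.

```python
import ntpath

PARENT_NAME = "pc-pdl-to-image.exe"
# Assumption: directories standard users cannot write to. Replace with the
# real PaperCut install path and verify its ACLs on the server.
TRUSTED_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)")

def _norm(path):
    # Collapse "..", "." and mixed slashes, then lowercase (Windows paths
    # are case-insensitive) so comparisons cannot be dodged by spelling.
    return ntpath.normcase(ntpath.normpath(path))

def in_trusted_dir(image, trusted=TRUSTED_DIRS):
    img = _norm(image)
    if not ntpath.isabs(img):
        return False  # unqualified or empty path: cannot be vouched for
    # Trailing separator stops "C:\Program Files Extra" matching by prefix.
    return any(img.startswith(_norm(d) + "\\") for d in trusted)

def suspicious_children(events, trusted=TRUSTED_DIRS):
    """Return process-creation events spawned by pc-pdl-to-image.exe whose
    executable lies outside the trusted directories."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:  # Sysmon process creation only
            continue
        parent = ntpath.basename(_norm(ev.get("ParentImage", "")))
        if parent == PARENT_NAME and not in_trusted_dir(ev.get("Image", ""), trusted):
            hits.append(ev)
    return hits

# Constructed sample events (paths and file names are illustrative only).
P = r"C:\Program Files\ExampleInstall\pc-pdl-to-image.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": P, "Image": r"C:\Program Files\ExampleInstall\helper.exe"},
    {"EventID": 1, "ParentImage": P.upper(), "Image": r"C:\Tools\helper.exe"},
    {"EventID": 1, "ParentImage": P, "Image": r"C:\Program Files\..\Data\helper.exe"},
    {"EventID": 1, "ParentImage": P, "Image": r"C:\Program Files Extra\helper.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Tools\helper.exe"},
    {"EventID": 3, "ParentImage": P, "Image": r"C:\Tools\helper.exe"},
]

if __name__ == "__main__":
    for ev in suspicious_children(SAMPLE_EVENTS):
        print("ALERT:", ev["Image"])
```

Three of the six sample events are flagged: the child outside the trusted directories, the one that leaves `C:\Program Files` through `..`, and the look-alike directory that only shares a prefix with a trusted one.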