PaperCut printer security flaw may be much worse than initially thought

We have also gotten two proofs-of-concept (PoC) showcasing exactly how the vulnerabilities could be exploited, exponentially increasing their destructive potential. The first PoC was released by attack surface assessment firm Horizon3, which explained that the exploit allows for "remote code execution by abusing the built-in 'Scripting' functionality for printers."

Few targets

The managed cybersecurity platform providers Huntress also showcased their PoC, but only in the form of a video demo. The actual PoC is yete to be released.

The silver lining is that there are only around 1,700 internet-exposed PaperCut servers that the attackers could target, BleepingComputer says, citing data from a Shodan search. Still, even one successful attack is one too many.

There are patches and workarounds for the flaws, though, so users are advised to address the problem immediately and minimize any potential risk. System admins should make sure their software is patched to versions 20.1.7, 21.2.11 (MF), and 22.0.9 (NG). 

The second flaw can also be mitigated by applying “Allow list” restrictions found in Options > Advanced > Security > Allowed site server IP addresses, and only allowing verified Site Server IP addresses to access the network.

Those interested in double-checking whether or not your systems were compromised are out of luck, as PaperCut says it’s impossible to determine, with absolute certainty, if a threat actor breached the network. 

The devs suggested IT teams look for suspicious activity in the PaperCut admin interface under Logs > Application Log, including updates from a user called [setup wizard]. They can also look for new users being created, or configuration keys changed. 

• Here are the best malware removal tools right now

Via: BleepingComputer