Attacker Value

Unknown

(1 user assessed)

Exploitability

Unknown

(1 user assessed)

User Interaction

CVE-2023-27350

Disclosure Date: April 20, 2023 •

CVE-2023-27350 CVSS v3 Base Score: 9.8

Exploited in the Wild

Reported by mkienow-r7 and 1 more...
View Source Details

Metasploit Module

exploit/multi/http/papercut_ng_auth_bypass

Description

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.

Add Assessment

sfewer-r7 (81)

April 21, 2023 9:06am UTC (1 year ago)•Edited 1 year ago

Ratings

Gives privileged access Unauthenticated

Technical Analysis

Overview

On April 14, 2023 the Zero Day Initiative published two advisories, ZDI-23-233 aka CVE-2023-27350 and ZDI-23-232 aka CVE-2023-27351, for two vulnerabilities affecting PaperCut MF and PaperCut NG.

PaperCut have released their own advisory for these two vulnerabilities. The vulnerability CVE-2023-27350 allows an unauthenticated attacker to achieve remote code execution on a vulnerable PaperCut MF or NG Application Server and affects all versions of both products, from version 8.0 up to the patched version (as listed below). The CVE has been rated critical and has a CVSS base score of 9.8. On April 19, 2023, PaperCut updated their advisory to report that this vulnerability has been exploited in the wild.

On April 21, 2023, Huntress published technical details on the vulnerability.

Guidance

A vendor supplied patch is available and should be applied to successfully remediate the issue.

For PaperCut MF the following versions remediate the issue:

For PaperCut NG the following versions remediate the issue:

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

papercut

Products

papercut mf,
papercut ng

Metasploit Modules

exploit/multi/http/papercut_ng_auth_bypass (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/papercut_ng_auth_bypass.rb)

Exploited in the Wild

Reported by:

mkienow-r7 indicated sources as

Vendor Advisory (https://www.papercut.com/kb/Main/PO-1216-and-PO-1219)
Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/04/21/cisa-adds-three-known-exploited-vulnerabilities-catalog)

Reported: April 20, 2023 5:37pm UTC (1 year ago) • Edited 1 year ago

gwillcox-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a)

Reported: May 18, 2023 4:11pm UTC (11 months ago)

References

Canonical

CVE-2023-27350 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27350)

Exploit

The following exploit POCs have not been verified by Rapid7 researchers, but are sourced from: nomi-sec/PoC-in-GitHub.
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.

https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py

CVE-2023-27350 (https://github.com/horizon3ai/CVE-2023-27350)

CVE-2023-27350 (https://github.com/Pari-Malam/CVE-2023-27350)

CVE-2023-27350-POC (https://github.com/MaanVader/CVE-2023-27350-POC)