https://www.papercut.com/kb/Main/Security-Bulletin-May-2024 <br/></td> CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"/>https://www.papercut.com/kb/Main/Security-Bulletin-May-2024 <br/></td> CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"/>

Exploit
CVE-2024-3037

Improper Link Resolution Before File Access ('Link Following') (CWE-59)

Published: May 14, 2024 / Updated: 6mo ago

010
CVSS 7.8EPSS 0.04%High
CVE info copied to clipboard

Summary

This vulnerability allows local attackers to escalate privileges on affected installations of PaperCut NG Server. The specific flaw exists within the pc-web-print service. By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.

Impact

The impact of this vulnerability is severe. If exploited, it allows an attacker to escalate privileges to SYSTEM level, potentially gaining full control over the affected system. This could lead to unauthorized access to sensitive data, modification of system files, installation of malware, and potential lateral movement within the network. The vulnerability affects the integrity, confidentiality, and availability of the system, all rated as HIGH in the CVSS scoring.

Exploitation

Multiple proof-of-concept exploits are available on zerodayinitiative.com, zerodayinitiative.com. There is no evidence of proof of exploitation at the moment.

Patch

PaperCut has issued an update to correct this vulnerability. More details can be found at: https://www.papercut.com/kb/Main/Security-Bulletin-May-2024

Mitigation

1. Apply the patch provided by PaperCut as soon as possible. 2. Limit local access to the PaperCut NG Server to only necessary users. 3. Monitor for any suspicious activities or unauthorized privilege escalations on the affected systems. 4. Implement the principle of least privilege for all user accounts. 5. Regularly audit and review file permissions, especially for the pc-web-print service. 6. Consider implementing application whitelisting to prevent unauthorized code execution.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (379806)

May 14, 2024 at 7:53 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 8.4%)

May 14, 2024 at 9:23 AM
CVE Assignment

NVD published the first details for CVE-2024-3037

May 14, 2024 at 3:39 PM
First Article

Feedly found the first article mentioning CVE-2024-3037. See article

May 14, 2024 at 3:46 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Jul 31, 2024 at 9:33 PM
Threat Intelligence Report

CVE-2024-3037 is a high-severity arbitrary file deletion vulnerability in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled, requiring local login access for exploitation. There are no details provided regarding exploitation in the wild, proof-of-concept exploits, or downstream impacts on third-party vendors. The recommended mitigation is to upgrade to PaperCut MF version 23.0.9 or later. See article

Oct 16, 2024 at 8:22 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209140)

Oct 16, 2024 at 9:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209141)

Oct 16, 2024 at 9:15 PM
Static CVE Timeline Graph

Affected Systems

Papercut/ng
+null more

Exploits

https://www.zerodayinitiative.com/advisories/ZDI-24-1038/
+null more

Links to Mitre Att&cks

T1547.009: Shortcut Modification
+null more

Attack Patterns

CAPEC-132: Symlink Attack
+null more

Vendor Advisory

ZDI-24-1039: PaperCut NG web-print-hot-folder Link Following Local Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of PaperCut NG. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-3037.

References

PaperCut MF &lt; 23.0.9 Multiple Vulnerabilities
Nessus Plugin ID 209141 with High Severity Synopsis PaperCut MF installed on remote Windows host is affected by a multiple vulnerabilities Description The version of PaperCut MF installed on the remote Windows host is affected by multiple vulnerabilities, as follows: - An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit this vulnerability, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be capable of executing low-privilege code directly on the server. The attacker can leverage this attack by creating a symbolic link, and use this service to delete the file the link is pointing to. (CVE-2024-3037) - This vulnerability could potentially allow the creation of files in specific locations used by the Web Print service. This vulnerability only applies to PaperCut NG/MF Windows servers with the PaperCut Web Print Server service enabled and uses the image-handler process, which can incorrectly create files that don’t exist when a maliciously formed payload is provided. (CVE-2024-4712) - CVE-2024-8404 and CVE-2024-8405 have been split to allow the researchers (Trend Micro ZDI) to attribute two instances of the same vulnerability type to different reporters. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Solution Upgrade to PaperCut MF version 23.0.9 or later. Read more at https://www.tenable.com/plugins/nessus/209141

News

PaperCut MF &lt; 23.0.9 Multiple Vulnerabilities
Nessus Plugin ID 209141 with High Severity Synopsis PaperCut MF installed on remote Windows host is affected by a multiple vulnerabilities Description The version of PaperCut MF installed on the remote Windows host is affected by multiple vulnerabilities, as follows: - An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit this vulnerability, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be capable of executing low-privilege code directly on the server. The attacker can leverage this attack by creating a symbolic link, and use this service to delete the file the link is pointing to. (CVE-2024-3037) - This vulnerability could potentially allow the creation of files in specific locations used by the Web Print service. This vulnerability only applies to PaperCut NG/MF Windows servers with the PaperCut Web Print Server service enabled and uses the image-handler process, which can incorrectly create files that don’t exist when a maliciously formed payload is provided. (CVE-2024-4712) - CVE-2024-8404 and CVE-2024-8405 have been split to allow the researchers (Trend Micro ZDI) to attribute two instances of the same vulnerability type to different reporters. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Solution Upgrade to PaperCut MF version 23.0.9 or later. Read more at https://www.tenable.com/plugins/nessus/209141
Security Bulletin 02 Oct 2024 - Cyber Security Agency of Singapore
This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing ...
NA - CVE-2024-8404 - An arbitrary file deletion vulnerability exists...
An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit this vulnerability, an attacker must first obtain local...
CVE-2024-8404
To exploit this vulnerability, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be capable of executing low-privilege code directly on the server via the web-print-hot-folder. Gravedad 3.1 (CVSS 3.1 Base Score)
Arbitrary File Deletion in PaperCut NG/MF Web Print Hot folder
Papercut - HIGH - CVE-2024-8404 An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit this vulnerability, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be capable of executing low-privilege code directly on the server via the web-print-hot-folder. Important: In most installations, this risk is mitigated by the default Windows Server configuration, which restricts local login access to Administrators only. However, this vulnerability could pose a risk to customers who allow non-administrative users to log into the local console of the Windows environment hosting the PaperCut NG/MF application server. Note: This CVE has been split from CVE-2024-3037.
See 12 more articles and social media posts

CVSS V3.1

Attack Vector:Local
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI