Exploit
CVE-2024-8404

Improper Link Resolution Before File Access ('Link Following') (CWE-59)

Published: Sep 26, 2024 / Updated: 55d ago

010
CVSS 7.8EPSS 0.04%High
CVE info copied to clipboard

Summary

An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. The vulnerability allows an attacker with local login access to the Windows Server hosting PaperCut NG/MF to execute low-privilege code directly on the server via the web-print-hot-folder. This could lead to unauthorized file deletion on the affected system. The vulnerability affects PaperCut NG and PaperCut MF versions prior to 23.0.9.

Impact

If exploited, this vulnerability could result in high impact on integrity, availability, and confidentiality of the affected system. An attacker could potentially delete critical files, leading to system instability, data loss, or service disruption. Sensitive information could also be compromised. The vulnerability has a CVSS base score of 7.8, indicating high severity. However, exploitation requires local access to the Windows Server hosting PaperCut NG/MF, which is typically restricted to administrators in default configurations.

Exploitation

One proof-of-concept exploit is available on zerodayinitiative.com. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. PaperCut has released version 23.0.9 for both PaperCut NG and PaperCut MF, which addresses this vulnerability. Security teams should prioritize updating to this version or later.

Mitigation

1. Update PaperCut NG and PaperCut MF to version 23.0.9 or later. 2. Ensure that local login access to the Windows Server hosting PaperCut NG/MF is restricted to administrators only. 3. If non-administrative users must have local login access, implement strict access controls and monitoring for the web-print-hot-folder. 4. Consider disabling Web Print functionality if it's not essential for operations. 5. Regularly audit user permissions and access to the PaperCut NG/MF server. 6. Implement and maintain robust logging and monitoring systems to detect any suspicious activities related to file operations in the affected areas.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-8404

Sep 26, 2024 at 2:15 AM
CVSS

A CVSS base score of 7.8 has been assigned.

Sep 26, 2024 at 2:20 AM / nvd
First Article

Feedly found the first article mentioning CVE-2024-8404. See article

Sep 26, 2024 at 2:21 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 26, 2024 at 2:25 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.6%)

Sep 26, 2024 at 9:41 AM
Threat Intelligence Report

The article does not provide specific details about the vulnerability CVE-2024-8404, including its criticality, CVSS score, exploitation in the wild, proof-of-concept exploits, mitigations, detections, or patches. It mentions that CVE-2024-8404 and CVE-2024-8405 are related vulnerabilities attributed to different reporters but lacks further context on their impact or downstream effects. Therefore, no additional information can be summarized regarding CVE-2024-8404 based on the provided content. See article

Oct 16, 2024 at 8:22 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209140)

Oct 16, 2024 at 9:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209141)

Oct 16, 2024 at 9:15 PM
Static CVE Timeline Graph

Affected Systems

Papercut/papercut_ng
+null more

Exploits

https://www.zerodayinitiative.com/advisories/ZDI-24-1039/
+null more

Patches

www.papercut.com
+null more

Links to Mitre Att&cks

T1547.009: Shortcut Modification
+null more

Attack Patterns

CAPEC-132: Symlink Attack
+null more

References

PaperCut MF < 23.0.9 Multiple Vulnerabilities
Nessus Plugin ID 209141 with High Severity Synopsis PaperCut MF installed on remote Windows host is affected by a multiple vulnerabilities Description The version of PaperCut MF installed on the remote Windows host is affected by multiple vulnerabilities, as follows: - An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit this vulnerability, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be capable of executing low-privilege code directly on the server. The attacker can leverage this attack by creating a symbolic link, and use this service to delete the file the link is pointing to. (CVE-2024-3037) - This vulnerability could potentially allow the creation of files in specific locations used by the Web Print service. This vulnerability only applies to PaperCut NG/MF Windows servers with the PaperCut Web Print Server service enabled and uses the image-handler process, which can incorrectly create files that don’t exist when a maliciously formed payload is provided. (CVE-2024-4712) - CVE-2024-8404 and CVE-2024-8405 have been split to allow the researchers (Trend Micro ZDI) to attribute two instances of the same vulnerability type to different reporters. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Solution Upgrade to PaperCut MF version 23.0.9 or later. Read more at https://www.tenable.com/plugins/nessus/209141

News

PaperCut MF < 23.0.9 Multiple Vulnerabilities
Nessus Plugin ID 209141 with High Severity Synopsis PaperCut MF installed on remote Windows host is affected by a multiple vulnerabilities Description The version of PaperCut MF installed on the remote Windows host is affected by multiple vulnerabilities, as follows: - An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit this vulnerability, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be capable of executing low-privilege code directly on the server. The attacker can leverage this attack by creating a symbolic link, and use this service to delete the file the link is pointing to. (CVE-2024-3037) - This vulnerability could potentially allow the creation of files in specific locations used by the Web Print service. This vulnerability only applies to PaperCut NG/MF Windows servers with the PaperCut Web Print Server service enabled and uses the image-handler process, which can incorrectly create files that don’t exist when a maliciously formed payload is provided. (CVE-2024-4712) - CVE-2024-8404 and CVE-2024-8405 have been split to allow the researchers (Trend Micro ZDI) to attribute two instances of the same vulnerability type to different reporters. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Solution Upgrade to PaperCut MF version 23.0.9 or later. Read more at https://www.tenable.com/plugins/nessus/209141
Security Bulletin 02 Oct 2024 - Cyber Security Agency of Singapore
This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing ...
NA - CVE-2024-8404 - An arbitrary file deletion vulnerability exists...
An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit this vulnerability, an attacker must first obtain local...
CVE-2024-8404
To exploit this vulnerability, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be capable of executing low-privilege code directly on the server via the web-print-hot-folder. Gravedad 3.1 (CVSS 3.1 Base Score)
Arbitrary File Deletion in PaperCut NG/MF Web Print Hot folder
Papercut - HIGH - CVE-2024-8404 An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit this vulnerability, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be capable of executing low-privilege code directly on the server via the web-print-hot-folder. Important: In most installations, this risk is mitigated by the default Windows Server configuration, which restricts local login access to Administrators only. However, this vulnerability could pose a risk to customers who allow non-administrative users to log into the local console of the Windows environment hosting the PaperCut NG/MF application server. Note: This CVE has been split from CVE-2024-3037.
See 6 more articles and social media posts

CVSS V3.1

Attack Vector:Local
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI