PaperCut has recently received two vulnerability reports from a 3rd party cyber security company (Trend Micro), for high/critical severity security issues in PaperCut MF/NG. There has not been any evidence of these vulnerabilities being used against customers at this point.
Both of the vulnerabilities can only be exploited if the remote attacker were to have access to the PaperCut server remotely. If the server is protected within an organizations’ firewall, then the attack would have to originate within the organizations’ network perimeter. However, if the server isn’t protected within your firewall, you are potentially at risk and need to take action as soon as possible. If you have not done so, we recommend you prioritize the installation of the maintenance release applicable to your PaperCut server version as soon as practically possible.
PaperCut has identified and released new builds to resolve these reported security issues with PaperCut MF.
Vulnerability #1 – PaperCut has confirmed that under certain circumstances this allows for an unauthenticated attacker to get Remote Code Execution (RCE) on a PaperCut Application Server. This could be done remotely and without the need to log in. We do not have any evidence of this vulnerability being used against customers at this point.
Vulnerability #2 – PaperCut has confirmed that under certain circumstances this allows for an unauthenticated attacker to potentially pull information about a user stored within PaperCut MF or NG – including usernames, full names, email addresses, office/department info and any card numbers associated with the user. The attacker can also retrieve the hashed passwords for internal PaperCut-created users only (note that this does not include any password hashes for users sync’d from directory sources such as Microsoft 365 / Google Workspace / Active Directory and others). This could be done remotely and without the need to log in. We do not have any evidence of this vulnerability being used against customers at this point.
Recommended Remediation:
Current Version | Update to: |
PaperCut MF version 22.x | 22.0.9 |
PaperCut MF version 21.x | 21.2.11 |
PaperCut MF version 20.x | 20.1.7 |
PaperCut MF versions 19 or older | Check MFP firmware, cost for new PaperCut MF license and firmware update may be required |
PaperCut MF v20, v21 and v22:
In order to efficiently remove the vulnerability PaperCut users should stay within the major version of PaperCut that they are currently using (v20, v21 or v22). If they are running a version of 20, they should update to v20.1.7, if they are running a version of 21 then they should update to v21.2.11 and if they are running a version of 22 they should update to v22.0.9. All of these updates are available on the Papercut site for download.
PaperCut MF v19 or older:
In the unlikely event that you are currently using version 19 or older, you will most likely need to update the firmware on your bizhub MFP’s to support the latest compatible version of PaperCut MF. There will be a service charge to perform the firmware update.
Next Steps:
Prior to updating the PaperCut server, it is important to confirm the PaperCut version in use to determine the correct fix required for the vulnerability, and if it requires an MFP firmware update. Please contact your Konica Minolta service provider to help you confirm the best approach to remediation.
More information can be found on the PaperCut website:
https://www.papercut.com/kb/Main/PO-1216-and-PO-1219#zdi-can-18987-po-1216