In mid-March 2023, PaperCut, a popular print management software solution, publicly disclosed two vulnerabilities (CVE-2023-27350 and CVE-2023-27351) that were reported to them through Trend Micro's Zero Day Initiative (ZDI).
However, in mid-April it was observed that one of the vulnerabilities, CVE-2023-27350 (CVSS 9.8), was being exploited in the wild (ITW). This vulnerability is an improper access control flaw that allows an unauthenticated attacker to bypass authentication, and it can lead to Remote Code Execution (RCE) on an affected PaperCut Application Server.
The ZDI disclosure on CVE-2023-27350 can be found at: https://www.zerodayinitiative.com/advisories/ZDI-23-233/ and Trend Micro Research has written a comprehensive blog on the threat: "Update Now: PaperCut Vulnerability CVE-2023-27350 Under Active Exploitation".
Trend Micro Protection and Detection Against Exploitation
First and foremost, it is always highly recommended that users apply the vendor's patches when they become available. PaperCut has released new versions of PaperCut MF and PaperCut NG - 20.1.7, 21.2.11, and 22.0.9 - that resolve the issues.
Because the vulnerability was originally submitted through the Trend Micro Zero Day Initiative, Trend Micro was able to analyze it and develop the following rules and filters, which can help provide protection against potential exploitation of this vulnerability.
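The quickest way to confirm exposure across a fleet is to compare each server's reported version against the fixed releases listed above. The following script is an added example (not Trend Micro's or PaperCut's code). It assumes that branches 20.x, 21.x and 22.x are fixed from 20.1.7, 21.2.11 and 22.0.9 onward, that branches older than 20 are treated as unpatched because no fixed release is listed for them, and that branches newer than 22 are reported as unknown rather than guessed. The inventory is constructed sample data.

```python
"""Triage PaperCut MF/NG versions against the fixed releases for
CVE-2023-27350 / CVE-2023-27351 (20.1.7, 21.2.11, 22.0.9).

Added example, not vendor code. Assumptions:
- Branches 20, 21 and 22 are fixed from the listed release onward.
- Branches older than 20 have no listed fix and are treated as unpatched.
- Branches newer than 22 are not covered by this list and are reported
  as unknown so they are checked against the vendor advisory instead.
- A version string starts with dotted numerics; any trailing text such as
  " (Build 65939)" is ignored.
"""
import re

# Minimum patched release per major branch, taken from the article.
FIXED_RELEASES = {
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}


def parse_version(text):
    """Return the leading dotted-numeric part of a version string as a
    3-tuple of ints, e.g. "21.2.11 (Build 65939)" -> (21, 2, 11)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    # Pad short strings so "22.0" compares as (22, 0, 0); drop extras.
    return tuple((parts + [0, 0, 0])[:3])


def is_patched(version_text):
    """True if at/above the fixed release on its branch, False if below it
    or on an older unlisted branch, None if the branch is newer than the
    list and must be checked against the vendor advisory."""
    version = parse_version(version_text)
    branch = version[0]
    if branch in FIXED_RELEASES:
        return version >= FIXED_RELEASES[branch]
    if branch < min(FIXED_RELEASES):
        return False  # no fixed release listed: upgrade to a fixed branch
    return None


def triage(inventory):
    """Map hostname -> 'patched' | 'vulnerable' | 'unknown' for a
    {hostname: version_string} inventory."""
    labels = {True: "patched", False: "vulnerable", None: "unknown"}
    return {host: labels[is_patched(ver)] for host, ver in inventory.items()}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = {
    "print-01": "22.0.9 (Build 65939)",
    "print-02": "21.2.10",
    "print-03": "19.2.3",
    "print-04": "23.0.1",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

Hosts reported as "vulnerable" should be upgraded to the fixed release for their branch, and "unknown" hosts should be checked against PaperCut's current advisory rather than assumed safe.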
Trend Micro Cloud One - Network Security & TippingPoint Protection Filters
- 42626: HTTP: PaperCut NG SetupCompleted Authentication Bypass Vulnerability (ZDI-23-233)
- 42258: HTTP: PaperCut NG SecurityRequestFilter Authentication Bypass Vulnerability (ZDI-23-232)
Trend Micro Cloud One - Workload Security & Deep Security IPS Rules
- 1011731 - PaperCut NG Authentication Bypass Vulnerability (CVE-2023-27350)
- 1011732 - PaperCut NG Authentication Bypass Vulnerability (CVE-2023-27351)
Trend Micro Deep Discovery Inspector (DDI) Rules
- Rule 4835: CVE-2023-27350 - PaperCut MF/NG Authentication Bypass Exploit - HTTP (REQUEST)
- Rule 4836: CVE-2023-27351 - PaperCut MF/NG Authentication Bypass Exploit - HTTP (REQUEST)
Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.)
Trend Micro threat hunters have observed potential ransomware drops as part of ongoing campaigns. Observed ransomware detections include:
- Ransom.Win32.LOCKBIT.SMYXCJN
Trend Micro is continuing to monitor and research this ongoing campaign and will update this article as more information becomes available.