In this advisory we provide information around a recently discovered and patched Papercut Server vulnerability, recent vulnerabilities associated with Paessler PRTG Network Monitor and finally we add some commentary and awareness in relation to Microsoft’s recent updates.
Papercut
A recent vulnerability regarding Papercut Servers has been disclosed.
CVE-2023-39143 is rated as 9.8 on the CVSS3 scale and we urge all partner with impacted versions, remediate the vulnerability in a prompt manner.
This vulnerability impacts Windows based PaperCut servers with “External device integration” enabled. This allows the possibility for file tampering and uploads which could lead to remote code execution. Direct server IP access is required, however a point of note is that this setting is enabled by default in certain PaperCut NG Commercial and PaperCut MF versions.
This differs from the recent Papercut vulnerability (CVE-2023-27350) in that it is significantly more complex to exploit, requiring the chaining of security flaws in order for a successful compromise to occur. The proof of concept code has not been made publicly available (as yet).
Impacted Version(s)
- Papercut MF / MF < 22.1.3 (Windows application servers only)
Remediation/ Mitigation Strategy
To remediate the vulnerability, partners are urged to update to the July release of PaperCut NG or update to MF 22.1.3.
The Check for updates link in the PaperCut NG/MF admin interface allows customers to download the latest version of PaperCut NG or MF. You will find this at PaperCut NG/MF Admin interface > About > Version info > Check for updates.
If it is impractical to update, mitigation actions are available. To mitigate the risk of exploitation, administrators can set up an allow-list and populate it with device IP addresses permitted to communicate with the server. This additional security measure can help reduce the exposure to potential attackers, however updating the application is strongly recommended.
Further reading
- https://www.papercut.com/kb/Main/securitybulletinjuly2023/
- https://www.papercut.com/help/manuals/ng-mf/applicationserver/security/secure-configuration/
- https://socradar.io/complex-rce-vulnerability-cve-2023-39143-in-papercut-application-servers/
Paessler PRTG Network Monitor
Multiple vulnerabilities have been discovered in Paessler PRTG Network Monitor, a popular piece of network monitoring software. These vulnerabilities have recently been addressed in a software update.
CVE-2023-31448
CVE-2023-31449
CVE-2023-31450
Multiple path traversal vulnerabilities exist in impacted versions which could allow a threat actor to trick one of the sensors into behaving differently for existing files and non-existing files. This may allow the execution of files outside of the custom sensors folder.
CVE-2023-31452
Cross site request vulnerability exists that permits external actors to act as a legitimate user under certain conditions. In order for this to be successfully exploited, a victim user must have an active session, and must trigger a crafted fraudulent request.
CVE-2023-32781
CVE-2023-32782
A debugging feature can be abused such that an authenticated user may write new files that can be executed by the EXE/Script sensor.
Impacted Version(s)
- PRTG 23.2.84.1566 and earlier
Remediation/ Mitigation Strategy
If automatic updates are enabled, verify that version 23.3.86.1520 or higher is in use. Otherwise update to PRTG 23.3.86.1520
Further reading
- https://kb.paessler.com/en/topic/91845-multiple-vulnerabilites-fixed-in-paessler-prtg-network-monitor-23-3-86-1520
- https://www.cvedetails.com/vulnerability-list/vendor_id-5034/Paessler.html
Microsoft Noteworthy items
There were two note worthy vulnerabilities from the Microsoft recent patching cycle. The vulnerabilities of note impact Kestrel and Microsoft Exchange respectively.
.NET and Visual Studio Denial of Service Vulnerability
A vulnerability in Kestrel could allow for a denial of service.
What is Kestrel? Kestrel is the cross-platform web server that is included with (and enabled by default in) ASP.NET Core. When detecting a potentially malicious client, Kestrel will sometimes fail to disconnect said client, resulting in the denial of service.
Identified as CVE-2023-38180 this vulnerability is being exploited in the wild. Customers utilising these platforms and deploying solutions, should download and update the Security updates as soon as possible.
Impacted Version(s)
- Microsoft Visual Studio 2022 version 17.6
- Microsoft Visual Studio 2022 version 17.4
- Microsoft Visual Studio 2022 version 17.2
- .NET 7.0
- .NET 6.0
- ASP.NET Core 2.1
Remediation/ Mitigation Strategy
Download the Security updates provided by Microsoft as per links in https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-38180
Further reading
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-38180
- https://www.tripwire.com/state-of-security/vert-threat-alert-august-2023-patch-tuesday-analysis
Microsoft Exchange Server Elevation of Privilege VulnerabilityAnother critical vulnerability has been identified within various Microsoft Exchange products. The Microsoft Exchange Server Elevation of Privilege Vulnerability, identified as CVE-2023-21709, the vulnerability is not currently being exploited, but given the nature of these assets it is recommended that the updates be applied and associated scripts processed as soon as practical.
Impacted Version(s)
- Microsoft Exchange Server 2019 Cumulative Update 12
- Microsoft Exchange Server 2019 Cumulative Update 13
- Microsoft Exchange Server 2016 Cumulative Update 23
Remediation/ Mitigation Strategy
Microsoft recommended the following steps:
1. (Strongly recommended) Install Exchange Server 2016 or 2019 August SU (or later)
2. Do one of the following:
Apply the solution for the CVE automatically on your servers, run the CVE-2023-21709.ps1 script. You can find the script and the documentation here: https://aka.ms/CVE-2023-21709ScriptDoc.
or
Apply the solution for the CVE manually on each server, by running the following command from an elevated PowerShell window:
Clear-WebConfiguration -Filter "/system.webServer/globalModules/add[@name='TokenCacheModule']" -PSPath "IIS:\"
To roll-back the solution for the CVE manually on each server, run the following:
New-WebGlobalModule -Name "TokenCacheModule" -Image "%windir%\System32\inetsrv\cachtokn.dll"
Although Microsoft recommends installing the security updates as soon as possible, running the script or the commands on a supported version of Exchange Server prior to installing the updates will address this vulnerability.
Further reading
Microsoft Office Defense in Depth update
Microsoft have also released a Microsoft Office Defense in Depth update for Microsoft Office that helps to stop the attach chain that allows for successful exploitation of the Windows Search security feature bypass (CVE-2023-368884).
