PaperCut Mobility Print versions prior to, on all OS platforms (excluding fixed versions named below). This CVE only impacts PaperCut Mobility Print. Note: FluidAttacks are looking to publicly disclose additional information in the upcoming weeks. This vulnerability has been rated with a CVSS score of 4.8: (CVSSv3 Vector: This issue could allow a malicious actor to craft a link that is sent to an authenticated administrator that could lead to changing Mobility Print settings. We want to thank the security researchers at FluidAttacks, in particular Carlos Bello. Customers who have disabled Mobility Print auto-updates are encouraged to review their Mobility Print version. Mobility Print is auto-updating and a fix for this has already been deployed to customers who have auto-updates enabled. While there are many features that you can enable by selecting checkboxes and changing options in the Admin web interface, scripting your own behavior introduces a whole new level of customization. Security Issues Addressed Address potential CSRF attack in Mobility Print (CVE-2023-2508) PaperCut NG/MF’s advanced scripting interface is a powerful and flexible feature that you can use to define and fine-tune your printing policy. For organisations running Linux and macOS servers, if the inbuilt GhostScript is utilised, we recommend making sure the OS system updates are being applied. In line with best practice we will be updating GhostTrap in the near future; however, NO urgent action is required. All of PaperCut’s products and setup documentation for Windows platforms use GhostTrap, and we can confirm that we have reviewed recent exploits and checked that the sandboxing measures of GhostTrap offer the protection as expected. GhostTrap brings best of breed sandboxing technology out of Google Chrome to protect against issues that may exist with the GhostScript code.
With our security-focused mindset this worried us so we started a new open-source project called Set the secondary sync source (optional) Set the sync options. To synchronize your user data with Active Directory: Set the primary sync source. Why? Back in 2012 the PaperCut engineering team discovered a number of bugs in GhostScript that could potentially lead to vulnerabilities, and these were reported to the GhostScript team at the time. PaperCut NG/MF’s Active Directory integration is performed at a native level and supports advanced features, such as nested groups and OUs. If you’re using GhostTrap, then you have significant protection against GhostScript exploits. There have recently been some GhostScript vulnerabilities in the news. This information provider is called the Print Provider. Executive Summary / tl;dr Clarification of GhostScript vulnerabilities in the news, and a potential CSRF issue has been found in Mobility Print (fixed via auto update). PaperCut NG/MF uses providers to submit print queue/job information to its Application Server. In this bulletin we cover the security improvements addressed in PaperCut Mobility Print. For other Security vulnerability and Security bulletin information, see our Security vulnerability information and common security questions page.