Linux CUPS Printing System

A new set of security vulnerabilities has been disclosed in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems that could permit remote command execution under certain conditions.

"A remote unauthenticated attacker can silently replace existing printers' (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer)," security researcher Simone Margaritelli said.

CUPS is a standards-based, open-source printing system for Linux and other Unix-like operating systems, including ArchLinux, Debian, Fedora, Red Hat Enterprise Linux (RHEL), ChromeOS, FreeBSD, NetBSD, OpenBSD, openSUSE, and SUSE Linux.

The list of vulnerabilities is as follows -

  • CVE-2024-47176 - cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL
  • CVE-2024-47076 - libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system
  • CVE-2024-47175 - libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data in the resulting PPD
  • CVE-2024-47177 - cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter

A net consequence of these shortcomings is that they could be fashioned into an exploit chain that allows an attacker to create a malicious, fake printing device on a network-exposed Linux system running CUPS and trigger remote code execution upon sending a print job.

Cybersecurity

"The issue arises due to improper handling of 'New Printer Available' announcements in the 'cups-browsed' component, combined with poor validation by 'cups' of the information provided by a malicious printing resource," network security company Ontinue said.

"The vulnerability stems from inadequate validation of network data, allowing attackers to get the vulnerable system to install a malicious printer driver, and then send a print job to that driver triggering execution of the malicious code. The malicious code is executed with the privileges of the lp user – not the superuser 'root.'"

RHEL, in an advisory, said all versions of the operating system are affected by the four flaws, but noted that they are not vulnerable in their default configuration. It tagged the issues as Important in severity, given that the real-world impact is likely to be low.

"By chaining this group of vulnerabilities together, an attacker could potentially achieve remote code execution which could then lead to theft of sensitive data and/or damage to critical production systems," it said.

Cybersecurity firm Rapid7 pointed out that affected systems are exploitable, either from the public internet or across network segments, only if UDP port 631 is accessible and the vulnerable service is listening.

Palo Alto Networks has disclosed that none of its products and cloud services contain the aforementioned CUPS-related software packages, and therefore are not impacted by the flaws.

Patches for the vulnerabilities are currently being developed and are expected to be released in the coming days. Until then, it's advisable to disable and remove the cups-browsed service if it's not necessary, and block or restrict traffic to UDP port 631.

"It looks like the embargoed Linux unauth RCE vulnerabilities that have been touted as doomsday for Linux systems, may only affect a subset of systems," Benjamin Harris, CEO of WatchTowr, said in a statement shared with The Hacker News.

Cybersecurity

"Given this, while the vulnerabilities in terms of technical impact are serious, it is significantly less likely that desktop machines/workstations running CUPS are exposed to the Internet in the same manner or numbers that typical server editions of Linux would be."

Satnam Narang, senior staff research engineer at Tenable, said these vulnerabilities are not at a level of a Log4Shell or Heartbleed.

"The reality is that across a variety of software, be it open or closed source, there are a countless number of vulnerabilities that have yet to be discovered and disclosed," Narang said. "Security research is vital to this process and we can and should demand better of software vendors."

"For organizations that are honing in on these latest vulnerabilities, it's important to highlight that the flaws that are most impactful and concerning are the known vulnerabilities that continue to be exploited by advanced persistent threat groups with ties to nation states, as well as ransomware affiliates that are pilfering corporations for millions of dollars each year."

Nearly 75,000 Machines Expose CUPS

Akamai, in its own insights into the CUPS flaws, said an attack leveraging these flaws isn't "particularly complex," but emphasized that it requires multiple steps for successful exploitation.

It also said it found about 75,000 machines worldwide that expose CUPS to the internet, with the web infrastructure company finding the service running on several platforms, including Ubuntu, macOS, CentOS, Debian, Fedora, OpenShift, Oracle Linux Server, Red Hat, Rocky Linux, SUSE, openSUSE, AlmaLinux, Amazon Linux, and others.

The top five regions with the most exposed instances are South Korea (21,974), the United States (11,413), Hong Kong (4,772), Germany (4,723), and China (4,570).

"Approximately 5.4% of Linux machines are exposed to the internet and receive incoming traffic from external sources," Akamai noted.

"When inspecting network policies that affect this traffic, we saw that 19.3% of those machines allow incoming internet traffic by default — meaning that no specific network policies are in place to restrict or control the flow of incoming traffic."

CUPS Vulnerability Scanner Released

Security researcher Marcus Hutchins, who goes by the online alias MalwareTech, has released an automated scanner on GitHub to scan local networks for devices vulnerable to CVE-2024-47176.

"The vulnerability arises from the fact that cups-browsed binds its control port (UDP port 631) to INADDR_ANY, exposing it to the world," Hutchins said. "Since requests are not authenticated, anyone capable of reaching the control port can instruct cups-browsed to perform printer discovery."

"In cases when the port is not reachable from the internet (due to firewalls or NAT), it may still be reachable via the local network, enabling privilege escalation and lateral movement."

(The story was updated after publication on October 9, 2024, to include details about the CVE-2024-47176 vulnerability scanner.)


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.