After much hyping, and after a third party prematurely leaked information, security researcher Simone Margaritelli has released details about four zero-day vulnerabilities in the Common UNIX Printing System (CUPS) that can be abused by remote, unauthenticated attackers to achieve code execution on vulnerable Linux and Unix-like systems.
The CUPS vulnerabilities
CUPS is an open-source printing system that allows the computer on which it is installed to act as a print server. It is developed by OpenPrinting, a free software organization under The Linux Foundation.
CUPS redirects and manages print jobs submitted by client computers to local or network-attached printers via the Internet Printing Protocol (IPP).
The vulnerabilities discovered by Margaritelli (aka EvilSocket) affect several CUPS components/packages:
- CVE-2024-47176, in the cups-browsed (up to version 2.0.1) helper daemon, which allows attackers to submit packets via the IPP default port (UDP 631) and trick it to request arbitrary, attacker-controlled URLs
- CVE-2024-47076, in libcupsfilters (up to version 2.1b1), which allows attackers to pass malicious data to other CUPS components
- CVE-2024-47175, in libppd (up to version 2.1b1), which allows attackers to inject malicious data in the temporary PPD file to pass to CUPS components
- CVE-2024-47177, in cups-filters (up to version 2.0.1), which allows attackers to execute arbitrary commands via the FoomaticRIPCommandLine PPD parameter
By chaining some of these flaws, “a remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP URLs with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer),” Margaritelli explained.
To trigger command execution, though, a user must launch a print job on the malicious printer.
“According to the researcher’s disclosure blog, affected systems are exploitable from the public internet, or across network segments, if UDP port 631 is exposed and the vulnerable service is listening,” Rapid7 researchers noted.
Who’s affected and what to do?
CUPS is used by most Linux distros and some BSD ones. Some enable it by default, and some do not. (A version of CUPS is also shipped with macOS and iOS.)
OpenPrinting has published some fixes and a temporary workaround for CVE-2024-47176, and the various distros are working on porting them.
While waiting for updated CUPS packages, Margaritelli advises disabling and/or removing the cups-browsed service and “in case your system can’t be updated and for some reason you rely on this service, block[ing] all traffic to UDP port 631 and possibly all DNS-SD traffic.”
Red Hat has explained how its customers can check whether cups-browsed is running on their system and how to stop it from running and re-starting on reboot.
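The check and the workaround described above, written out as an added example script. It is not part of the article and is not Red Hat's or OpenPrinting's own guidance; it assumes a systemd-based host with `ss` and `iptables` available, and the sample `ss` listing it parses is constructed for an offline demonstration.

```shell
#!/bin/sh
# Added example (not from the article, Red Hat or OpenPrinting): detect the
# cups-browsed exposure discussed above and apply the quoted mitigation
# (stop/disable cups-browsed, block inbound UDP 631).
# Assumes: systemd host, `ss` and `iptables` present; run mitigate() as root.

# Read an `ss -ulnp` style listing on stdin, print the process names bound to
# UDP port 631 (one per line), and exit 0 if at least one was found, 1 otherwise.
udp631_listeners() {
    awk '
        # column 4 is "Local Address:Port" in ss output (IPv4 or [::] form)
        $4 ~ /:631$/ {
            found = 1
            # process names appear as users:(("name",pid=...,fd=...))
            if (match($0, /\("[^"]+"/)) {
                print substr($0, RSTART + 2, RLENGTH - 3)
            } else {
                print "(unknown process)"
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Live check on the current host: service state plus anything bound to UDP 631.
check_live() {
    state=$(systemctl is-active cups-browsed 2>/dev/null || true)
    printf 'cups-browsed service: %s\n' "${state:-unknown}"
    if ss -ulnp 2>/dev/null | udp631_listeners; then
        echo 'UDP 631 is bound: cups-browsed (or another IPP listener) is reachable'
    else
        echo 'nothing bound to UDP 631'
    fi
}

# Mitigation quoted in the article: stop cups-browsed, keep it from starting on
# reboot, then drop inbound UDP 631. `mask` is an extra step added here so that
# no other unit can pull the service back in. DNS-SD discovery rides on mDNS
# (UDP 5353) if you also choose to block it, as the researcher suggests.
mitigate() {
    systemctl stop cups-browsed
    systemctl disable cups-browsed
    systemctl mask cups-browsed
    iptables -I INPUT -p udp --dport 631 -j DROP
}

# Constructed sample of `ss -ulnp` output so the parser can be exercised offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=700,fd=12))
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*         users:(("cups-browsed",pid=1234,fd=7))'

# Demonstration run against the constructed sample; prints "cups-browsed".
printf '%s\n' "$SAMPLE_SS" | udp631_listeners
```

On a real host, run `check_live` first; only if it reports cups-browsed bound to UDP 631 and no patched package is available does `mitigate` (as root) apply the workaround the article quotes.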
Margaritelli says he found hundreds of thousands of potentially vulnerable devices. Tenable researchers tried using Shodan and FOFA (search engines for internet-connected devices) and found “a significant number of hosts that do appear to be internet-accessible with a majority of the results using the default port, 631.”
So far, there have been no reports of these flaws being leveraged by attackers in the wild, but proof-of-concept (PoC) exploits – including one by Margaritelli – are public.
“From what we’ve gathered, these flaws are not at a level of a Log4Shell or Heartbleed,” Tenable senior staff research engineer Satnam Narang told Help Net Security.
“For organizations that are honing in on these latest vulnerabilities, it’s important to highlight that the flaws that are most impactful and concerning are the known vulnerabilities that continue to be exploited by advanced persistent threat groups with ties to nation states, as well as ransomware affiliates that are pilfering from corporations millions of dollars each year.”