Significant Linux CUPS Printing System Weaknesses That Might Enable Remote Command Execution
A recent collection of security vulnerabilities has been revealed in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems that might allow for remote command execution in specific scenarios.
Security researcher Simone Margaritelli said, “An external unauthenticated attacker has the ability to discreetly swap out existing printers’ (or set up new ones) IPP urls with a malicious one, leading to arbitrary command execution (on the computer) when a print job is initiated (from that computer).”
CUPS is a standards-based, unrestricted open-source printing system designed for Linux and other Unix-like operating systems, including ArchLinux, Debian, Fedora, Red Hat Enterprise Linux (RHEL), ChromeOS, FreeBSD, NetBSD, OpenBSD, openSUSE, and SUSE Linux.
The list of weaknesses includes the following:
- CVE-2024-47176 – cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL
- CVE-2024-47076 – libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system
- CVE-2024-47175 – libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data in the resulting PPD
- CVE-2024-47177 – cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter
A notable consequence of these flaws is that they could be combined into an exploit chain that lets an attacker create a malicious, fake printing device on a network-accessible Linux system running CUPS and trigger remote code execution when a print job is sent.
According to network security company Ontinue, “The problem arises due to inadequate handling of ‘New Printer Available’ announcements in the ‘cups-browsed’ component, combined with insufficient validation by ‘cups’ of the information supplied by a malevolent printing resource.”
“The vulnerability results from subpar validation of network data, granting attackers the ability to convince the vulnerable system to install a malevolent printer driver, and subsequently send a print job to that driver triggering the execution of the harmful code. The executed malicious code functions with the privileges of the lp user – not the all-powerful ‘root.’”
RHEL mentioned in an advisory that all versions of the operating system are impacted by the four flaws but clarified that in their default configuration, they are not vulnerable. They classified the issues as Significant in severity, considering that the actual impact in practice is expected to be minimal.
According to Red Hat’s statement, “By chaining these vulnerabilities together, an attacker could potentially accomplish remote code execution, leading to potential theft of confidential data and/or disruption to crucial production systems.”
Cybersecurity company Rapid7 highlighted that affected systems are exploitable, either from the public internet or across network segments, only if UDP port 631 is accessible and the vulnerable service is listening.
Palo Alto Networks stated that none of its products and cloud services include the mentioned CUPS-related software packages, and thus are not impacted by the vulnerabilities.
Patches for the vulnerabilities are currently in progress and are anticipated to be rolled out shortly. In the meantime, it is recommended to deactivate and uninstall the cups-browsed service if it is not essential and to block or limit traffic to UDP port 631.
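The exposure condition and interim mitigation described above can be triaged per host. The script below is an added example, not part of the original article or of any vendor advisory; the function names `exposed_udp631` and `triage` and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage of the condition the advisories describe,
# a listener on UDP 631 reachable beyond loopback (cups-browsed).

# Constructed sample of `ss -H -uln` output; not captured from a real host.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
UNCONN 0 0 [::1]:631 [::]:*'

# stdin: `ss -H -uln` lines. stdout: local sockets bound to UDP 631 on a
# non-loopback address (wildcard or a specific interface address).
exposed_udp631() {
  awk '{
    addr = ""
    # The first addr:port field on the line is the local socket.
    for (i = 1; i <= NF; i++) if ($i ~ /:[0-9*]+$/) { addr = $i; break }
    if (addr !~ /:631$/) next
    host = addr; sub(/:631$/, "", host)
    if (host ~ /^127\./ || host == "[::1]") next   # loopback only
    print addr
  }'
}

# $1: state printed by `systemctl is-active cups-browsed`
# $2: `ss -H -uln` output. Prints one triage verdict.
triage() {
  listeners=$(printf '%s\n' "$2" | exposed_udp631)
  if [ -n "$listeners" ]; then
    echo "EXPOSED: UDP 631 bound on" $listeners
  elif [ "$1" = "active" ]; then
    echo "REVIEW: cups-browsed active but no non-loopback UDP 631 listener"
  else
    echo "OK: cups-browsed not active and UDP 631 not exposed"
  fi
}

# Demo on the constructed sample. On a live host, run instead:
#   triage "$(systemctl is-active cups-browsed)" "$(ss -H -uln)"
triage active "$SAMPLE_SS"
```

A host reported as EXPOSED is a candidate for the interim steps above: stop and remove cups-browsed if it is not needed, and block or limit inbound UDP 631.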
“It seems that the unreleased Linux unauth RCE vulnerabilities that have been publicized as cataclysmic for Linux systems, might affect only a subset of systems,” stated Benjamin Harris, CEO of WatchTowr, in a statement shared with The Hacker News.

“Given this, while the vulnerabilities in terms of technical impact are serious, it is significantly less likely that desktop machines/workstations running CUPS are exposed to the Internet in the same manner or numbers that typical server editions of Linux would be.”
Satnam Narang, senior staff research engineer at Tenable, expressed that these vulnerabilities do not reach the severity level of a Log4Shell or Heartbleed.
“The truth is, there are innumerable vulnerabilities yet to be discovered and disclosed across various software solutions, whether open source or proprietary,” Narang commented. “Security research is an indispensable aspect of this process, and we can and should demand better from software providers.”
“For organizations focusing on these latest vulnerabilities, it’s crucial to emphasize that the vulnerabilities causing the most substantial impact and worry are the known vulnerabilities that continue to be exploited by sophisticated threat groups associated with sovereign nations, as well as ransomware affiliates targeting corporations for substantial financial gains annually.”


