A new set of security vulnerabilities has been disclosed in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems that could allow remote command execution under certain conditions.
“A remote unauthenticated attacker could surreptitiously substitute existing printer IPP URLs with a malicious one, leading to the execution of arbitrary commands on the computer when a print job is initiated from that device,” security researcher Simone Margaritelli said.
CUPS is a standards-based, open-source printing system for Linux and other Unix-like operating systems, shipped by distributions and platforms including Arch Linux, Debian, Fedora, Red Hat Enterprise Linux (RHEL), ChromeOS, FreeBSD, NetBSD, OpenBSD, openSUSE, and SUSE Linux.
The four vulnerabilities are as follows –
- CVE-2024-47176 – cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL
- CVE-2024-47076 – libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system
- CVE-2024-47175 – libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data in the resulting PPD
- CVE-2024-47177 – cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter
These flaws can be chained into a single exploit: an attacker advertises a malicious, fake printer to a network-accessible Linux system running cups-browsed, the system adds it automatically, and arbitrary code runs on that system the moment a print job is sent to the rogue printer.
“The root cause lies in the mishandling of ‘New Printer Available’ announcements in the ‘cups-browsed’ component, coupled with inadequate validation by ‘cups’ of the data supplied by a malevolent printing source,” security company Ontinue said.
“The vulnerability originates from insufficient validation of network input, enabling threat actors to coerce the vulnerable system to set up a rogue printer driver and then dispatch a print job to that driver, thereby triggering the execution of malign code. The malign code is run with the permissions of the lp user – not the privileged ‘root’ user.”
Red Hat, in an advisory, said all versions of RHEL are affected by the four vulnerabilities, but noted that they are not exploitable in the default configuration, since cups-browsed is not enabled there. It rated the issues Important in severity, while stating that the real-world impact is likely to be low.
“By linking this series of vulnerabilities together, an attacker might potentially accomplish remote code execution that could subsequently result in the theft of confidential data and/or harm to critical production systems,” it said.
Cybersecurity company Rapid7 noted that vulnerable systems can be exploited either from the public internet or across network segments, provided UDP port 631 is reachable and the cups-browsed service is listening on it.
Palo Alto Networks has stated that its products and cloud services do not ship the affected CUPS-related packages and are therefore not affected by the vulnerabilities.
Patches for the vulnerabilities are being developed and are expected to be released in the coming days. Until then, it is advisable to disable and remove the cups-browsed service if it is not needed, and to block or restrict inbound traffic to UDP port 631 at the host or network firewall.
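The following shell script is an added triage helper, not code from the article, from OpenPrinting or from any vendor advisory. It checks the precondition for CVE-2024-47176 on a host (a UDP socket on port 631 bound to a wildcard address, as seen in `ss -Hulnp` output) and prints the interim mitigations described above. The function names, the constructed sample socket lines (pids and fds are invented) and the choice of iptables for the firewall rule are assumptions of this example.

```shell
#!/bin/sh
# Added triage helper (not from the article or OpenPrinting): checks the
# precondition for CVE-2024-47176, a UDP socket on port 631 bound to a
# wildcard address, and prints the interim mitigations named in the article.
# Function names, sample socket lines and the iptables rule are my own choices.

# classify_udp631: read `ss -Hulnp` output on stdin and print one word:
#   EXPOSED  - a UDP socket on port 631 is bound to 0.0.0.0, * or [::]
#   LOOPBACK - port 631/udp is bound only to a non-wildcard address
#   NONE     - nothing is bound to 631/udp
classify_udp631() {
    awk '
        # ss -Hulnp columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        $1 == "UNCONN" {
            local = $4
            n = split(local, f, ":")
            port = f[n]
            if (port != "631") next
            addr = substr(local, 1, length(local) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") wild = 1
            else seen = 1
        }
        END {
            if (wild) print "EXPOSED"
            else if (seen) print "LOOPBACK"
            else print "NONE"
        }
    '
}

# Constructed sample `ss -Hulnp` output for offline use (pid/fd values invented).
SAMPLE_EXPOSED='UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=812,fd=7))
UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=600,fd=5))'
SAMPLE_LOOPBACK='UNCONN 0 0 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=700,fd=9))'

# mitigate: print (or, with APPLY=1, run as root) the interim steps:
# stop and mask cups-browsed, and drop inbound UDP/631.  iptables is assumed;
# substitute the equivalent nft, ufw or firewalld rule on other hosts.
mitigate() {
    for cmd in \
        'systemctl disable --now cups-browsed' \
        'systemctl mask cups-browsed' \
        'iptables -I INPUT -p udp --dport 631 -j DROP'
    do
        if [ "${APPLY:-0}" = 1 ]; then
            echo "+ $cmd"; sh -c "$cmd"
        else
            echo "would run: $cmd"
        fi
    done
}

# With --live, inspect the real host (ss from iproute2); otherwise demo on the sample.
if [ "${1:-}" = "--live" ] && command -v ss >/dev/null 2>&1; then
    verdict=$(ss -Hulnp | classify_udp631)
else
    verdict=$(printf '%s\n' "$SAMPLE_EXPOSED" | classify_udp631)
fi
echo "udp/631 status: $verdict"
if [ "$verdict" = EXPOSED ]; then
    mitigate
fi
```

Run it as `sh check_cups_browsed.sh --live` on a host to inspect the real socket table, and with `APPLY=1` (as root) to actually apply the three mitigation commands; without arguments it classifies the embedded sample and only prints what it would run. A LOOPBACK verdict still deserves attention on distributions that patch the bind address rather than remove the service, since the other three CVEs concern what happens after a printer is discovered, not only how the announcement arrives.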
“It appears that the confidential Linux unauthenticated RCE vulnerabilities, hyped as catastrophic for Linux systems, may exclusively impact a subset of systems,” said Benjamin Harris, CEO of watchTowr, in a statement shared with The Hacker News.

“Considering this, while the technical impact of these vulnerabilities is substantial, it is considerably less probable that desktop computers/workstations utilizing CUPS are exposed to the internet in the same manner or volume as typical server editions of Linux would be.”
Satnam Narang, senior staff research engineer at Tenable, said these vulnerabilities are not of the same magnitude as Log4Shell or Heartbleed.
“The truth is that numerous vulnerabilities, whether in open-source or proprietary software, are yet to be uncovered and disclosed,” Narang emphasized. “Security research plays a crucial role in this process, and we need to demand better from software vendors.”
“For entities focusing on these latest vulnerabilities, it’s crucial to emphasize that the most impactful and troubling flaws are the known vulnerabilities persistently exploited by sophisticated threat groups associated with nation states, as well as ransomware actors extorting corporations for millions of dollars annually.”