CUPS Vulnerability Allows Unauthenticated RCE on Linux Systems
Several critical security vulnerabilities have been uncovered in the Common UNIX Printing System (CUPS), a widely used open-source printing system for Unix-like operating systems.
The flaws, which could potentially allow remote code execution under certain conditions, have initially raised alarms in the Linux community and prompted urgent calls for mitigation.
The vulnerabilities, tracked as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177, were discovered by security researcher Simone Margaritelli. These flaws affect various components of the CUPS system, including libcupsfilters, libppd, cups-browsed, and cups-filters.
The most critical of these vulnerabilities, CVE-2024-47176, allows an unauthenticated attacker to potentially execute arbitrary code on a victim's machine through a chain of exploits.
This vulnerability stems from the cups-browsed daemon, which is responsible for discovering and automatically adding network printers to a system.
According to the research findings, the exploit chain works as follows:
- The cups-browsed service must be manually enabled or started on the target system.
- An attacker gains access to a vulnerable server, either through unrestricted access like the public internet or by compromising an internal network where local connections are trusted.
- The attacker advertises a malicious Internet Printing Protocol (IPP) server, effectively provisioning a rogue printer.
- When a potential victim attempts to print from the malicious device, the attacker can execute arbitrary code on the victim's machine.
It's important to note that while all versions of Red Hat Enterprise Linux (RHEL) are affected by these vulnerabilities, they are not vulnerable in their default configurations. This is because the cups-browsed service is typically not enabled by default on most systems.
Red Hat has rated these issues with a severity impact of "Important" rather than "Critical," citing the specific conditions required for exploitation. However, the potential impact of a successful exploit could be severe, potentially leading to theft of sensitive data or damage to critical production systems.
The discovery of these vulnerabilities has sparked a broader conversation about the security of printing systems in Unix-like environments.
In response to the discovery of these vulnerabilities, Red Hat and other affected parties have released advisories and mitigation measures. The primary recommendation for system administrators is to disable the cups-browsed service if it's not necessary for their operations. This can be done using the following commands:
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
For systems that require the cups-browsed service, it's recommended to block all traffic to UDP port 631 and possibly all DNS-SD traffic, though this may be challenging for systems relying on zeroconf networking.
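To decide which of the two mitigations above a host needs, the following added example (not from Red Hat or the CUPS project) classifies exposure from the service state and the UDP sockets bound to port 631. The function name, verdict strings and sample socket lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Classify cups-browsed exposure from the service state and `ss -H -uln` output.
# classify_exposure, its verdict strings and SAMPLE_SS are illustrative
# assumptions, not part of CUPS or any vendor tooling.

# $1 = output of `systemctl is-active cups-browsed`
# $2 = output of `ss -H -uln` (UDP listeners, numeric, no header line)
classify_exposure() {
  # Service not running: nothing is accepting printer announcements.
  [ "$1" = "active" ] || { echo "not-running"; return 0; }
  printf '%s\n' "$2" | awk '
    {
      # The local address is the first field that ends in ":631".
      for (i = 1; i <= NF; i++) if ($i ~ /:631$/) {
        seen = 1
        # Anything other than a loopback bind is reachable from the network.
        if ($i !~ /^(127\.|\[::1\])/) exposed = 1
        break
      }
    }
    END {
      print (!seen ? "running-no-udp631" : (exposed ? "network-exposed" : "loopback-only"))
    }'
}

# Constructed sample; columns are State Recv-Q Send-Q Local Peer.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*'

classify_exposure active "$SAMPLE_SS"

# On a live host:
#   classify_exposure "$(systemctl is-active cups-browsed)" "$(ss -H -uln)"
```

A result of network-exposed means the host should either have cups-browsed stopped and disabled or have UDP port 631 blocked at the firewall, as described above.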
The broader Linux community and various distributions are working on developing and deploying patches to address these vulnerabilities. However, as of the latest reports, no comprehensive fix has been released.
Simone Margaritelli also noted that CERT's VINCE either has a backdoor or an inside leak, because someone on a hacking forum published details of the flaw as it had been shared with CERT VINCE, including exploit code.
This series of vulnerabilities in CUPS underscores the critical nature of printing systems in modern computing environments and the potential security risks they can pose if not properly secured and maintained.