CUPS (Common UNIX Printing System) is the most widely used IPP-based open-source printing system on Linux, and it is also generally available on Unix-like operating systems such as FreeBSD, NetBSD and OpenBSD and their derivatives. One of its components is the cups-browsed daemon, which searches the local network for advertised network or shared printers and makes them available for printing on the machine. That discovery behaviour is the entry point of the remote code execution chain explored below.
On September 26, 2024, security researcher Simone Margaritelli disclosed an unauthenticated remote code execution exploit chain on his blog. The vulnerabilities in the chain are tracked as CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters).
If the cups-browsed daemon is enabled on a host, it listens on UDP port 631 and, by default, accepts printer announcements from any device that can reach that port. An attacker can therefore advertise a printer whose IPP URL points at a server they control: cups-browsed fetches the printer's attributes from that URL, and because the attributes are not sanitized, the PostScript Printer Description (PPD) file generated from them can carry attacker-controlled content. The vulnerable machine installs the resulting printer automatically and makes it available for printing. Nothing runs at that point; the malicious command in the PPD executes locally on the host only when a user on the vulnerable system sends a print job to the new printer.
Even when a vulnerable machine is present on the network, remote code execution requires all four of the following weaknesses to be present and chained together:
Package-name – cups-browsed (CVE-2024-47176)
Description: Binds on UDP INADDR_ANY:631, trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL, leading to potential remote code execution.
Package-name – libcupsfilters (CVE-2024-47076)
Description: cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system, potentially resulting in remote code execution.
Package-name – libppd and cups (CVE-2024-47175)
Description: ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data into the resulting PPD, opening up the risk of remote code execution.
Package-name – cups-filters (CVE-2024-47177)
Description: foomatic-rip executes the value of the FoomaticRIPCommandLine PPD parameter as a command, so an attacker who controls the PPD achieves code execution once a job is printed to the queue.
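Because the last link in the chain is a PPD keyword rather than a network artifact, an incident responder can triage a host by reading the PPDs cupsd has installed. The following is an added example written for this page, not code from the original post or from the CUPS project. It extracts every *FoomaticRIPCommandLine value from the PPDs in a directory; the directory (/etc/cups/ppd) and the FLAGGED heuristics are assumptions. Genuine Foomatic-generated PPDs carry this keyword too (normally a gs or pdftops pipeline), so every hit is printed for review and only command lines that pull in network clients, interpreters or /tmp paths are marked FLAGGED.

```shell
#!/bin/sh
# Added example: triage installed PPDs for *FoomaticRIPCommandLine entries.
# Assumptions: PPDs live in /etc/cups/ppd (root needed to read it), and the
# FLAGGED substrings below are a triage heuristic, not a complete IOC list.
# Usage: scan_ppds [dir]   or   sh scan_ppds.sh --scan [dir]

# Print the value of *FoomaticRIPCommandLine in one PPD, joining a value
# that spans several lines; print nothing when the keyword is absent.
ppd_rip_command() {
    awk '
        /^\*FoomaticRIPCommandLine:[[:space:]]*"/ {
            sub(/^\*FoomaticRIPCommandLine:[[:space:]]*"/, "")
            capture = 1; value = ""
        }
        capture {
            value = (value == "" ? $0 : value " " $0)
            if ($0 ~ /"[[:space:]]*$/) {
                sub(/"[[:space:]]*$/, "", value)
                print value
                capture = 0
            }
        }' "$1"
}

# One line per PPD that defines the keyword: STATUS<TAB>file<TAB>command
scan_ppds() {
    ppd_dir="${1:-/etc/cups/ppd}"
    for ppd in "$ppd_dir"/*.ppd; do
        [ -f "$ppd" ] || continue
        cmd=$(ppd_rip_command "$ppd")
        [ -n "$cmd" ] || continue
        case "$cmd" in
            *curl*|*wget*|*/dev/tcp/*|*"nc "*|*"sh -c"*|*bash*|*python*|*perl*|*/tmp/*)
                status=FLAGGED ;;
            *)
                status=REVIEW ;;
        esac
        printf '%s\t%s\t%s\n' "$status" "$ppd" "$cmd"
    done
    return 0
}

# Script mode: print the report and exit 2 when anything was FLAGGED.
if [ "${1-}" = "--scan" ]; then
    report=$(scan_ppds "${2-}")
    printf '%s\n' "$report"
    case "$report" in *FLAGGED*) exit 2 ;; esac
fi
```

A REVIEW line is not a finding on its own; compare the command with the driver the queue was set up with, and treat a FoomaticRIPCommandLine on a queue that cups-browsed created automatically as the thing to explain first.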
Uptycs Vulnerability Scan detects these CVEs; affected hosts are listed under trending vulnerabilities in the Uptycs dashboard.
To identify the hosts that have an active CUPS service running, use the following query:
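For hosts without an agent, the same question can be answered from the socket table. The script below is an added example written for this page, not the query from the original post or any Uptycs product code; it classifies a host from the output of `ss -H -ulnp` (iproute2, run as root so that other users' sockets show their process name). The parser takes the text as an argument so it can be run against output captured from many hosts; the sample lines in the block are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: classify cups-browsed exposure from `ss -H -ulnp` output.
# Result is one of:
#   EXPOSED        cups-browsed bound to UDP 631 on all interfaces (0.0.0.0 / [::])
#   LOCAL_ONLY     bound to UDP 631 on loopback only
#   NOT_LISTENING  no cups-browsed socket on UDP 631 at all
classify_cups_browsed() {
    printf '%s\n' "$1" | awk '
        BEGIN { state = "NOT_LISTENING" }
        # ss columns: State Recv-Q Send-Q Local:Port Peer:Port Process
        $4 ~ /:631$/ && $0 ~ /"cups-browsed"/ {
            addr = $4
            sub(/:631$/, "", addr)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
                state = "EXPOSED"
            else if (state != "EXPOSED")
                state = "LOCAL_ONLY"
        }
        END { print state }'
}

# Live check for this host. Exits 0 only when cups-browsed is exposed, so a
# fleet loop can do: check_this_host && echo "$(hostname) needs mitigation"
check_this_host() {
    result=$(classify_cups_browsed "$(ss -H -ulnp 2>/dev/null)")
    printf '%s\n' "$result"
    [ "$result" = EXPOSED ]
}

# Constructed sample in ss output format (not captured from a real host).
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=812,fd=7))
UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=640,fd=5))
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=700,fd=12))'

if [ "${1-}" = "--demo" ]; then
    classify_cups_browsed "$SAMPLE_SS"
elif [ "${1-}" = "--live" ]; then
    check_this_host
fi
```

A LOCAL_ONLY result still deserves a look, since the daemon is running and any later configuration change can widen the bind; NOT_LISTENING on a host that has the package installed means the unit is stopped, not that the vulnerable code is gone, so it should still be patched when fixes arrive.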
The patches are not yet released. However, it is crucial to monitor for updates, as remote code execution remains a significant concern until the vulnerabilities are resolved.
Red Hat has given the following two steps as a mitigation for systems where printing is not required.
1. To stop a running cups-browsed service, an administrator should use the following command:
2. The cups-browsed service can also be prevented from starting on reboot with:
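The following is an added example of that two-step mitigation with a verification pass; the commands are mine, not Red Hat's advisory text verbatim. It assumes systemd is in use and that the unit is named cups-browsed.service. The `mask` step goes beyond the two steps above and is an assumption on my part: it stops a later package upgrade or a manual `enable` from silently bringing the daemon back. Set DRY_RUN=1 to print the commands instead of executing them; without it the script must run as root.

```shell
#!/bin/sh
# Added example: stop and disable cups-browsed, then confirm UDP 631 is
# no longer held by it. Assumes systemd and a unit named cups-browsed.service.
# DRY_RUN=1 prints the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: stop the running daemon. Step 2: keep it from starting at boot.
# The mask is an addition (assumption) so that nothing re-enables the unit.
mitigate_cups_browsed() {
    run systemctl stop cups-browsed.service
    run systemctl disable cups-browsed.service
    run systemctl mask cups-browsed.service
}

# $1 is the output of `ss -H -ulnp`. Returns 0 when no cups-browsed socket
# remains on UDP 631, 1 when one is still present.
port_631_released() {
    ! printf '%s\n' "$1" | grep -q ':631 .*"cups-browsed"'
}

# Apply the mitigation, then verify against the live socket table
# (verification is skipped in DRY_RUN since nothing was changed).
apply_and_verify() {
    mitigate_cups_browsed || return 1
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    if port_631_released "$(ss -H -ulnp 2>/dev/null)"; then
        echo "cups-browsed no longer listening on UDP 631"
    else
        echo "cups-browsed still bound to UDP 631; check for another unit or a non-systemd init" >&2
        return 1
    fi
}

if [ "${1-}" = "--apply" ]; then
    apply_and_verify
fi
```

Stopping cups-browsed removes only automatic discovery of remote printers; cupsd itself and any queues already configured keep working, which is why the check at the end looks specifically for a cups-browsed socket rather than for anything on port 631.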
The discovery of this remote code execution chain in CUPS emphasizes the need for system administrators to take immediate steps to secure Linux-based environments. While official patches are still pending, administrators should be aware of the threat and act swiftly to minimize potential damage.
Applying mitigation measures, such as disabling the cups-browsed service where printing is not required, is a prudent approach. Additionally, regular vulnerability scans with tools such as Uptycs can help find and address any exposed systems.