New CUPS Vulnerability Detected: Remote Code Execution in Linux

Written by Uptycs Threat Research | Sep 27, 2024 3:37:19 PM

Introduction

CUPS (Common UNIX Printing System) is the most widely used IPP-based open-source printing system on Linux, and it is also generally supported on Unix-like operating systems such as FreeBSD, NetBSD, and OpenBSD and their derivatives. One of its components is the cups-browsed daemon, which searches the local network for advertised network or shared printers and makes them available for printing on the machine. This discovery behavior is the entry point for the CUPS vulnerability chain, including the remote code execution risk, explored below.

On September 26, 2024, an unauthenticated remote code execution exploit chain was disclosed by the security researcher Simone Margaritelli in his blog. The vulnerabilities associated with the exploit chain are tracked as CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters).

Vulnerability Details

If the cups-browsed daemon is enabled on a host, it listens on UDP port 631. By default it also allows any device on the network to create a new printer. An attacker could craft a malicious PostScript Printer Description (PPD) printer and advertise it to an exposed cups-browsed service on UDP port 631. This is the core of the vulnerability: the remote machine will automatically install the malicious printer and make it available for printing. If a user on the vulnerable system prints to the new printer, the malicious command in the PPD triggers remote code execution locally on the host.

Exploitation Conditions

There are some prerequisites to achieving remote code execution even when a vulnerable machine is present on the network. The conditions are:

  1. The victim machine must have the cups-browsed daemon enabled. It is disabled by default.
  2. UDP port 631 must be exposed on the network.
  3. Once the attacker runs the exploit remotely, a malicious printer is advertised on the victim machine.
  4. The victim would have to manually send a document for printing to the malicious print server hosted by the attacker.

If these conditions are met, remote code execution can occur on the target machine.

CVE-2024-47176

Package-name – cups-browsed

Description: Binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL, leading to potential remote code execution.

CVE-2024-47076

Package-name – libcupsfilters

Description: cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system, potentially resulting in remote code execution.

CVE-2024-47175

Package-name – libppd and cups

Description: ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data into the resulting PPD and opening up the risk of remote code execution.

CVE-2024-47177

Package-name – cups-filters

Description: foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter, which can also be used to achieve remote code execution.
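As an added example (not code from the Uptycs post or the CUPS project), the following Python script scans the PPD files CUPS keeps in /etc/cups/ppd for FoomaticRIPCommandLine directives and flags values containing shell metacharacters, which is one way a defender can triage printers that cups-browsed may have installed. The two sample PPDs and the metacharacter heuristic are constructed assumptions; legitimate foomatic-rip drivers also carry this directive, so "review" results need a human look.

```python
import glob
import os
import re
from typing import Dict, List

# Constructed sample PPDs (not from the original post): a normal foomatic-rip
# driver, and one whose command line came from attacker-supplied IPP attributes.
BENIGN_PPD = '''*PPD-Adobe: "4.3"
*ModelName: "Generic PCL Laser"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dNOPAUSE -sDEVICE=pxlmono -sOutputFile=- -"
'''
INJECTED_PPD = '''*PPD-Adobe: "4.3"
*ModelName: "Advertised Network Printer"
*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "touch /tmp/ppd_marker; gs -q -dBATCH -"
'''

# Matches '*Keyword[ Option]: "value"'; the quoted value may span several lines.
_DIRECTIVE_RE = re.compile(r'^\*(?P<key>[A-Za-z0-9_-]+)(?:\s+\S+)?:\s*"(?P<value>[^"]*)"', re.M)
# Command separators, substitution and redirection to a path: a RIP command
# line built from advertised printer attributes should not need these (heuristic).
_SUSPICIOUS_RE = re.compile(r'[;&`]|\$\(|>\s*/')


def find_rip_commands(ppd_text: str) -> List[str]:
    """Return every FoomaticRIPCommandLine value declared in the PPD text."""
    return [m.group("value") for m in _DIRECTIVE_RE.finditer(ppd_text)
            if m.group("key") == "FoomaticRIPCommandLine"]


def assess_ppd(ppd_text: str) -> Dict[str, object]:
    """'clean': no foomatic command; 'review': present but plain-looking;
    'suspicious': contains shell metacharacters."""
    cmds = find_rip_commands(ppd_text)
    flagged = [c for c in cmds if _SUSPICIOUS_RE.search(c)]
    verdict = "suspicious" if flagged else ("review" if cmds else "clean")
    return {"rip_commands": cmds, "flagged": flagged, "verdict": verdict}


def scan_ppd_dir(directory: str = "/etc/cups/ppd") -> Dict[str, Dict[str, object]]:
    """Assess every PPD installed in CUPS, including printers added by cups-browsed."""
    results = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.ppd"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[os.path.basename(path)] = assess_ppd(fh.read())
    return results


if __name__ == "__main__":
    for name, result in scan_ppd_dir().items():
        print(f"{name}: {result['verdict']} {result['flagged']}")
```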

Threat Indicators

Uptycs Vulnerability Scan detects these CUPS vulnerabilities, including the potential remote code execution exploits associated with them. Affected hosts can be reviewed in the trending vulnerabilities list on the Uptycs Dashboard.

To identify hosts with an active CUPS service running, use the following query:

Patches

The patches are not yet released. However, it is crucial to monitor for updates, as remote code execution remains a significant concern until the vulnerabilities are resolved.

Mitigations

Red Hat has listed the following two mitigation steps for cases where printing is not required.

1. To stop a running cups-browsed service, an administrator should use the following command:

2. The cups-browsed service can also be prevented from starting on reboot with:

Addressing CUPS Vulnerabilities and Mitigation Strategies

The discovery of this CUPS vulnerability chain, which can lead to remote code execution, emphasizes the need for system administrators to take immediate steps to secure Linux-based environments. While official patches are still pending, administrators should be aware of these threats and act swiftly to minimize potential damage.

Applying mitigation measures, such as disabling the cups-browsed service when printing is not required, is a prudent approach. Additionally, leveraging tools like Uptycs for regular vulnerability scans can help detect and address any exposed systems.