Critical CUPS Vulnerabilities Expose Linux and Other Systems to Remote Attacks
In a significant development for cybersecurity, multiple critical vulnerabilities have been discovered in CUPS (Common Unix Printing System), a widely used print server on Linux systems and other platforms like BSDs, Oracle Solaris, and Google Chrome OS. Security researcher Simone Margaritelli unearthed these flaws and provided a comprehensive write-up detailing their potential impact.
Detailed Breakdown of the CVEs
Margaritelli summarized the core issue in his blog post:
“A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP URLs with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer).”
The vulnerabilities do not affect the Linux kernel itself but target components of the CUPS system. The assigned CVEs are:
- CVE-2024-47176This vulnerability exists in cups-browsed (up to version 2.0.1). The cups-browsed daemon listens for UDP packets on port 631 and uses DNS service discovery to automatically find printers, making them available to users. The flaw lies in improper validation of URLs received during printer discovery. Attackers can exploit this to trick cups-browsed into requesting arbitrary URLs.
- CVE-2024-47076Found in libcupsfilters (up to version 2.1b1), this vulnerability relates to how the library handles file conversions to make them printable on specific printers. Similar to the previous issue, it allows attackers to inject malicious data that gets passed to other CUPS components.
- CVE-2024-47175This vulnerability affects libppd (up to version 2.1b1). The library fails to validate IPP attributes and inadvertently adds them to the PPD (PostScript Printer Description) file, which is then used by drivers and other components—potentially leading to further exploitation.
- CVE-2024-47177In cups-filters (version 2.0.1), this flaw allows arbitrary command execution triggered by invalid PPD parameters. The cups-filters component executes external code (“filters”) to convert files. By accepting data from unverified external sources, it opens the door for attackers to execute arbitrary code. Specifically, the “foomatic-rip” filter enables attackers to provide an arbitrary command line.
Additionally, there are “several other bugs that are more or less exploitable,” according to Margaritelli.
The Exploitation Chain
These vulnerabilities can be chained together to achieve remote code execution. The exploitation process involves:
- Enabling cups-browsed: The cups-browsed service must be manually enabled or started on the target system.
- Accessing the Vulnerable Server: An attacker gains access to a vulnerable server by either:
- Unrestricted public internet access, or
- Accessing an internal network where local connections are trusted.
- Advertising a Malicious IPP Server: The attacker advertises a fake IPP server, effectively provisioning a malicious printer.
- Victim Initiates a Print Job: A user attempts to print using the malicious printer.
- Executing Arbitrary Code: The attacker executes arbitrary code on the victim’s machine during the print job initiation.
Notably, this remote code execution can be exploited over the public internet via a UDP packet to port 631 without any authentication, assuming the CUPS port is open through a router or firewall. LAN attacks are also feasible by spoofing zeroconf, mDNS, or DNS-SD advertisements.
Impact and Affected Systems
The vulnerabilities have a broad impact due to the widespread use of CUPS across various platforms. Systems running Linux distributions, certain BSD variants, Oracle Solaris, and Google Chrome OS are all affected. As of now, there is no available fix for Linux systems, making immediate mitigation crucial.
Image: Shodan.io
Image: FOFA
Advisories and all bugs have been published:
- https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
- https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5
- https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6
- https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47
OpenPrinting has started publishing fixes as well now:
- CVE-2024-47175: https://github.com/OpenPrinting/libppd/commit/d681747ebf
- CVE-2024-47076: https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3
- A temporary workaround for CVE-2024-47176 in: https://github.com/OpenPrinting/cups-browsed/commit/1debe6b140c
Mitigation Strategies
Given the severity of these vulnerabilities, immediate action is recommended:
- Disable cups-browsed: Since cups-browsed is central to the exploitation chain, disabling it can halt potential attacks.
$ sudo systemctl stop cups-browsed
- Prevent cups-browsed from Starting on Reboot:
$ sudo systemctl disable cups-browsed
- Block Traffic to UDP Port 631: If disabling cups-browsed is not feasible, blocking all traffic to UDP port 631 can reduce exposure.
$ sudo iptables -A INPUT -p tcp –dport 631 -j DROP
$ sudo iptables -A INPUT -p udp –dport 631 -j DROP - Update CUPS Components: Keep an eye out for patches and update CUPS and related components as soon as fixes are released.
Detection
To check if your system is vulnerable, verify the status of cups-browsed:
- If the result includes “Active: inactive (dead)”, the exploit chain is halted, and the system is not vulnerable.
- If the service is “running” or “enabled”, and the BrowseRemoteProtocols directive contains the value “cups” in the configuration file /etc/cups/cups-browsed.conf, the system is vulnerable.
Vendor Responses
Red Hat
Red Hat has acknowledged the vulnerabilities, rating them with a severity impact of Important. While all versions of Red Hat Enterprise Linux (RHEL) are affected, the default configuration is not vulnerable. Red Hat advises administrators to disable cups-browsed as a mitigation measure. They are collaborating with the upstream community and the researcher to develop patches.
Palo Alto Networks
In a recent update, Palo Alto Networks confirmed that none of its products are affected by these vulnerabilities, providing some relief for users of their security solutions.
Canonical
Canonical’s security team has issued updates for several CUPS packages, including cups-browsed, cups-filters, libcupsfilters, and libppd, across all supported Ubuntu LTS releases. Upgrading these packages and restarting the CUPS daemon is strongly advised.
If this is not possible, the affected components can be targeted:
The unattended-upgrades feature is enabled by default from Ubuntu 16.04 LTS and onwards. This service:
- Applies new security updates every 24 hours automatically
- If you have this enabled, the patches above will be automatically applied within 24 hours
- However, we still recommend restarting the CUPS daemon using systemctl restart cups.service
Mitigation
- Desktop computers: Removing cups-browsed or disabling network protocols would hinder network printer discovery.
- Print servers: Disabling network printer detection could be a temporary fix, as existing printers remain accessible. However, on Ubuntu, modifying the configuration file could disrupt future automatic updates. We advise against this unless absolutely necessary, and if done, the original configuration should be restored after applying updates.
The following mitigation steps remove a print server’s ability to detect new network printers and stop the injection of the malicious PPD file:
- Edit /etc/cups/cups-browsed.conf
- Search for the BrowseRemoteProtocols configuration option
- Set the option to none (the default value is “dnssd cups”)
- Restart cups-browsed using systemctl restart cups-browsed
