Discover how a critical CUPS vulnerability exposes Unix systems to remote code execution attacks and learn steps to protect your devices from potential exploits
This Threatfeed is the first in a series exploring vulnerabilities in Unix systems, specifically targeting GNU/Linux systems through the Common Unix Printing System (CUPS). As noted by a contributor to the CUPS project:
"From a generic security point of view, a whole Linux system as it is nowadays is just an endless and hopeless mess of security holes waiting to be exploited."
This statement underscores the critical need to examine and address these vulnerabilities to enhance system security.
Several vulnerabilities have been identified in CUPS and its associated components, which, when combined, allow for remote code execution (RCE) on affected systems:
- CVE-2024-47176: cups-browsed versions ≤ 2.0.1 bind to UDP INADDR_ANY:631, accepting packets from any source, which can trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
- CVE-2024-47076: libcupsfilters versions ≤ 2.1b1 have a vulnerability where cfGetPrinterAttributes() does not validate or sanitize IPP attributes returned from an IPP server, allowing attacker-controlled data into the CUPS system.
- CVE-2024-47175: libppd versions ≤ 2.1b1's ppdCreatePPDFromIPP2() function fails to validate or sanitize IPP attributes when writing them to a temporary PPD file, enabling injection of attacker-controlled data.
- CVE-2024-47177: cups-filters versions ≤ 2.0.1 include foomatic-rip, which allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.
A remote, unauthenticated attacker can silently replace existing printers or install new ones by manipulating IPP URLs with malicious ones. This manipulation can lead to arbitrary command execution on the target system when a print job is initiated.
The vulnerabilities affect a wide range of Unix-like systems where CUPS and cups-browsed are installed.
Note: The presence and default status of cups-browsed may vary across distributions.
Affected components:
- cups-browsed (CVE-2024-47176): cups-browsed listens on UDP port 631 on all network interfaces (0.0.0.0), accepting packets from any source. A received packet can trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
- libcupsfilters (CVE-2024-47076): cfGetPrinterAttributes5() does not validate or sanitize IPP attributes received from a server.
- libppd (CVE-2024-47175): ppdCreatePPDFromIPP2() fails to validate or sanitize IPP attributes when writing to a temporary PPD file.
- foomatic-rip (CVE-2024-47177): the foomatic-rip filter allows execution of arbitrary commands through the FoomaticRIPCommandLine parameter in PPD files. foomatic-rip is retained for printer compatibility, with challenges in restricting its capabilities without breaking functionality.
By chaining the identified vulnerabilities, an attacker can:
1. Trigger a Malicious IPP Request: a packet sent to UDP port 631 causes cups-browsed to initiate a connection to an attacker-controlled IPP server.
2. Inject Malicious IPP Attributes: the attacker-controlled server returns IPP attributes that are not validated or sanitized by libcupsfilters or libppd.
3. Create Malicious PPD File: the unsanitized attributes are written into a temporary PPD file, including an attacker-controlled FoomaticRIPCommandLine parameter.
4. Execute Arbitrary Commands: when a print job is sent to the injected printer, the command is run by foomatic-rip.
Note: User interaction is required (i.e., starting a print job) for the final execution step.
Mitigation steps:
- Disable cups-browsed: if it is not needed, stop and disable the cups-browsed service:
  sudo systemctl stop cups-browsed
  sudo systemctl disable cups-browsed
- Update CUPS Packages: apply your distribution's fixed packages for cups-browsed, libcupsfilters, libppd and cups-filters as they become available.
- Network-Level Mitigation: block inbound traffic to UDP port 631 from untrusted networks so that cups-browsed cannot receive packets from arbitrary sources.
- Audit Installed Packages: check whether cups-browsed, libcupsfilters, libppd and cups-filters are installed and whether their versions fall within the affected ranges listed above.
- Implement Access Controls: configure cups-browsed to restrict allowed sources by editing /etc/cups/cups-browsed.conf.
- Monitor for Updates: follow the advisories of your distribution and the CUPS project for fixed packages.
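As an added example (not part of the original post), a small POSIX shell audit that classifies a cups-browsed.conf as open, restricted or disabled and shows the hardened settings beside a stock-style default; the directive names BrowseRemoteProtocols, BrowseAllow and BrowseOrder are assumed from cups-browsed's own configuration format and are not taken from this page.

```shell
#!/bin/sh
# Added example, not from the original post: audit a cups-browsed.conf for the
# weak default the advisory describes (cups-browsed accepting UDP 631 packets
# from any source) and show the hardened settings next to it.
# Assumption: the directives BrowseRemoteProtocols, BrowseAllow and BrowseOrder
# are cups-browsed's own (not on the page); confirm with cups-browsed.conf(5).

# Effective value of a directive: the last uncommented occurrence wins.
conf_value() {  # $1 = config path, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" | tail -n 1
}

# Classify a config file. Prints one of:
#   disabled   - BrowseRemoteProtocols none: no remote browsing at all
#   restricted - a BrowseAllow source list together with a BrowseOrder policy
#   open       - remote browsing on and no source restriction (the default)
audit_cups_browsed_conf() {  # $1 = config path
    case "$(conf_value "$1" BrowseRemoteProtocols | tr 'A-Z' 'a-z')" in
        none) echo disabled; return 0 ;;
    esac
    # The effect of BrowseAllow depends on the BrowseOrder policy, so a source
    # list without an explicit order is still reported as open for review.
    if [ -n "$(conf_value "$1" BrowseAllow)" ] && [ -n "$(conf_value "$1" BrowseOrder)" ]; then
        echo restricted
    else
        echo open
    fi
}

# Constructed sample configs (not real files from any distribution).
tmp=$(mktemp -d)
cat > "$tmp/default.conf" <<'EOF'
# stock-style config: accepts printer announcements from any host on UDP 631
BrowseRemoteProtocols dnssd cups
EOF
cat > "$tmp/hardened.conf" <<'EOF'
BrowseRemoteProtocols none
EOF
cat > "$tmp/restricted.conf" <<'EOF'
BrowseRemoteProtocols cups
BrowseOrder Allow,Deny
BrowseAllow 192.0.2.0/24
EOF
for f in default hardened restricted; do
    printf '%-10s %s\n' "$f" "$(audit_cups_browsed_conf "$tmp/$f.conf")"
done
```

Point the function at the live /etc/cups/cups-browsed.conf to audit a real host; a result of "open" on a machine with cups-browsed running is the condition the advisory warns about.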
The vulnerabilities in CUPS and its associated components present a significant security risk to Unix-like systems. Exploitation can lead to remote code execution with minimal attacker effort and no initial authentication. It is crucial for system administrators and users to take immediate action to mitigate these risks.
The process of responsibly disclosing these vulnerabilities highlighted challenges in communication and prioritization between security researchers and software maintainers. Efficient collaboration is essential to address security issues promptly and effectively.
The continued use of legacy components like foomatic-rip poses security challenges due to their inherent vulnerabilities and the difficulty in restricting their capabilities without impacting functionality.
Further analysis is being conducted on related vulnerabilities, including potential exploitation on other operating systems such as macOS. Subsequent write-ups will provide additional details.