Critical CUPS Vulnerability Exposes Unix Systems to Remote Attacks

Discover how a critical CUPS vulnerability exposes Unix systems to remote code execution attacks and learn steps to protect your devices from potential exploits

27-Sep-2024

6 min read

This Threatfeed is the first in a series exploring vulnerabilities in Unix systems, specifically targeting GNU/Linux systems through the Common Unix Printing System (CUPS). As noted by a contributor to the CUPS project:

"From a generic security point of view, a whole Linux system as it is nowadays is just an endless and hopeless mess of security holes waiting to be exploited."

This statement underscores the critical need to examine and address these vulnerabilities to enhance system security.

Summary

Several vulnerabilities have been identified in CUPS and its associated components, which, when combined, allow for remote code execution (RCE) on affected systems:

CVE-2024-47176: cups-browsed versions ≤ 2.0.1 bind to UDP INADDR_ANY:631, accepting packets from any source, which can trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
CVE-2024-47076: libcupsfilters versions ≤ 2.1b1 have a vulnerability where cfGetPrinterAttributes() does not validate or sanitize IPP attributes returned from an IPP server, allowing attacker-controlled data into the CUPS system.
CVE-2024-47175: libppd versions ≤ 2.1b1's ppdCreatePPDFromIPP2() function fails to validate or sanitize IPP attributes when writing them to a temporary PPD file, enabling injection of attacker-controlled data.
CVE-2024-47177: cups-filters versions ≤ 2.0.1 include foomatic-rip, which allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.

Impact

A remote, unauthenticated attacker can silently replace existing printers or install new ones by manipulating IPP URLs with malicious ones. This manipulation can lead to arbitrary command execution on the target system when a print job is initiated.

Attack Vectors

Public Internet (WAN)

An attacker sends a crafted UDP packet to port 631 on the target system.
No authentication is required.
This vector affects systems directly connected to the internet with port 631 exposed.

Local Network (LAN)

An attacker can spoof Zeroconf, mDNS, or DNS-SD advertisements to achieve the same result.
This method will be elaborated in subsequent write-ups focusing on macOS.

Affected Systems

The vulnerabilities affect a wide range of Unix-like systems where CUPS and cups-browsed are installed:

Most GNU/Linux distributions
Some BSD variants
Oracle Solaris
Potentially Google ChromeOS
Other Unix-like operating systems

Note: The presence and default status of cups-browsed may vary across distributions.

Technical Details

Vulnerability in `cups-browsed` (CVE-2024-47176)

Issue: cups-browsed listens on UDP port 631 on all network interfaces (0.0.0.0), accepting packets from any source.
Risk: An attacker can send a specially crafted packet to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
Cause: Lack of source IP address validation due to default configuration allowing all connections.

Lack of Input Validation in `libcupsfilters` (CVE-2024-47076)

Issue: The function cfGetPrinterAttributes5() does not validate or sanitize IPP attributes received from a server.
Risk: Attacker-controlled data can be injected into the CUPS system, potentially leading to malicious activities.
Cause: Insufficient validation of IPP attributes returned from remote servers.

Improper Handling in `libppd` (CVE-2024-47175)

Issue: The function ppdCreatePPDFromIPP2() fails to validate or sanitize IPP attributes when writing to a temporary PPD file.
Risk: Allows injection of malicious directives into PPD files, which can be executed by the system.
Cause: Lack of proper input sanitization when generating PPD files from IPP attributes.

Arbitrary Command Execution via `foomatic-rip` (CVE-2024-47177)

Issue: The foomatic-rip filter allows execution of arbitrary commands through the FoomaticRIPCommandLine parameter in PPD files.
Risk: An attacker can execute commands with the privileges of the CUPS system, potentially leading to full system compromise.
Cause: Historical reliance on foomatic-rip for printer compatibility, with challenges in restricting its capabilities without breaking functionality.

Exploitation Overview

By chaining the identified vulnerabilities, an attacker can:

Trigger a Malicious IPP Request:
- Send a crafted UDP packet to UDP port 631, causing cups-browsed to initiate a connection to an attacker-controlled IPP server.
Inject Malicious IPP Attributes:
- The attacker's IPP server responds with malicious attributes that are not validated by libcupsfilters or libppd.
Create Malicious PPD File:
- The system generates a PPD file containing injected directives, including potentially harmful commands.
Execute Arbitrary Commands:
- When a user initiates a print job, the CUPS system processes the PPD file, executing the injected commands via foomatic-rip.

Note: User interaction is required (i.e., starting a print job) for the final execution step.

Remediation

Immediate Actions

Disable cups-browsed:
- If not required, stop and disable the cups-browsed service:
```
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
```
Update CUPS Packages:
- Apply security updates from your distribution's repositories as they become available.
Network-Level Mitigation:
- Block incoming traffic on UDP port 631 at the firewall level.
- Consider restricting or disabling Zeroconf, mDNS, and DNS-SD services if not in use.

Long-Term Recommendations

Audit Installed Packages:
- Remove unnecessary printing services and related packages if printing functionality is not required.
Implement Access Controls:
- Configure cups-browsed to restrict allowed sources by editing /etc/cups/cups-browsed.conf.
Monitor for Updates:
- Stay informed about security advisories related to CUPS and associated libraries.

The vulnerabilities in CUPS and its associated components present a significant security risk to Unix-like systems. Exploitation can lead to remote code execution with minimal attacker effort and no initial authentication. It is crucial for system administrators and users to take immediate action to mitigate these risks.

Additional Considerations

Responsible Disclosure Challenges

The process of responsibly disclosing these vulnerabilities highlighted challenges in communication and prioritization between security researchers and software maintainers. Efficient collaboration is essential to address security issues promptly and effectively.

Legacy Components

The continued use of legacy components like foomatic-rip poses security challenges due to their inherent vulnerabilities and the difficulty in restricting their capabilities without impacting functionality.

Future Research

Further analysis is being conducted on related vulnerabilities, including potential exploitation on other operating systems such as macOS. Subsequent write-ups will provide additional details.