Security Update: Critical CUPS Vulnerability


A group of vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177) in OpenPrinting CUPS (the standard open-source printing system shipped with most Linux distributions) can be chained by an unauthenticated attacker to achieve remote code execution, potentially leading to complete control of the vulnerable system.

Context & exploitability

On Thursday, September 26th, 2024, security researcher Simone Margaritelli (evilsocket) published a write-up together with a proof of concept for a critical-severity unauthenticated remote code execution chain affecting the CUPS open-source printing system on GNU/Linux.

If the cups-browsed service is running, an attacker who can reach UDP port 631 on the victim (from the local network, or from the internet if that port is exposed) can advertise a malicious printer backed by an attacker-controlled IPP server. cups-browsed contacts that server, copies the printer attributes it returns into a locally generated PPD file, and adds the printer to the system. The injected command is not executed at that point; it runs when a user or an automated process sends a print job to the rogue printer, which is the one step the attacker does not fully control.

Am I vulnerable?

Detectify security researchers and engineers are actively working on developing and releasing a security test in the coming hours to help customers detect whether they are vulnerable.

Detectify customers can also use the Domains page to apply a CUPS & IPP filter and check whether TCP port 631 is open on any of their domains. Such findings should be investigated, but keep in mind that this check covers TCP only, whereas the entry point of this chain is cups-browsed listening on UDP port 631: an open TCP 631 (the CUPS web and IPP interface) does not by itself prove exposure, and a closed TCP 631 does not rule it out. Stay tuned for the new security test for a more complete assessment.
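A host-side check, added here as an example that is not part of Detectify's advisory or product: it reads the BrowseRemoteProtocols directive from /etc/cups/cups-browsed.conf (the legacy "cups" protocol is the UDP/631 listener this chain abuses; the packaged default is "dnssd cups") and parses `ss -ulnp` output to see whether anything is bound to UDP 631 on a wildcard address. SAMPLE_CONF and SAMPLE_SS are constructed inputs so the functions run offline; the `__main__` section reads the real host.

```python
"""Added example (not Detectify's or OpenPrinting's code): is this host
exposed to the cups-browsed UDP/631 vector?"""
import shutil
import subprocess
from pathlib import Path

CONF = Path("/etc/cups/cups-browsed.conf")
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed samples (not captured from a real host) for offline use.
SAMPLE_CONF = (
    "# constructed cups-browsed.conf excerpt\n"
    "BrowseRemoteProtocols dnssd cups\n"
    "BrowseLocalProtocols dnssd\n"
)
SAMPLE_SS = (
    "State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process\n"
    "UNCONN 0      0      0.0.0.0:631         0.0.0.0:*         users:((\"cups-browsed\",pid=1234,fd=7))\n"
    "UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:((\"systemd-resolve\",pid=500,fd=13))\n"
)


def browse_protocols(conf_text: str) -> set:
    """Effective remote browse protocols. An absent directive means the
    packaged default 'dnssd cups'; BrowseProtocols sets local and remote
    at once, so it counts too; 'none' disables everything."""
    protos = {"dnssd", "cups"}
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0].lower() in ("browseremoteprotocols", "browseprotocols"):
            protos = {w.lower() for w in words[1:]}  # last directive wins
    return protos - {"none"}


def udp631_listeners(ss_output: str) -> list:
    """Local addresses bound to UDP/631, parsed from `ss -ulnp` output."""
    bound = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "UNCONN":
            continue
        host, _, port = cols[3].rpartition(":")
        if port == "631":
            bound.append(host)
    return bound


def exposed(conf_text: str, ss_output: str) -> bool:
    """True when the legacy 'cups' protocol is enabled AND UDP/631 is bound
    on a wildcard address, i.e. reachable from every interface."""
    return "cups" in browse_protocols(conf_text) and any(
        h in WILDCARDS for h in udp631_listeners(ss_output))


def cups_browsed_active() -> bool:
    """systemd's view of the unit; False where systemctl is unavailable."""
    if not shutil.which("systemctl"):
        return False
    rc = subprocess.run(["systemctl", "is-active", "--quiet", "cups-browsed"]).returncode
    return rc == 0


if __name__ == "__main__":
    conf = CONF.read_text() if CONF.exists() else ""
    ss_out = (subprocess.run(["ss", "-ulnp"], capture_output=True, text=True).stdout
              if shutil.which("ss") else "")
    print("cups-browsed active  :", cups_browsed_active())
    print("BrowseRemoteProtocols:", sorted(browse_protocols(conf)))
    print("UDP/631 listeners    :", udp631_listeners(ss_out))
    print("VERDICT:", "exposed to the UDP/631 vector" if exposed(conf, ss_out)
          else "not exposed via UDP/631 (patch anyway)")
```

A verdict of "not exposed" only covers the UDP/631 entry point; a host that still has cups-browsed and the vulnerable filter packages installed should be patched regardless, and setting `BrowseRemoteProtocols none` (or stopping the service) is what turns the verdict green on a host that cannot yet be updated.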

Vulnerabilities discovered

The following four CVEs were assigned to the CUPS vulnerabilities involved in this attack. When chained, they allow remote code execution:

  • CVE-2024-47176. cups-browsed binds UDP port 631 and accepts printer announcements from any source, so an attacker can point it at an attacker-controlled URL and have a malicious printer added to the system. This is particularly concerning because, where UDP 631 is reachable from the public internet, the system can be attacked remotely; a large number of hosts with cups-browsed enabled may be affected.
  • CVE-2024-47076. The function cfGetPrinterAttributes5 in the libcupsfilters library does not sanitize the IPP attributes it receives from an IPP server, so attacker-supplied attribute values are passed on unchanged to the rest of the CUPS system.
  • CVE-2024-47175. The function ppdCreatePPDFromIPP2 in the libppd library does not sanitize IPP attributes when writing them into a generated PPD file, which lets an attacker inject arbitrary PPD directives (such as a FoomaticRIPCommandLine entry) into that file.
  • CVE-2024-47177. The foomatic-rip filter in cups-filters executes the shell command stored in a PPD's FoomaticRIPCommandLine entry, so an attacker-controlled entry leads to arbitrary command execution as soon as a print job is sent to the rogue printer.
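To make the four steps concrete, the following Python models the chain. This is example code written for this page, not Detectify's security test and not OpenPrinting's code: it parses a legacy browse packet the way cups-browsed reads it from UDP 631, copies attacker-supplied IPP attributes verbatim into a generated PPD (a deliberate simplification of what ppdCreatePPDFromIPP2 does), shows a hardened builder that refuses any value able to start a new PPD line (in the spirit of the fix, not the actual upstream patch), and extracts the FoomaticRIPCommandLine that foomatic-rip would run. The sample packet, attribute values and command are constructed; nothing is executed.

```python
"""Added example (not Detectify's or OpenPrinting's code): a small model of
how CVE-2024-47176/47076/47175/47177 chain together."""
import re

# CVE-2024-47176: cups-browsed reads legacy CUPS browse packets on UDP/631
# from any source. Format: <type hex> <state hex> <uri> ["location" "info" ...]
BROWSE_RE = re.compile(r'^([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\S+)(.*)$')


def parse_browse_packet(payload: str) -> dict:
    """Return the fields cups-browsed would act on; the URI is attacker-chosen."""
    m = BROWSE_RE.match(payload.strip())
    if not m:
        raise ValueError("not a browse packet")
    ptype, state, uri, rest = m.groups()
    return {"type": int(ptype, 16), "state": int(state, 16),
            "uri": uri, "extra": rest.strip()}


# CVE-2024-47076 / CVE-2024-47175: attributes fetched from the attacker's IPP
# server are interpolated into a PPD with no sanitization (simplified model).
def make_ppd_vulnerable(attrs: dict) -> str:
    model = attrs.get("printer-make-and-model", "Generic")
    info = attrs.get("printer-info", model)
    return "\n".join([
        '*PPD-Adobe: "4.3"',
        f'*ModelName: "{model}"',
        f'*NickName: "{info}"',
        '*cupsFilter2: "application/vnd.cups-pdf application/pdf 0 -"',
    ]) + "\n"


SAFE_VALUE = re.compile(r'[\x20-\x7e]*')  # printable ASCII only: no CR/LF


def make_ppd_hardened(attrs: dict) -> str:
    """Same generation, but a value containing control characters or a
    double quote is refused, so it can never close the quoted string and
    start a new PPD keyword line (hypothetical check, not the real patch)."""
    for key in ("printer-make-and-model", "printer-info"):
        val = attrs.get(key, "")
        if '"' in val or not SAFE_VALUE.fullmatch(val):
            raise ValueError(f"refusing unsafe IPP attribute {key!r}")
    return make_ppd_vulnerable(attrs)


# CVE-2024-47177: on a print job, foomatic-rip runs the command stored in
# *FoomaticRIPCommandLine. We only extract it, never run it.
CMDLINE_RE = re.compile(r'^\*FoomaticRIPCommandLine:\s*"([^"]*)"', re.M)


def foomatic_command(ppd_text: str):
    """The command foomatic-rip would execute, or None if the PPD has none."""
    m = CMDLINE_RE.search(ppd_text)
    return m.group(1) if m else None


# Constructed sample of what an attacker-controlled IPP server could return:
# the value closes the quoted ModelName, injects two directives, and reopens
# a quote so the generated file stays well-formed.
EVIL_ATTRS = {
    "printer-make-and-model": (
        'HP LaserJet"\n'
        '*FoomaticRIPCommandLine: "id > /tmp/pwned"\n'
        '*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"\n'
        '*NickName: "x'
    ),
}
BENIGN_ATTRS = {"printer-make-and-model": "HP LaserJet 4"}

if __name__ == "__main__":
    pkt = parse_browse_packet('0 3 http://198.51.100.7:631/printers/evil "Loc" "Info"')
    print("cups-browsed would contact:", pkt["uri"])
    print("vulnerable PPD hands foomatic-rip:", foomatic_command(make_ppd_vulnerable(EVIL_ATTRS)))
    try:
        make_ppd_hardened(EVIL_ATTRS)
    except ValueError as e:
        print("hardened builder:", e)
```

Running `foomatic_command` over the files in /etc/cups/ppd/ is a cheap after-the-fact check: a PPD that cups-browsed generated for a driverless IPP printer normally has no FoomaticRIPCommandLine entry, whereas locally installed Foomatic driver PPDs legitimately do, so check where a flagged PPD came from before acting on it.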

Remediation

Until fixed packages from your distribution are installed, Detectify recommends the following mitigation steps for this issue:

  1. Disable and remove the cups-browsed service if you don’t need it. Stop it, then disable it so it does not come back at boot:

    sudo systemctl stop cups-browsed
    sudo systemctl disable cups-browsed

  2. Update the CUPS-related packages (cups-browsed, cups-filters, libcupsfilters and libppd) as soon as your distribution ships fixed versions.
  3. Block incoming traffic to port 631 (both TCP and UDP), as well as DNS-SD/mDNS traffic (UDP port 5353), at the host or network firewall unless printer discovery is required.

We will release the new security test as soon as it’s ready. Customers can always find updates in the “What’s New at Detectify” product log. Any questions can be directed to Customer Success representatives or Support. If you’re not already a customer, click here to sign up for a demo or a free trial and immediately start scanning. Go hack yourself!


