A severe remote code execution (RCE) vulnerability has been uncovered by Simone Margaritelli in the Common Unix Printing System (CUPS), affecting all GNU/Linux systems.
Margaritelli had earlier given notice of the unauthenticated RCE flaw impacting all GNU/Linux systems; he has now revealed the technical details.
The flaw, which includes four distinct CVEs (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177), allows unauthenticated attackers to execute arbitrary commands on vulnerable systems, posing a significant threat to network security.
“From a generic security point of view, a whole Linux system as it is nowadays is just an endless and hopeless mess of security holes waiting to be exploited.”
A security researcher discovered the vulnerability and detailed the findings in a comprehensive write-up. The researcher identified several critical issues in the CUPS system, including:
- CVE-2024-47176: The cups-browsed service binds to UDP port 631, trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
- CVE-2024-47076: The libcupsfilters library does not validate or sanitize IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system.
- CVE-2024-47175: The libppd library does not validate or sanitize IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data in the resulting PPD.
- CVE-2024-47177: The cups-filters package allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.
Margaritelli demonstrated how these vulnerabilities can be exploited to achieve remote code execution on a fully patched Ubuntu 24.04.1 LTS system running cups-browsed 2.0.1.
A remote, unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP URLs with a malicious one, resulting in arbitrary command execution on the computer when a print job is started.
The vulnerabilities can be exploited over the WAN/public internet by sending a UDP packet to port 631, and over the LAN by spoofing zeroconf/mDNS/DNS-SD advertisements.
Margaritelli scanned the entire public internet IPv4 ranges and received back connections from hundreds of thousands of devices, highlighting the widespread exposure of systems to these vulnerabilities.
According to Shodan, a good 73k CUPS servers are exposed, accepting a custom packet from any untrusted source via UDP port 631.
The vulnerabilities affect most GNU/Linux distributions, some BSDs, Google Chromium/ChromeOS, Oracle Solaris, and possibly more systems where CUPS, and specifically cups-browsed, is packaged.
The vulnerabilities have been reported to the OpenPrinting project, and some fixes have been pushed, but the researcher expressed frustration with the responsible disclosure process, citing delays and dismissiveness from the developers.
The severity of the vulnerability is underscored by the initial CVSS score of 9.9, estimated by a Red Hat engineer.
While the researcher acknowledges that the impact may not warrant a 9.9 score, the ease of exploitation and widespread presence of the vulnerable package make it a critical issue.
Recommendations
- Disable and remove the cups-browsed service
- Update the CUPS package through security updates
- If unable to update, block UDP port 631
- Consider blocking DNS-SD as well
In light of these findings, users are advised to disable and remove the cups-browsed service if not needed, update the CUPS package on their systems, and block all traffic to UDP port 631 and DNS-SD traffic.
Margaritelli also recommends removing all CUPS services, binaries, and libraries from systems and avoiding the use of zeroconf/avahi/bonjour listeners.
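To check a host against these recommendations, the following added example (not from Margaritelli's write-up or the OpenPrinting project) parses the output of ss -H -uln and lists UDP sockets on port 631, and on 5353 (the mDNS/DNS-SD port), that are bound to a non-loopback address. The function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the write-up): find UDP listeners reachable off-host.

# Reads `ss -H -uln` style lines on stdin; prints the local address of every
# socket bound to UDP port $1 on a non-loopback address.
exposed_udp() {
    awk -v port="$1" '
    {
        addr = ""
        # Local address = first field containing a colon; State, Recv-Q,
        # Send-Q (and Netid, when shown) never contain one.
        for (i = 1; i <= NF; i++)
            if (index($i, ":")) { addr = $i; break }
        if (addr == "") next

        n = split(addr, parts, ":")
        if (parts[n] != port) next            # port follows the last colon

        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        sub(/%.*$/, "", host)                 # drop scope such as %eth0
        if (host ~ /^127\./ || host == "[::1]") next   # loopback only
        print addr
    }'
}

# Checks 631 (cups-browsed) and 5353 (mDNS/DNS-SD) in the ss output given as $1.
audit() {
    for port in 631 5353; do
        hits=$(printf '%s\n' "$1" | exposed_udp "$port")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s/^/UDP $port reachable off-host: /"
        else
            printf 'UDP %s: no non-loopback listener\n' "$port"
        fi
    done
}

# Constructed sample input, not captured from a real host.
SAMPLE='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 [::1]:631 [::]:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*'

audit "$SAMPLE"
# On a live system: audit "$(ss -H -uln)"
```

An empty result for port 631 only shows that nothing is listening beyond loopback; firewall rules for UDP 631 and DNS-SD still need to be verified separately.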