Insights

Linux RCE – Critical Vulnerability (CVE9.9) in CUPS – Security Awareness Messaging

An inadvertent data leak from a GitHub push update identified an RCE in the Linux Common Unix Printing System (CUPS) service, as an unauthenticated Remote Code Execution vulnerability with a CVE score of 9.9.

The vulnerabilities:

  • CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL.
  • CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system.
  • CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD.
  • CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.

CUPS and cups-browsed (a service responsible for discovering new printers and automatically adding them to the system) ship with many versions of UNIX, including most GNU/Linux distributions, but can also be installed in BSD, Oracle Solaris, and even Google’s Chrome OS.

Essentially the vulnerability permits an unauthenticated attacker who can reach the CUPS service port (UDP 631) to replace  or install new printers with a malicious IPP urls without generating alerting. This can result in arbitrary command execution on an attacked computer which starts a print job.

UDP port 631, if exposed to the internet and belonging to an operating system running the affected CUPS service requires no authentication making this particularly impactful, however an adversary who has established a foothold within a network can achieve a similar results.

Recommendation:

In terms of hardening against the vulnerability, removing cups-browsed if it is not needed is probably the easiest solution, failing that ensure that the CUPS package is updated on affected systems, and if it cannot be updated, then use firewalling to ensure only trusted hosts can connect to UDP port 631. 

Further information can be found:

Attacking UNIX Systems via CUPS, Part I (evilsocket.net)

https://github.com/OpenPrinting/cups-browsed/issues/36

About the author

Prism Social Icon
Prism Infosec
Prism Infosec’s innovative approach to the delivery of PCI projects and technical security testing was recognised with a PCI Award for Technical Excellence in January 2020. The award was presented for the delivery of a client project that was considered by the review panel to be an outstanding example of best practice.
the-cyber-scheme
pci
Crest
cbest
CHECK Penetration Testing (Dark Logo)
Cyber Incident Exercising

Experiencing a security breach?
Contact the cyber security experts now