A newly disclosed set of security vulnerabilities in the OpenPrinting Common Unix Printing System (CUPS) could allow attackers to execute remote commands under certain conditions, posing a potential threat to Linux systems. These vulnerabilities, reported by security researcher Simone Margaritelli, could be exploited to compromise printers by replacing their IPP (Internet Printing Protocol) URLs with malicious ones. This, in turn, could result in arbitrary command execution when a print job is initiated.
CUPS is a widely used, standards-based open-source printing system for Unix-like operating systems, including popular distributions such as Arch Linux, Debian, Fedora, Red Hat Enterprise Linux (RHEL), and others. The vulnerabilities affect a broad range of systems that rely on this printing service.
Key Vulnerabilities:
The list of vulnerabilities includes:
- CVE-2024-47176: This vulnerability exists in cups-browsed (version 2.0.1 and earlier), which binds on UDP INADDR_ANY:631 and trusts packets from any source, allowing a single packet to trigger a Get-Printer-Attributes IPP request to a malicious URL.
- CVE-2024-47076: Found in libcupsfilters (version 2.1b1 and earlier), this flaw in the cfGetPrinterAttributes5 function does not properly validate or sanitize IPP attributes returned from a server, potentially allowing attacker-controlled data to enter the CUPS system.
- CVE-2024-47175: In libppd (version 2.1b1 and earlier), the ppdCreatePPDFromIPP2 function fails to validate IPP attributes, enabling injection of malicious data into temporary PPD files, which are crucial for printer configurations.
- CVE-2024-47177: This issue in cups-filters (version 2.0.1 and earlier) allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter, the final link in the exploitation chain.
Together, these vulnerabilities could be exploited to create a fake printing device on a network, triggering remote code execution when a print job is sent. The attack stems from improper handling of "New Printer Available" announcements in the cups-browsed component, combined with poor validation in CUPS.
Potential Exploitation and Real-World Impact
The exploitation chain enables attackers to install a malicious printer driver on a vulnerable system, which, upon processing a print job, executes malicious code with the privileges of the lp user. Although this does not give the attacker root access, it still poses a significant threat.
Security firm Rapid7 noted that the vulnerabilities are exploitable from the public internet or across network segments only if UDP port 631 is accessible and the vulnerable service is active. Given this condition, systems exposed to the internet, particularly servers, are at higher risk than typical desktop Linux machines.
Mitigations and Patch Status
Patches for these vulnerabilities are currently in development and are expected to be released soon. In the meantime, organizations are advised to disable or remove the cups-browsed service if it is not necessary, and block or restrict traffic to UDP port 631 as a precautionary measure.
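The following audit helper is an added example, not code from the article or from the CUPS project. It checks the two conditions the article names for exposure, cups-browsed being active and UDP 631 bound on all interfaces, and prints the recommended mitigations; it assumes `ss -uln`-style socket listings (State Recv-Q Send-Q Local:Port Peer:Port) and a systemd host where `systemctl is-active cups-browsed` reports the service state.

```shell
#!/bin/sh
# Host audit helper added to illustrate the mitigations above; it is not part of
# the original article or of the CUPS project. It assumes `ss -uln`-style socket
# listings (State Recv-Q Send-Q Local:Port Peer:Port) and the output of
# `systemctl is-active cups-browsed` on a systemd host.

# Succeeds (return 0) when the listing shows UDP 631 bound to a wildcard address
# (0.0.0.0, * or [::]), i.e. the INADDR_ANY:631 binding the advisory describes.
udp631_exposed() {
    found=1
    while read -r state _rq _sq laddr _rest; do
        [ "$state" = "UNCONN" ] || continue       # skip header / non-UDP rows
        [ "${laddr##*:}" = "631" ] || continue    # port follows the last ':'
        case "${laddr%:*}" in
            0.0.0.0|'*'|'[::]') found=0 ;;        # wildcard bind: exposed
        esac
    done <<EOF
$1
EOF
    return $found
}

# Combine service state and socket exposure into a risk label.
# $1: "active"/"inactive" from systemctl is-active; $2: the ss listing
cups_risk() {
    if [ "$1" = "active" ] && udp631_exposed "$2"; then
        echo "HIGH: cups-browsed active and UDP 631 bound on all interfaces"
    elif [ "$1" = "active" ]; then
        echo "MEDIUM: cups-browsed active, UDP 631 not bound to a wildcard address"
    else
        echo "LOW: cups-browsed not active"
    fi
}

# Print the article's two mitigations (the firewall lines are alternatives).
print_mitigations() {
    cat <<'EOF'
sudo systemctl stop cups-browsed && sudo systemctl disable cups-browsed
sudo iptables -I INPUT -p udp --dport 631 -j DROP   # or: sudo ufw deny 631/udp
EOF
}

# Live audit of this host when run with --live (needs ss and systemctl).
if [ "${1-}" = "--live" ]; then
    state=$(systemctl is-active cups-browsed 2>/dev/null)
    cups_risk "${state:-unknown}" "$(ss -uln 2>/dev/null)"
    print_mitigations
fi
```

Run it as `sh audit.sh --live` on a host to get the risk label for that machine; a loopback-only binding of port 631 is reported as MEDIUM because the service is still running but is not reachable from the network.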
Red Hat, in its advisory, has stated that all versions of its operating system are affected but that the vulnerabilities are not exploitable in their default configurations. It categorized these issues as “Important” due to their potential impact but noted that the likelihood of real-world exploitation remains low.
Satnam Narang, senior staff research engineer at Tenable, emphasized that while these vulnerabilities are technically serious, they are not on the same level as critical flaws like Log4Shell or Heartbleed. "These vulnerabilities, while important, are part of the broader landscape of security issues that organizations must manage," Narang said.
Conclusion
While the newly disclosed vulnerabilities in CUPS could potentially allow for remote code execution on Linux systems, they are not expected to lead to widespread attacks. Still, the disclosure serves as a reminder of the critical need for regular updates and the timely application of security patches to safeguard against exploitation. For now, organizations are encouraged to disable unnecessary services and enforce strict network controls to mitigate risk until patches are made available.
As cybersecurity experts point out, while these flaws warrant attention, the focus should also remain on addressing known vulnerabilities that are already being actively exploited by threat actors across the globe.