Under certain conditions, an attacker could chain a set of vulnerabilities across multiple components of the CUPS open source printing system and remotely execute arbitrary code on a vulnerable machine.
These security flaws are tracked as CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed), and CVE-2024-47177 (cups-filters) and were discovered by Simone Margaritelli. Systems in their default configuration are not affected.
CUPS (short for Common UNIX Printing System) is the most widely used printing system on Linux systems and is also commonly supported on devices running Unix-like operating systems such as FreeBSD, NetBSD, OpenBSD, and their derivatives.
One of its components is the cups-browsed daemon. It searches your local network for advertised network or shared printers and allows you to print to them on your machine. This is similar to how Windows and Macs search the network for remote network printers to print to.
Margaritelli discovered that when the cups-browsed daemon is enabled (which it is not on most systems), it listens on UDP port 631. Also, by default, creation of new printers by remote connection from any device on the network is allowed.
He discovered that it was possible to create a malicious PostScript Printer Description (PPD) file for a printer and manually advertise it to an exposed cups-browsed service listening on UDP port 631.
This automatically installs the malicious printer on the remote machine and makes it available for printing. When a user on that machine prints to the new printer, the malicious command embedded in the PPD is executed locally on the computer.
Commands to run when printing are added through the foomatic-rip filter, which runs commands on the device to ensure that the print job is rendered correctly.
Limited impact on the world
Although this is a remote code execution chain, it is important to note from the outset that an attacker would need to overcome several obstacles to exploit the vulnerability and actually achieve remote code execution.
First, the cups-browsed daemon must be enabled on the target system so that it exposes UDP port 631 on the network (it is usually not enabled by default). Next, the attacker must trick the user into printing to the malicious printer, served from the local network, that suddenly appears on the user’s machine.
“This is a chain of bugs that relies on spoofing printers within the local network, and is automatically added by network discovery if the printer is turned on, which is usually not the default setting. Then other unvalidated variables used to exploit the vulnerability execute code within the CUPS system, but only when a print job is triggered,” said Ilkka Turunen, Field CTO at Sonatype.
“Good news, then. Although this is an RCE, there are some mitigations in place, including the fact that the attacker must be able to connect to the computer via UDP. UDP is widely disabled at network entrances, and the service is typically not turned on by default. Real-world impact is low.”
For these reasons, Red Hat has rated the severity impact of these flaws as Important rather than Critical.
BleepingComputer’s tests showed that most Linux servers do not have the service enabled by default, but one Ubuntu VM did have the service enabled. Some people also pointed out on Twitter that cups-browsed is enabled by default on their Linux devices.
There is no patch, but mitigations are available
Patches are still in development, but the mitigations shared by Red Hat allow administrators to break the exploit chain by stopping the cups-browsed service and preventing it from starting again on reboot, using the following commands:
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
Red Hat users can also check whether cups-browsed is running on their system using the following command:
sudo systemctl status cups-browsed
If the output shows “Active: inactive (dead)”, the exploit chain is broken and your system is not vulnerable. If the output shows “running” or “enabled”, and the “BrowseRemoteProtocols” directive in the configuration file /etc/cups/cups-browsed.conf contains the value “cups”, your system is vulnerable.
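The two checks described above (service state and the BrowseRemoteProtocols directive) combined into one script, added here as an example that is not from the article or the CUPS project. It assumes a systemd host; treating a missing directive as “dnssd cups” is an assumption about the upstream default, not something the article states.

```shell
#!/bin/sh
# Added example (not from the article or from CUPS): checks whether the
# cups-browsed exploit chain is open on this host.

# Returns 0 when the effective BrowseRemoteProtocols line in the given
# cups-browsed.conf lists "cups" (last uncommented directive wins), else 1.
browse_remote_includes_cups() {
    conf="$1"
    [ -r "$conf" ] || return 1
    line=$(grep -iE '^[[:space:]]*BrowseRemoteProtocols[[:space:]]' "$conf" | tail -n 1)
    if [ -z "$line" ]; then
        line="BrowseRemoteProtocols dnssd cups"   # assumed upstream default
    fi
    printf '%s\n' "$line" | tr 'A-Z' 'a-z' |
        awk '{ for (i = 2; i <= NF; i++) if ($i == "cups") exit 0; exit 1 }'
}

# Returns 0 when systemd reports cups-browsed as active or enabled.
cups_browsed_service_exposed() {
    systemctl is-active --quiet cups-browsed 2>/dev/null && return 0
    systemctl is-enabled --quiet cups-browsed 2>/dev/null && return 0
    return 1
}

# Prints a verdict for this host. Exit 2 means vulnerable by the article's test.
report_host() {
    conf="${1:-/etc/cups/cups-browsed.conf}"
    if ! cups_browsed_service_exposed; then
        echo "cups-browsed is inactive and disabled: exploit chain broken"
        return 0
    fi
    if browse_remote_includes_cups "$conf"; then
        echo "cups-browsed is running/enabled and $conf enables cups browsing: vulnerable"
        echo "mitigate: sudo systemctl stop cups-browsed && sudo systemctl disable cups-browsed"
        return 2
    fi
    echo "cups-browsed is running/enabled, but cups is not in BrowseRemoteProtocols"
    return 1
}

# With --host, check this machine; otherwise parse a constructed sample config.
if [ "$1" = "--host" ]; then
    report_host "$2"
else
    sample=$(mktemp)   # constructed sample: commented-out "cups", live line without it
    printf '# BrowseRemoteProtocols dnssd cups\nBrowseRemoteProtocols dnssd\n' > "$sample"
    if browse_remote_includes_cups "$sample"; then echo "sample: cups enabled"; else echo "sample: cups not enabled"; fi
    rm -f "$sample"
fi
```

Run with `sh check-cups-browsed.sh --host` to test the local machine; the config parser can also be pointed at a copied cups-browsed.conf from another host.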