A set of serious security vulnerabilities has emerged in the OpenPrinting Common Unix Printing System (CUPS), potentially allowing for remote command execution on Linux systems under specific circumstances. Security researcher Simone Margaritelli detailed that an unauthenticated remote attacker could exploit these vulnerabilities to alter or install printer IPP URLs, which could lead to arbitrary command execution when a print job is initiated from the affected system.
CUPS, an open-source and standards-compliant printing framework, is essential for various Linux and Unix-like distributions, including ArchLinux, Debian, Fedora, Red Hat Enterprise Linux (RHEL), and others. The newly disclosed vulnerabilities present significant risks, as they could be used to create exploits leveraging a fraudulent printer on any network-accessible Linux system running CUPS.
The identified vulnerabilities include a range of issues in components such as cups-browsed, libcupsfilters, libppd, and cups-filters. Notable examples are CVE-2024-47176, which describes a situation where cups-browsed can receive unverified packets from any source, and CVE-2024-47076, where libcupsfilters does not validate IPP attributes from servers, offering a pathway for attackers to inject malicious data into the CUPS system. Each of these issues contributes to a wider exploit chain that attackers might leverage to execute malicious code remotely.
According to network security company Ontinue, these vulnerabilities stem from inadequate validation of incoming network data, permitting attackers to trick the system into installing a malicious printer driver and executing harmful code under the context of the lp user—albeit not as the superuser ‘root.’
In response to the issue, RHEL noted in an advisory that while all versions of its operating system are affected, the vulnerabilities do not pose a risk under default configurations. Nevertheless, the situation is serious enough to warrant an “Important” severity designation, even though the real-world impact is deemed to be relatively low.
Exploitation is possible mainly when UDP port 631 is accessible and the vulnerable CUPS service is actively listening, according to cybersecurity firm Rapid7. Notably, however, many organizations running CUPS are likely to have protective measures in place, limiting exposure to these risks. Palo Alto Networks has also reported that none of its products incorporate the affected versions of CUPS, thereby remaining unimpacted by these vulnerabilities.
Patching efforts are reportedly in progress, with fixes anticipated soon. In the interim, organizations are advised to deactivate the cups-browsed service where it is unnecessary and to implement network restrictions on UDP port 631 to mitigate potential exploits.
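The two conditions above (UDP 631 reachable and cups-browsed listening) can be checked from artifacts an administrator already has. The following is an added example, not code from the article or the CUPS project; it parses a constructed sample of `ss -ulpn` output and a constructed cups-browsed.conf, and assumes the standard `BrowseRemoteProtocols` directive of cups-browsed.conf as the setting that controls remote printer discovery.

```python
"""Exposure check for the cups-browsed / UDP 631 condition (added example)."""
import re

# Constructed sample of `ss -ulpn` output on an exposed host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0            0.0.0.0:631        0.0.0.0:*     users:(("cups-browsed",pid=812,fd=7))
UNCONN 0      0          127.0.0.1:323        0.0.0.0:*     users:(("chronyd",pid=600,fd=5))
"""

# Constructed sample of /etc/cups/cups-browsed.conf with the default protocols.
SAMPLE_CONF = """\
# cups-browsed.conf
BrowseRemoteProtocols dhcp cups
BrowseAllow 10.0.0.0/8
"""

# Matches an unconnected UDP socket bound to port 631; group 1 is the local address.
LISTEN_RE = re.compile(r"^UNCONN\s+\S+\s+\S+\s+(\S+):631\s")


def udp631_listeners(ss_output: str) -> list[str]:
    """Return the local addresses on which UDP 631 is bound."""
    return [m.group(1) for m in map(LISTEN_RE.match, ss_output.splitlines()) if m]


def browsing_enabled(conf_text: str) -> bool:
    """True unless the config sets 'BrowseRemoteProtocols none' (assumed directive)."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.lower().startswith("browseremoteprotocols"):
            protos = line.split()[1:]
            return bool(protos) and protos != ["none"]
    return True   # directive absent: cups-browsed listens by default


def assess(ss_output: str, conf_text: str) -> list[str]:
    """Combine both signals into the findings a defender would act on."""
    findings = []
    wide_open = [a for a in udp631_listeners(ss_output) if a in ("0.0.0.0", "*", "[::]")]
    if wide_open:
        findings.append("UDP 631 bound on all interfaces: " + ", ".join(wide_open))
    if browsing_enabled(conf_text):
        findings.append("cups-browsed accepts remote printer announcements "
                        "(set 'BrowseRemoteProtocols none' or stop/disable cups-browsed)")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_SS, SAMPLE_CONF):
        print("FINDING:", finding)
```

On a real host, feed `assess()` the live output of `ss -ulpn` and the contents of `/etc/cups/cups-browsed.conf`; an empty result means neither exposure condition from the article is present.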
Furthermore, Akamai’s research highlights that an estimated 75,000 devices globally are exposing CUPS services to the internet, with significant occurrences reported in South Korea, the United States, Hong Kong, Germany, and China. This exposure presents a concerning landscape, given how few steps an attacker would need to take to exploit it.
In an effort to assist organizations in assessing their vulnerabilities, security researcher Marcus Hutchins has provided an automated scanner on GitHub aimed at identifying devices susceptible to CVE-2024-47176. Given the complexities surrounding these attacks, organizations must remain vigilant and proactive in their security approaches.