Beneath sure situations, attackers can chain a set of vulnerabilities in a number of parts of the CUPS open-source printing system to execute arbitrary code remotely on weak machines.
Tracked as CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters) and found by Simone Margaritelli, these safety flaws do not have an effect on techniques of their default configuration.
CUPS (brief for Widespread UNIX Printing System) is essentially the most extensively used printing system on Linux techniques, and additionally it is typically supported on gadgets operating Unix-like working techniques akin to FreeBSD, NetBSD, and OpenBSD and their derivates.
One in all its parts is the cups-browsed daemon, which searches the native community for marketed community or shared printers and makes them obtainable for printing on the machine. That is just like how Home windows and Macs can search the community for distant community printers to print to.
Margaritelli discovered that if the cups-browsed daemon is enabled, which isn’t on most techniques, it’ll hear on UDP port 631. It would additionally, by default, enable distant connections from any machine on the community to create a brand new printer.
He found he may create a malicious PostScript Printer Description (PPD) printer that may very well be manually marketed to an uncovered cups-browsed service operating on UDP port 631.
This causes the distant machine to mechanically set up the malicious printer and make it obtainable for printing. If the person on that uncovered server prints to the brand new printer, the malicious command within the PPD can be executed domestically on the pc.
The command to execute when printing is added by means of a foomatic-rip filter, which executes instructions on a tool so {that a} print job is rendered appropriately.
Restricted world impression
Whereas it is a distant code execution chain, it must be famous from the beginning that attackers should overcome some obstacles to take advantage of the vulnerabilities and truly obtain distant code execution.
The primary is that the focused techniques should have the cups-browsed daemon enabled, which is normally not enabled by default, to reveal their UDP ports on a community. Then, the attacker has to trick a person into printing from a malicious printer server on their native community that out of the blue seems on their machine.
“It’s a chain of bugs that depend on spoofing a printer in your native community that’s mechanically added through community discovery whether it is turned on in any respect – normally not in its default configuration. Then an unverified variable that’s used to take advantage of different vulnerabilities within the CUPS system to execute code, however solely when a print job is triggered,” stated Ilkka Turunen, Area CTO at Sonatype.
“Excellent news then – it’s an RCE however with a number of mitigations, together with the very fact the attacker wants to have the ability to hook up with a pc through UDP which is extensively disabled on community ingress and the service is normally not on by default. It looks as if the true world impression is low.”
For these causes, Purple Hat has rated the failings as having an “Essential” severity impression as a substitute of important.
Whereas BleepingComputer’s checks confirmed that almost all of our Linux servers didn’t have the service enabled by default, one in every of our Ubuntu VMs did. Others have additionally famous on Twitter that cups-browsed was enabled by default on their Linux gadgets.
No patches, however mitigation measures can be found
Whereas patches are nonetheless in improvement, Purple Hat shared mitigation measures requiring admins to cease the cups-browsed service from operating and forestall it from being began on reboot utilizing the next instructions to interrupt the exploit chain:
sudo systemctl cease cups-browsed
sudo systemctl disable cups-browsed
Purple Hat customers also can use the next command to search out out if cups-browsed is operating on their techniques:
sudo systemctl standing cups-browsed
If the end result shows “Lively: inactive (useless),” then the exploit chain is halted, and the system will not be weak. If the end result exhibits “operating” or “enabled,” and the “BrowseRemoteProtocols” directive comprises the worth “cups” within the configuration file /and so forth/cups/cups-browsed.conf, then the system is weak.
