Under certain conditions, attackers can chain a set of vulnerabilities in several components of the CUPS open-source printing system to execute arbitrary code remotely on vulnerable machines.
Tracked as CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters) and found by Simone Margaritelli, these security flaws do not affect systems in their default configuration.
CUPS (short for Common UNIX Printing System) is the most widely used printing system on Linux, and it is also commonly supported on devices running Unix-like operating systems such as FreeBSD, NetBSD, and OpenBSD and their derivatives.
One of its components is the cups-browsed daemon, which searches the local network for advertised network or shared printers and makes them available for printing on the machine. This is similar to how Windows and Macs can discover remote network printers to print to.
Margaritelli found that if the cups-browsed daemon is enabled, which it is not on most systems, it listens on UDP port 631. By default it also accepts remote connections from any device on the network that ask it to create a new printer.
He discovered he could craft a malicious PostScript Printer Description (PPD) for a printer and advertise it manually to an exposed cups-browsed service listening on UDP port 631.
This causes the remote machine to automatically install the malicious printer and make it available for printing. If a user on that exposed host prints to the new printer, the malicious command embedded in the PPD is executed locally on that computer.
The command that runs at print time is injected through the foomatic-rip filter, which executes commands on the device so that a print job is rendered correctly.
Limited real-world impact
While this is a remote code execution chain, it should be noted from the start that attackers must overcome several obstacles to exploit the vulnerabilities and actually achieve remote code execution.
The first is that the targeted systems must have the cups-browsed daemon enabled, which is usually not the case by default, so that its UDP port is exposed on the network. Then, the attacker has to trick a user into printing to a malicious printer that suddenly appears on their machine from a rogue print server on the local network.
“It’s a chain of bugs that rely on spoofing a printer on your local network that is automatically added via network discovery if it is turned on at all – usually not in its default configuration. Then an unverified variable that’s used to exploit other vulnerabilities in the CUPS system to execute code, but only when a print job is triggered,” said Ilkka Turunen, Field CTO at Sonatype.
“Good news then – it’s an RCE but with several mitigations, including the fact the attacker needs to be able to connect to a computer via UDP which is widely disabled on network ingress and the service is usually not on by default. It seems like the real world impact is low.”
For these reasons, Red Hat has rated the flaws as having an “Important” severity impact rather than critical.
While BleepingComputer’s tests showed that most of our Linux servers did not have the service enabled by default, one of our Ubuntu VMs did. Others have also noted on Twitter that cups-browsed was enabled by default on their Linux devices.
No patches, but mitigation measures are available
While patches are still in development, Red Hat shared mitigation measures that require admins to stop the cups-browsed service and prevent it from being started again on reboot, using the following commands to break the exploit chain:
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
Red Hat users can also use the following command to find out whether cups-browsed is running on their systems:
sudo systemctl status cups-browsed
If the result displays “Active: inactive (dead),” then the exploit chain is broken and the system is not vulnerable. If the result shows “running” or “enabled,” and the “BrowseRemoteProtocols” directive in the configuration file /etc/cups/cups-browsed.conf contains the value “cups,” then the system is vulnerable.
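The check above can be scripted. The following POSIX shell script is an added example written for this article and is not Red Hat’s or the CUPS project’s code: it parses the BrowseRemoteProtocols directive out of a cups-browsed.conf, treats a missing directive as the default “dnssd cups” (an assumption about the compiled-in default; verify against your distribution’s shipped file), and combines that with the systemd unit state. The two config files it writes are constructed samples, not real host configuration.

```shell
#!/bin/sh
# Added example, not from the article or the cups-browsed project: decide whether
# a host still has the exposure the exploit chain needs, using the two signals
# the mitigation guidance names: the cups-browsed unit state and the
# BrowseRemoteProtocols directive in /etc/cups/cups-browsed.conf.

# Print the effective BrowseRemoteProtocols value from the config file given as
# $1. Commented-out lines are ignored and the last active directive wins
# (assumed to match cups-browsed's own last-one-wins parsing). A missing file or
# absent directive yields "dnssd cups", the assumed compiled-in default.
browse_protocols_from() {
    value=""
    if [ -r "$1" ]; then
        value=$(sed -n \
            's/^[[:space:]]*BrowseRemoteProtocols[[:space:]][[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
            "$1" | tail -n 1 | tr -d '\r')
    fi
    [ -n "$value" ] || value="dnssd cups"   # assumption: default when unset
    printf '%s\n' "$value"
}

# Exit 0 when "cups" is among the protocols in config $1, which is the setting
# that lets a remote host push a printer at the daemon over UDP 631.
config_exposes_cups() {
    for proto in $(browse_protocols_from "$1" | tr '[:upper:]' '[:lower:]'); do
        [ "$proto" = "cups" ] && return 0
    done
    return 1
}

# Exit 0 when the host is exposed: the unit is running (or systemctl is absent,
# so we cannot rule it out) AND the config still enables the "cups" protocol.
host_exposed() {
    config="${1:-/etc/cups/cups-browsed.conf}"
    if command -v systemctl >/dev/null 2>&1; then
        if ! systemctl is-active --quiet cups-browsed 2>/dev/null; then
            return 1   # unit inactive: chain broken regardless of config
        fi
    fi
    config_exposes_cups "$config"
}

# Self-contained demo on two constructed config files: the pre-mitigation
# shape and the hardened one with the "cups" protocol switched off.
weak=$(mktemp)
printf 'BrowseRemoteProtocols dnssd cups\n' > "$weak"
hardened=$(mktemp)
printf '# BrowseRemoteProtocols dnssd cups\nBrowseRemoteProtocols none\n' > "$hardened"
for f in "$weak" "$hardened"; do
    if config_exposes_cups "$f"; then
        echo "$f: BrowseRemoteProtocols '$(browse_protocols_from "$f")' -> exposed"
    else
        echo "$f: BrowseRemoteProtocols '$(browse_protocols_from "$f")' -> not exposed"
    fi
done
rm -f "$weak" "$hardened"
```

Run `host_exposed` on a live machine (as root, so the config is readable) to get a single yes/no for that host; pair it with `ss -ulnp` to confirm nothing is still bound to UDP 631 after the service has been stopped. The script only inspects BrowseRemoteProtocols, the directive the advisory names; setting it to `none` removes the remote-advertisement path even if the unit is later re-enabled.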