A new set of security vulnerabilities has been discovered in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems that may allow remote command execution under certain conditions.
“A remote, unauthenticated attacker can silently replace the IPP URL of existing printers (or install new ones) with a malicious one, causing an arbitrary command to be executed (on a computer) when a print job (from that computer) is initiated,” said security researcher Simone Margaritelli.
CUPS is a standards-based, open-source printing system for Linux and other Unix-like operating systems, including ArchLinux, Debian, Fedora, Red Hat Enterprise Linux (RHEL), ChromeOS, FreeBSD, NetBSD, OpenBSD, openSUSE, and SUSE Linux.
The list of vulnerabilities is as follows:
- CVE-2024-47176 – cups-browsed <= 2.0.1 binds to UDP INADDR_ANY:631, trusting any packet from any source to make an IPP Get-Printer-Attributes request to an attacker-controlled URL
- CVE-2024-47076 – libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize IPP attributes returned from the IPP server, providing attacker-controlled data to the rest of the CUPS system
- CVE-2024-47175 – libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize IPP attributes when writing them to a temporary PPD file, allowing attacker-controlled data to be injected into the resulting PPD
- CVE-2024-47177 – cups-filters <= 2.0.1 foomatic-rip allows arbitrary commands via PPD parameter FoomaticRIPCommandLine
The ultimate consequence of these flaws is that they can be turned into an exploit chain that allows an attacker to create a malicious, spoofed print device on a networked Linux system running CUPS and cause remote code execution after sending a print job.
“The issue is caused by incorrect handling of ‘New Printer Available’ announcements in the ‘cups-browsed’ component, combined with poor validation by ‘cups’ of information provided by a malicious print resource,” network security company Ontinue said.
“The vulnerability results from inadequate validation of network data, which allows an attacker to force a vulnerable system to install a malicious printer driver and then send a print job to that driver, triggering the execution of malicious code. The malicious code is executed with the privileges of the user ‘lp’, not the superuser ‘root’.”
Red Hat said in an advisory that all versions of RHEL are affected by the four flaws, but noted that they are not vulnerable in their default configuration. It rated the issues as Important in severity, given that the real-world impact is likely to be small.
“By combining this group of vulnerabilities together, an attacker could potentially achieve remote code execution, which could then lead to the theft of sensitive data and/or damage to mission-critical production systems,” it said.
Cybersecurity firm Rapid7 noted that affected systems can be reached either from the public Internet or from other network segments, but only if UDP port 631 is exposed and the vulnerable service is listening.
Palo Alto Networks has disclosed that none of its products and cloud services contain the aforementioned CUPS-related software packages and are therefore not affected by the flaws.
Patches for the vulnerabilities are currently being developed and are expected to be released in the coming days. Until then, it is recommended that you disable and remove the cups-browsed service if you do not need it, and block or limit traffic to UDP port 631.
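The exposure check and interim mitigation described above, as an added example that is not part of the original article or of the CUPS project: it reports whether this host has a UDP/631 listener bound to a wildcard address (the socket cups-browsed opens per CVE-2024-47176) and prints the recommended mitigation. It assumes `ss` from iproute2 is installed, and that `BrowseRemoteProtocols none` in /etc/cups/cups-browsed.conf is the directive that turns off remote printer discovery (an assumption about the cups-browsed configuration, to be verified against the installed version).

```shell
#!/bin/sh
# Added example, not from the article or the CUPS project. Checks for the UDP/631
# listener cups-browsed binds (CVE-2024-47176) and prints the mitigation steps.
# Assumptions: `ss` (iproute2) is present; `BrowseRemoteProtocols none` is the
# cups-browsed.conf setting that disables remote printer announcements.

# Read `ss -lun` output on stdin. Exit 0 when any UDP socket is bound to port 631
# on a wildcard address (0.0.0.0, [::] or *), i.e. reachable from the network.
udp631_wildcard_listener() {
  awk '$4 ~ /^(0\.0\.0\.0|\*|\[::\]):631$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Read cups-browsed.conf on stdin. Exit 0 when the last active (uncommented)
# BrowseRemoteProtocols line is set to none, so remote announcements are ignored.
browse_remote_disabled() {
  awk 'tolower($1) == "browseremoteprotocols" { ok = (tolower($2) == "none") }
       END { exit ok ? 0 : 1 }'
}

# Returns 0 when no wildcard listener was found, 1 when exposed, 2 when unknown.
main() {
  conf=/etc/cups/cups-browsed.conf
  if ! command -v ss >/dev/null 2>&1; then
    echo "ss not found; cannot inspect listening sockets" >&2
    return 2
  fi
  if ss -lun 2>/dev/null | udp631_wildcard_listener; then
    echo "EXPOSED: a UDP/631 listener is bound to a wildcard address."
    if [ -r "$conf" ] && browse_remote_disabled < "$conf"; then
      echo "  Note: $conf already sets BrowseRemoteProtocols none."
    fi
    echo "  Mitigation (as root): systemctl stop cups-browsed; systemctl disable cups-browsed"
    echo "  or set 'BrowseRemoteProtocols none' in $conf and restart cups-browsed,"
    echo "  and block inbound UDP/631 at the host or network firewall."
    return 1
  fi
  echo "OK: no wildcard UDP/631 listener found."
  return 0
}

# Run the check; $status keeps main's result so the file can also be sourced.
status=0
main "$@" || status=$?
```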
“It appears that the embargoed Linux RCE vulnerabilities that are advertised as end-to-end for Linux systems may only affect a subset of systems,” said Benjamin Harris, CEO of WatchTowr, in a statement shared with The Hacker News.
“With this in mind, while the vulnerabilities are serious from a technical impact perspective, it is much less likely that desktops/workstations running CUPS will be exposed to the Internet in the same way or to the same extent as typical Linux server releases.”
Satnam Narang, senior research engineer at Tenable, said these vulnerabilities are not at the level of Log4Shell or Heartbleed.
“The reality is that there are countless vulnerabilities in any software, whether it’s open source or closed source, that have yet to be discovered and disclosed,” Narang said. “Security research is vital to this process, and we can and should demand better from software vendors.”
“For organizations patching these latest vulnerabilities, it’s important to emphasize that the flaws of greatest impact and concern are the known vulnerabilities that continue to be exploited by advanced persistent threat groups linked to nation states and by ransomware affiliates, who steal millions of dollars from corporations each year.”