Critical Linux CUPS Flaws Could Lead to Remote Command Execution

Fara Hain

September 30th, 2024

TL:DR

CUPS is a suite of programs and daemons that provide local and network printing capabilities on Unix-like systems such as Linux and macOS. Versions before and including 2.0.1 are vulnerable to CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters), all of which can be chained together to allow remote unauthenticated code execution. At this time there is no updated version available. Disabling CUPS or blocking remote access to UDP port 631 are the best protective measures.

What happened? Anatomy of the CUPS Remote Command Execution

Over the weekend, a security researcher Simone Margaritelli discovered a security flaw that enables an unauthenticated remote attacker to covertly modify the IPP URLs of existing CUPS printers (or add new ones) to a malicious URL. This change can lead to the execution of arbitrary commands on the computer whenever a print job is initiated from it.

If the cups-browsed daemon is enabled (which is not common on most systems), it listens on UDP port 631 and, by default, permits remote connections from any network device to set up a new printer.

By creating a malicious PostScript Printer Description (PPD) printer and manually advertising it to the exposed cups-browsed service running on UDP port 631, the

remote machine automatically installs the malicious printer, making it available for use. If a user on that exposed server prints to this newly installed printer, the malicious command embedded in the PPD will be executed locally on their computer.

Tracked as CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters) – these security flaws don’t affect systems in their default configuration.

According to Margaritelli’s blog post, quoting someone directly involved in the CUPS project: “From a generic security point of view, a whole Linux system as it is nowadays is just an endless and hopeless mess of security holes waiting to be exploited.”

Background: What is CUPS (Common UNIX Printing System)?

CUPS (Common UNIX Printing System) is the most commonly used printing system on Linux systems, and it is also generally supported on devices running Unix-like operating systems such as FreeBSD, NetBSD, and OpenBSD and their derivates.

What CUPS vulnerabilities were found?

Critical Linux CUPS Printing System Flaws Could Lead to Remote Command Execution

CUPS (Common UNIX Printing System) is a standards-based, open-source printing system. Recent several vulnerabilities CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters) were discovered and are potentially allowing hackers to remotely run code on machines that expose the service over UDP (usually, on port 631).

What are the recommended actions if you use CUPS?

It is recommended to block ports for UDP. It is a good practice to avoid open IPP services also over UDP.

As checking for affected UDP open services triggers a connection from the vulnerable machine to the attacking system, and relying on the fact that most of the detected vulnerable systems over UDP had open IPP service over TCP on the same port, IONIX marks assets as potentially affected based on services with open IPP ports (TCP). Notice, that having IPP service publicly open is also not not a good practice, and we recommend to close it as well.

What can IONIX customers do?

IONIX Customers should check their potentially impacted assets in the Threat Center tab of the portal. We took the following actions to help customers analyze their CUPS exposure:

We scanned customers with port 631 (tcp) open and IPP protocol. Having the combination of both is a good indication that customers are potentially impacted