Linux CUPS Printing Systems Multiple Vulnerabilities
Overview
The SonicWall Capture Labs threat research team became aware of multiple bugs leading to remote code execution in a CUPS-browsed system, assessed their impact, and developed mitigation measures. CUPS (Common Unix Printing System) is an open-source standard printing system for many Unix-like operating systems, such as GNU/Linux distributions and macOS. Although it is commonly included, CUPS is not always enabled by default, for example on Red Hat. Enabling the cups-browsed service allows a computer to function as a network print server through the Internet Printing Protocol (IPP).
Identified as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177, these flaws in cups-browsed versions before 2.0.1, when chained together, allow an unauthenticated threat actor to achieve arbitrary code execution through an open print job via IPPServer. Considering that publicly available proof-of-concept (PoC) code exists for this vulnerability and the popularity of CUPS-browsed systems among threat actors, exploitation is more likely to occur in the next several months. On the local network, an attacker can spoof zeroconf, mDNS, or DNS-SD advertisements to reach the same exploit path, leading to remote code execution. Users are strongly encouraged to stop and disable the cups-browsed service and/or block port 631 if it is not needed, as per the advisory.
Technical Overview
The chain of vulnerabilities arises from a flaw in how the application accepts unsolicited connections carrying an arbitrary URL on UDP port 631. Within the CVE chain, CVE-2024-47176 is the entry point: cups-browsed, as part of the CUPS system, allows anyone to announce new printers, which are then automatically added to the system. This binding occurs on UDP port 631 without notifying the user or obtaining consent, as shown in Figure 1.
Figure 1: CVE-2024-47176
Once the exploit sends the arbitrary URL to the victim on UDP port 631, as shown in Figure 1, the attacker's machine automatically appears in the victim's printer list. After that, the attacker must wait for the victim to print any file using the attacker's printer, which is already on the victim's printer list.
Due to CVE-2024-47076, the function cfGetPrinterAttributes5 does not validate the IPP attributes returned from an IPP server, allowing an attacker to inject a malicious payload along with the attributes. Chaining this with CVE-2024-47175, the function ppdCreatePPDFromIPP2 does not validate the IPP attributes when writing them to a temporary PostScript Printer Description (PPD) file, allowing an attacker to write a malicious payload into the PPD.
Finally, CVE-2024-47177 allows execution of an arbitrary command placed in the FoomaticRIPCommandLine parameter (for example, echo 1 > /tmp/I_AM_VULNERABLE) when a print job is sent to the fake printer.
Figure 2: Arbitrary code Injection in CUPS system
Exploitation
Exploiting this vulnerability allows a remote threat actor to execute arbitrary code on the server with system privileges. It has a severe impact on the system's confidentiality, integrity, and availability and does not require user interaction.
We leveraged the publicly available PoC to achieve remote code execution on CUPS system 2.0.1. The primary requirement for exploiting these vulnerabilities is that UDP port 631 be open on the target. An attacker sends a malicious UDP packet that points the victim machine at an attacker-controlled IPP server. The victim system's cups-browsed service then connects back to that server and retrieves printer attributes that include malicious PPD directives. When a print job starts on this fake printer, these PPD directives allow the attacker's code to run on the target system, resulting in remote code execution, as seen in Figure 3.
Figure 3: CUPS RCE
SonicWall Protections
To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:
- IPS: 20394 CUPS Get-Printer-Attributes IPP Request
- IPS: 20380 CUPS foomatic-rip Command Injection
Remediation Recommendations
Administrators should ensure that a host-based firewall is running to secure the affected UDP port 631. Red Hat users can configure firewalld, and Ubuntu users can configure ufw (which is disabled by default). Users should stop and disable the cups-browsed service if it is not needed.
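Alongside disabling the service, a responder will want to know whether a spoofed printer has already been added. Every queue cups-browsed creates leaves a PPD file, and the command CVE-2024-47177 executes lives in its FoomaticRIPCommandLine directive. The following triage script is an added example (not SonicWall's or the CUPS project's code): it parses PPD files under /etc/cups/ppd (path assumed; the heuristics and the sample PPD bodies are constructed for illustration) and flags command lines containing shell constructs a printer driver should not need.

```python
"""Triage PPD files for injected FoomaticRIPCommandLine directives (CVE-2024-47177).

Added example, not code from the advisory or from CUPS. Hits are heuristic
and need human review; a benign driver line can legitimately contain pipes.
"""
import re
from pathlib import Path

# A PPD directive is `*Keyword: "value"`; the quoted value may span several lines.
RIP_CMDLINE = re.compile(r'^\*FoomaticRIPCommandLine:\s*"(.*?)"\s*$', re.M | re.S)

# Constructs a driver command line rarely needs. `(?<!\d)` skips fd redirects such
# as "2>/dev/null"; an unnumbered redirect to an absolute path ("> /tmp/...") is flagged.
SUSPICIOUS = {
    "file_redirect": re.compile(r'(?<!\d)>{1,2}\s*/'),
    "command_separator": re.compile(r';|&&|\|\|'),
    "command_substitution": re.compile(r'\$\(|`'),
}

def suspicious_reasons(cmdline: str) -> list[str]:
    """Names of the heuristics that match one FoomaticRIPCommandLine value."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(cmdline)]

def scan_ppd_text(text: str) -> list[dict]:
    """Every FoomaticRIPCommandLine in a PPD body, with the heuristics it trips."""
    return [{"command": m.group(1), "reasons": suspicious_reasons(m.group(1))}
            for m in RIP_CMDLINE.finditer(text)]

def scan_ppd_dir(directory: str = "/etc/cups/ppd") -> dict[str, list[dict]]:
    """Map each PPD path that trips at least one heuristic to its findings."""
    results = {}
    for path in sorted(Path(directory).glob("*.ppd")):
        hits = [f for f in scan_ppd_text(path.read_text(errors="replace")) if f["reasons"]]
        if hits:
            results[str(path)] = hits
    return results

# Constructed samples: a benign Foomatic driver line and the advisory's injected command.
BENIGN_PPD = ('*PPD-Adobe: "4.3"\n*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER '
              '-dNOPAUSE -sDEVICE=ljet4 -sOutputFile=- -"\n')
INJECTED_PPD = '*PPD-Adobe: "4.3"\n*FoomaticRIPCommandLine: "echo 1 > /tmp/I_AM_VULNERABLE"\n'

if __name__ == "__main__":
    for ppd, findings in scan_ppd_dir().items():
        for f in findings:
            print(f"{ppd}: {', '.join(f['reasons'])}: {f['command']}")
```

The PPD file name under /etc/cups/ppd matches the queue name, which identifies the spoofed printer to remove.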
Relevant Links