
RCE Zero Day Vulnerabilities in CUPS Put Linux Systems at Risk

Posted: October 1, 2024

A new series of vulnerabilities in the Common Unix Printing System (CUPS) threatens numerous Linux systems, potentially allowing remote code execution (RCE). This affects a wide range of platforms, including Debian, Red Hat, SUSE and macOS.

The vulnerabilities—tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177—are believed to endanger over 76,000 devices, with estimates suggesting up to 300,000 could be affected.

Here is a detailed breakdown of the vulnerabilities, their causes, and the implications for affected systems.

Key Vulnerabilities and Risk Analysis

CVE-2024-47076

Affected Versions – libcupsfilters <= 2.1b1

Severity: High
CVSSv3.0: Base Score: 8.6 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Exploit available in public: No
Exploit complexity: Low

This vulnerability stems from improper input validation in the libcupsfilters library. An attacker can send malformed data to the library and use it to compromise the CUPS system.

CVE-2024-47175

Affected Versions – libppd <= 2.1b1

Severity: High
CVSSv3.0: Base Score: 8.6 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Exploit available in public: No
Exploit complexity: High

This flaw is due to insufficient input verification in the libppd library, which allows unverified data to be written into PPD files and so makes injection of malicious content into those files possible.

CVE-2024-47176

Affected Versions – cups-browsed <= 2.0.1

Severity: High
CVSSv3.0: Base Score: 8.4 High
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Exploit available in public: No
Exploit complexity: Low

This vulnerability involves a weakness in the cups-browsed service, which listens on UDP port 631. An unauthenticated attacker can send specially crafted packets that point the service at an attacker-controlled URL, which ultimately leads to the execution of arbitrary commands.

The failure to adequately restrict access to this port increases the risk of exploitation, particularly when services are exposed to the internet or untrusted networks.

CVE-2024-47177

Affected Versions – cups-filters <= 2.0.1

Severity: High
CVSSv3.0: Base Score: 9.1 Critical
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploit available in public: No
Exploit complexity: Low

A command injection vulnerability in the cups-filters library allows attackers to use the FoomaticRIPCommandLine parameter to execute any command on the target system.

Exploitation Path – RCE Attack Chain in CUPS

The attack chain begins with CVE-2024-47176, where an attacker exploits a vulnerability in the cups-browsed service, causing it to accept requests from any network interface. This allows the attacker to register a rogue printer on the victim’s system.

Next, the attacker leverages CVE-2024-47076 to inject harmful printer attributes into the print server through libcupsfilters, altering how the server processes print jobs.

Following that, CVE-2024-47175 is exploited in libppd, allowing the attacker to introduce a malicious PostScript Printer Description (PPD) file. This file includes specific settings that permit the execution of arbitrary commands.

Finally, the attacker takes advantage of CVE-2024-47177, a command injection vulnerability in cups-filters, allowing them to execute the malicious code when the victim triggers a print job to the rogue printer.

How to Check If Your System Is Vulnerable

Users can check the status of the cups-browsed service using the command:

systemctl status cups-browsed

If it shows “Active: inactive (dead),” the system is not affected. If it’s “running” or “enabled,” the system may be at risk.
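The status check above only looks at the unit's current state. The script below is an added example (it is not from the article and not part of the CUPS project) that also records whether the unit is enabled to start at boot and whether any UDP socket is bound to port 631, and then classifies the host. The decision logic is kept in its own function so it can be exercised with constructed inputs; the probe function is the part that talks to systemd and ss.

```shell
#!/bin/sh
# Added example, not code from the article or from CUPS/cups-filters.
# Classifies a host's exposure to the cups-browsed issue from three facts:
#   active  - output of "systemctl is-active cups-browsed"  (active/inactive/...)
#   enabled - output of "systemctl is-enabled cups-browsed" (enabled/disabled/...)
#   udp631  - "yes" if some UDP socket is bound to port 631, otherwise "no"
# Prints one token: at-risk, at-risk-on-reboot or not-exposed.
classify_cups_browsed() {
    active="$1"; enabled="$2"; udp631="$3"
    if [ "$active" = "active" ] || [ "$udp631" = "yes" ]; then
        # Running now, or something is already listening on the cups-browsed port.
        echo "at-risk"
    elif [ "$enabled" = "enabled" ]; then
        # Stopped at the moment, but systemd will bring it back after a reboot.
        echo "at-risk-on-reboot"
    else
        echo "not-exposed"
    fi
}

# Gather the live values from the running system and explain the verdict.
probe_cups_browsed() {
    # systemctl prints the state word and exits non-zero for inactive/disabled,
    # so neutralise the exit code and default to "unknown" if nothing was printed.
    active=$(systemctl is-active cups-browsed 2>/dev/null || true)
    enabled=$(systemctl is-enabled cups-browsed 2>/dev/null || true)
    : "${active:=unknown}" "${enabled:=unknown}"

    # ss -lun lists UDP listeners; the local address column ends in ":631".
    if ss -lun 2>/dev/null | grep -qE ':631([[:space:]]|$)'; then
        udp631=yes
    else
        udp631=no
    fi

    verdict=$(classify_cups_browsed "$active" "$enabled" "$udp631")
    case "$verdict" in
        at-risk)
            echo "at-risk: cups-browsed is $active, UDP 631 bound: $udp631 - stop it or apply a mitigation" ;;
        at-risk-on-reboot)
            echo "at-risk-on-reboot: unit is $active but $enabled - disable it as well" ;;
        *)
            echo "not-exposed: cups-browsed is $active and $enabled, UDP 631 bound: $udp631" ;;
    esac
}

# Usage on a live host:
#   probe_cups_browsed
```

Note that "not-exposed" means the service is neither running nor set to start; it says nothing about whether the installed cups-browsed, cups-filters, libcupsfilters and libppd packages have been updated, which is still required for a complete fix.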

Mitigation Strategies

Red Hat Mitigation

Stopping CUPS Services – To quickly stop the cups-browsed service, run this command:

sudo systemctl stop cups-browsed

To prevent the cups-browsed service from starting on reboot, execute:

sudo systemctl disable cups-browsed

Debian Mitigation

Server Environments – For servers, stop and remove the cups-browsed package to mitigate risks.

Client/Desktop Systems – For client or desktop systems, remove cups from the BrowseRemoteProtocols line in the /etc/cups/cups-browsed.conf file and restart the cups-browsed service.
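The following script is an added example (not Indusface's code and not part of cups-filters) that applies the client/desktop edit just described without touching anything else in the file: it removes the word "cups" from the active BrowseRemoteProtocols directive, keeps any other protocol such as dnssd, writes "none" if cups was the only value, and backs the file up first. It assumes that when no active directive is present cups-browsed falls back to a built-in default that includes cups, so in that case it appends an explicit directive listing only dnssd.

```shell
#!/bin/sh
# Added example, not from the article or the cups-filters project.
# Applies the Debian client/desktop mitigation to a cups-browsed.conf file.

# Return 0 (true) if the file has an active BrowseRemoteProtocols line that lists "cups".
# Commented-out lines start with "#", so their first field never matches.
browse_cups_enabled() {
    awk 'tolower($1) == "browseremoteprotocols" {
             for (i = 2; i <= NF; i++) if (tolower($i) == "cups") found = 1
         }
         END { exit found ? 0 : 1 }' "$1"
}

# Rewrite the file in place, dropping "cups" from the directive.
harden_browse_protocols() {
    conf="$1"
    tmp="$conf.tmp.$$"
    cp "$conf" "$conf.bak"            # keep a backup of the original configuration
    awk 'tolower($1) == "browseremoteprotocols" {
             line = $1
             for (i = 2; i <= NF; i++) if (tolower($i) != "cups") line = line " " $i
             # cups was the only protocol: leave an explicit "none" rather than an empty directive
             if (line == $1) line = line " none"
             print line; next
         }
         { print }' "$conf" > "$tmp" && mv "$tmp" "$conf"

    # Assumption: without an active directive cups-browsed uses a built-in default
    # that includes cups, so write the setting explicitly with dnssd only.
    if ! grep -qiE '^[[:space:]]*BrowseRemoteProtocols' "$conf"; then
        printf 'BrowseRemoteProtocols dnssd\n' >> "$conf"
    fi
}

# Usage (as root on a Debian client, then restart the service as the advisory says):
#   harden_browse_protocols /etc/cups/cups-browsed.conf
#   systemctl restart cups-browsed
```

After running it, browse_cups_enabled should return non-zero for the edited file; if it still returns 0, inspect the file by hand before restarting cups-browsed.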

Ubuntu Upgrade Instructions

To correct the identified vulnerabilities, update your system to the following package versions:

Ubuntu 22.04

  • cups-browsed: 1.28.15-0ubuntu1.3
  • cups-filters: 1.28.15-0ubuntu1.3

Ubuntu 20.04

  • cups-browsed: 1.27.4-1ubuntu0.3
  • cups-filters: 1.27.4-1ubuntu0.3

A regular system update will apply all the required changes.

Temporary Protection

If immediate upgrades are not feasible, consider the following temporary measures:

  • Block incoming UDP packets to the cups-browsed port (631 by default) at the firewall, or restrict access to it to an allowlist of trusted hosts.
  • If printing services are not required, disable the cups-browsed process altogether.

Recommendations

  • Use the Latest Version: Always use the latest stable version of CUPS. Updates often contain important security patches that mitigate newly discovered vulnerabilities.
  • Implement Backup and Recovery: Regularly back up CUPS configuration files and logs. In the event of a security incident, this allows for quicker recovery and forensic analysis.
  • Compliance Checks: Ensure compliance with relevant security frameworks (e.g., NIST, ISO 27001) to strengthen the security posture around printing systems.

Vivek Chanchal - Security Researcher

Vivek Chanchal is a security researcher at Indusface. He is a certified network security expert by Fortinet and ISCI. He is a bug bounty hunter and a pentester and has reported vulnerabilities on multiple websites through platforms like HackerOne and Bugcrowd. He is also a CTF player on Hack The Box.
