Critical Unauthenticated RCE in CUPS

On September 26, 2024, after several days of build-up around a vulnerability with a CVSS score of 9.9 that purportedly affects a wide variety of Unix-based systems, researcher Simone Margaritelli (@evilsocket) disclosed details of the remote code execution (RCE) attack. The disclosed exploit chains four vulnerabilities (CVE-2024-47176, CVE-2024-47076, CVE-2024-47115, CVE-2024-47177) affecting the CUPS service in Unix-based operating systems. Red Hat released information on the vulnerability, including mitigation guidance, though it notes that RHEL is not vulnerable in its default configuration.

The Attack

The attack chain begins with cups-browsed, the CUPS service that discovers new printers. By default it binds to UDP port 631 on every interface and does not restrict which hosts may connect to it. If the port is reachable, an attacker can send an IPP packet to it that registers a new printer located at a URL on attacker-controlled infrastructure. When that happens, the attributes of the attacker-controlled remote printer are retrieved from the supplied URL and written, unsanitized, to a temporary file on the system.

One of these attributes specifies a filter: a program on the local system that converts any format the printer does not support into one it does. The researcher focused on a filter known as foomatic, which has been a common target for exploitation because it accepts a command-line directive from the printer's attributes and executes whatever command that directive contains. CUPS has not integrated fixes for some of these decade-old weaknesses in the foomatic filter because doing so would break compatibility with many printers that depend on the permissiveness of that directive.

Once all these pieces are in place, the attack only requires a print job to be sent to the rogue printer. The job is processed through the filter, and the arbitrary command is executed.

Mitigations

There is no official patch available at this time to address any of these vulnerabilities. If your environment allows it, disable cups-browsed. Much of the network traffic needed for the attack can also be blocked at the firewall on port 631. If cups-browsed and an open port 631 are both necessary in your environment, consider hardening the cups-browsed service by listing which hosts are allowed or denied in /etc/cups/cups-browsed.conf. See the man page for this configuration file for the specifics of these settings.
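As an added example (not code from the original post or from the CUPS project), the following POSIX shell script checks a host against the two conditions discussed above: whether anything is bound to UDP 631, and whether /etc/cups/cups-browsed.conf either turns off remote printer discovery or restricts which hosts it trusts. The directive names BrowseRemoteProtocols, BrowseAllow and BrowseDeny come from cups-browsed.conf(5); treating "BrowseRemoteProtocols none" as disabled and any BrowseAllow/BrowseDeny rule as restricted is this script's own classification, and the sample configuration it builds for the demonstration is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or the CUPS project.
# Audits a host against the cups-browsed mitigations described above.
# Directive names are from cups-browsed.conf(5); the classification
# rules below are this script's own assumption.

# Print the effective directives of a config file: comments, blank
# lines and surrounding whitespace removed. Always exits 0.
effective_directives() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | awk 'NF'
}

# Classify a cups-browsed.conf as one of:
#   disabled   - "BrowseRemoteProtocols none": remote printer announcements are ignored
#   restricted - at least one BrowseAllow/BrowseDeny rule limits which hosts are trusted
#   open       - neither: any host that can reach UDP 631 may register a printer
# Only the first word after BrowseRemoteProtocols is inspected (assumption).
cups_browsed_conf_status() {
    directives=$(effective_directives "$1")
    remote=$(printf '%s\n' "$directives" \
        | awk 'tolower($1) == "browseremoteprotocols" { print tolower($2) }' | tail -n 1)
    if [ "$remote" = "none" ]; then
        echo disabled
        return 0
    fi
    if printf '%s\n' "$directives" \
        | awk 'tolower($1) == "browseallow" || tolower($1) == "browsedeny" { found = 1 }
               END { exit found ? 0 : 1 }'; then
        echo restricted
        return 0
    fi
    echo open
}

# Exit status 0 if any socket on this host is bound to UDP 631, else 1.
# Uses ss(8) from iproute2; the local address is the fourth column of "ss -uln".
udp631_listening() {
    ss -uln 2>/dev/null | awk '$4 ~ /:631$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Demonstration on a constructed config (everything commented out, as in
# a stock file, which leaves cups-browsed wide open), then on the real host.
demo_dir=$(mktemp -d)
cat > "$demo_dir/cups-browsed.conf" <<'EOF'
# Constructed sample: only comments, so the defaults apply
# BrowseRemoteProtocols dnssd cups
EOF
printf 'sample config: %s\n' "$(cups_browsed_conf_status "$demo_dir/cups-browsed.conf")"
rm -rf "$demo_dir"

if [ -r /etc/cups/cups-browsed.conf ]; then
    printf '/etc/cups/cups-browsed.conf: %s\n' \
        "$(cups_browsed_conf_status /etc/cups/cups-browsed.conf)"
fi
if udp631_listening; then
    echo "UDP 631 is bound on this host: consider 'systemctl disable --now cups-browsed' or a firewall rule for udp/631"
else
    echo "nothing bound to UDP 631"
fi
```

An "open" result on a host where UDP 631 is also bound is the combination the post describes; "restricted" still depends on the correctness of the allow/deny list, so review those rules rather than treating the word alone as a pass.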

CHESTER SWANSON SR.

Next Trend Realty LLC./wwwHar.com/Chester-Swanson/agent_cbswan

2 months

Great advice.

Bryson Medlock

Threat Intelligence Evangelism Director, CW Cyber Research Unit, OSCP, MAD ATT&CK CTI

2 months

The PoC for exploiting this vulnerability chain was leaked earlier today, so the researcher went ahead and officially disclosed information before a patch was released.
