Multiple Vulnerabilities in Linux CUPS (CVSS 9.9)

Multiple CUPS Vulnerabilities: RCE in Linux CUPS (CVE-2024-47076 / CVE-2024-47175 / CVE-2024-47176 / CVE-2024-47177)

Description:

Several newly disclosed vulnerabilities in the Common UNIX Printing System (CUPS) pose a critical threat to Linux systems. These flaws allow remote attackers to exploit weaknesses in CUPS, potentially leading to unauthorized code execution without user interaction. The flaws affect default configurations, making millions of systems vulnerable if left unpatched.

Odin Dork: services.modules.http.headers.server: “CUPS”

Shodan: server: cups product:”CUPS (IPP)”

Reference: https://github.com/RickdeJager/cupshax

Affected CVEs Brief:

1. CVE-2024-47076:

This affects the libcupsfilters library, where insufficient validation in the cfGetPrinterAttributes5 function allows for malicious IPP attributes to be processed. This opens up the system for RCE when the attacker sends crafted IPP packets.

2. CVE-2024-47175:

This impacts libppd, which is responsible for generating PPD files. Attackers can manipulate IPP attributes to create a malicious PPD file that executes arbitrary code during print job initialization.

3. CVE-2024-47176:

This targets cups-browsed. The service listens on UDP port 631 and allows any incoming packet to trigger requests to attacker-controlled IPP URLs. When a user initiates a print job, the attacker's code is executed on the target system.

4. CVE-2024-47177:

This affects the foomatic-rip filter used by cups-filters. It enables arbitrary command execution via the PPD parameter FoomaticRIPCommandLine.

Attack Mechanism:

These vulnerabilities allow unauthenticated attackers to send malicious IPP packets, either via the internet or local network, to vulnerable CUPS installations. Attackers can remotely control printers and execute arbitrary code. In particular, CVE-2024-47176, which targets the cups-browsed service, is notable for its widespread impact, as it listens on UDP port 631 and automatically connects to malicious URLs.

Business Impact:

Exploiting these vulnerabilities could have a severe impact on business operations, especially if CUPS is used in a large-scale corporate environment or public printing systems. Potential consequences include:

Full System Compromise:

Attackers could execute arbitrary code, gaining control over the affected Linux system, leading to data theft, unauthorized access, or further lateral movement within the network.

Operational Disruption:

Exploitation of DoS vulnerabilities could result in the unavailability of printing services, affecting business continuity in environments heavily reliant on printing and document management.

Data Breach:

Attackers might gain access to confidential documents or sensitive business data, resulting in compliance violations and legal liabilities.

Mitigation:

1. Disable cups-browsed if it is not needed.

2. Block or restrict UDP port 631 using firewall rules.

3. Update CUPS packages as soon as patches become available.

4. Ensure proper network segmentation to limit exposure.
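
One way to check a host against mitigation steps 1 and 2, as an added example that is not part of the original article: it reports whether cups-browsed is running and whether anything is bound to UDP 631 on a non-loopback address, which is the socket a firewall rule has to cover. The function names and the sample `ss` output are constructed for illustration, and the live check assumes iproute2 `ss` and systemd.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are
# hypothetical; assumes iproute2 `ss` and systemd on the audited host.

# Read `ss -H -lun` output on stdin and print "EXPOSED <addr>" or
# "LOCAL <addr>" for every UDP socket bound to port 631.
classify_udp631() {
    awk '{
        addr = ""
        # First field containing ":" is Local Address:Port, with or
        # without a leading Netid column.
        for (i = 1; i <= NF; i++) if (index($i, ":")) { addr = $i; break }
        if (addr !~ /:631$/) next
        host = substr(addr, 1, length(addr) - 4)   # strip ":631"
        if (host ~ /^127\./ || host == "[::1]") print "LOCAL " host
        else print "EXPOSED " host
    }'
}

# audit_cups_browsed <state>, with ss output on stdin. <state> is what
# `systemctl is-active cups-browsed` printed. Returns 1 if action is needed.
audit_cups_browsed() {
    state=$1; rc=0
    findings=$(classify_udp631)
    case "$state" in
        active|activating|reloading)
            echo "FAIL step 1: cups-browsed is running (state=$state)"; rc=1 ;;
        *)  echo "OK   step 1: cups-browsed is not running (state=$state)" ;;
    esac
    case "$findings" in
        *EXPOSED*)
            echo "WARN step 2: UDP 631 is bound on a non-loopback address; a firewall rule must cover it"
            echo "$findings" | sed 's/^/       /'; rc=1 ;;
        *)  echo "OK   step 2: no non-loopback UDP 631 listener" ;;
    esac
    return "$rc"
}

# Live check on the current host; call it explicitly.
audit_live() {
    ss -H -lun | audit_cups_browsed "$(systemctl is-active cups-browsed 2>/dev/null)"
}

# Constructed sample of `ss -H -lun` output so the script runs offline.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 [::1]:631 [::]:*'
printf '%s\n' "$SAMPLE_SS" | audit_cups_browsed active || true
```

A clean result for step 2 only means no listener was found; it does not confirm that a firewall rule is in place.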

Resource: https://medium.com/@ajaynaikhack/vulnerability-multiple-vulnerabilities-in-linux-cups-cvss-9-9-49dbdcd73cb0

Thanks, everyone, for reading.

Enjoy Happy Ethical Hacking!

Support me if you like my work!

Buy me a coffee & Follow me on https://medium.com/@ajaynaikhack & https://www.dhirubhai.net/in/ajay-naik-262597181/
