RCE Zero Day Vulnerabilities in CUPS Put Linux Systems at Risk
A new series of vulnerabilities in the Common Unix Printing System (CUPS) threatens numerous Linux systems, potentially allowing remote code execution (RCE). This affects a wide range of platforms, including Debian, Red Hat, SUSE and macOS.
The vulnerabilities—tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177—are believed to endanger over 76,000 devices, with estimates suggesting up to 300,000 could be affected.
Here is a detailed breakdown of the vulnerabilities, their causes, and the implications for affected systems.
Key Vulnerabilities and Risk Analysis
CVE-2024-47076
Affected version – libcupsfilters <= 2.1b1
Severity:?High CVSSv3.0?:?Base Score: 8.6 High Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Exploit available in public: No Exploit complexity: Low
This vulnerability stems from improper input validation in the libcupsfilters library. An attacker can send malformed data to interact with and compromise the CUPS system.
CVE-2024-47175
Affected Versions – libppd <= 2.1b1
Severity:?High CVSSv3.0?:?Base Score: 8.6 High Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Exploit available in public: No Exploit complexity: High
This flaw is due to insufficient input verification in the libppd library, allowing unverified data to be written into PPD files, leading to possible malicious injection.
CVE-2024-47176
Affected Versions – cups-browsed <= 2.0.1
Severity:?High CVSSv3.0?:?Base Score: 8.4 High Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploit available in public: No Exploit complexity: Low
Involves a weakness in the cups-browsed service, which listens on UDP port 631. An unauthenticated attacker can send special packets to a controlled URL to execute arbitrary commands.
The failure to adequately restrict access to this port increases the risk of exploitation, particularly when services are exposed to the internet or untrusted networks.
CVE-2024-47177
Affected Versions – cups-filters <= 2.0.1
Severity:?High CVSSv3.0?:?Base Score: 9.1 Critical Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploit available in public: No Exploit complexity: Low
A command injection vulnerability in the cups-filters library allows attackers to use the FoomaticRIPCommandLine parameter to execute any command on the target system.
Exploitation Path – RCE Attack Chain in CUPS
The attack chain begins with CVE-2024-47176, where an attacker exploits a vulnerability in the cups-browsed service, causing it to accept requests from any network interface. This allows the attacker to register a rogue printer on the victim’s system.
Next, the attacker leverages CVE-2024-47076 to inject harmful printer attributes into the print server through libcupsfilters, altering how the server processes print jobs.
Following that, CVE-2024-47175 is exploited in libppd, allowing the attacker to introduce a malicious PostScript Printer Description (PPD) file. This file includes specific settings that permit the execution of arbitrary commands.
领英推荐
Finally, the attacker takes advantage of CVE-2024-47177, a command injection vulnerability in cups-filters, allowing them to execute the malicious code when the victim triggers a print job to the rogue printer.
How to Check If Your System is Vulnerable?
Users can check the status of the cups-browsed service using the command:
systemctl status cups-browsed
If it shows “Active: inactive (dead),” the system is not affected. If it’s “running” or “enabled,” the system may be at risk.
Mitigation Strategies
Red Hat Mitigation
Stopping CUPS Services – To quickly stop the cups-browsed service, run this command:
sudo systemctl stop cups-browsed
To prevent the cups-browsed service from starting on reboot, execute:
sudo systemctl disable cups-browsed
Debian Mitigation
Server Environments – For servers, stop and remove the cups-browsed package to mitigate risks.
Client/Desktop Systems – For client or desktop systems, remove cups from the BrowseRemoteProtocols line in the /etc/cups/cups-browsed.conf file and restart the cups-browsed service.
Ubuntu Upgrade Instructions
To correct the identified vulnerabilities, update your system to the following package versions:
Ubuntu 22.04
Ubuntu 20.04
A regular system update will apply all the required changes.
Temporary Protection
If immediate upgrades are not feasible, consider the following temporary measures:
Recommendations
Stay tuned for more relevant and interesting security articles. Follow Indusface on?Facebook,?Twitter, and?LinkedIn.
This blog was originally published at https://www.indusface.com on October 01, 2024.