RCE Zero Day Vulnerabilities in CUPS Put Linux Systems at Risk

RCE Zero Day Vulnerabilities in CUPS Put Linux Systems at Risk

A new series of vulnerabilities in the Common Unix Printing System (CUPS) threatens numerous Linux systems, potentially allowing remote code execution (RCE). This affects a wide range of platforms, including Debian, Red Hat, SUSE and macOS.

The vulnerabilities—tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177—are believed to endanger over 76,000 devices, with estimates suggesting up to 300,000 could be affected.

Here is a detailed breakdown of the vulnerabilities, their causes, and the implications for affected systems.

Key Vulnerabilities and Risk Analysis

CVE-2024-47076

Affected version – libcupsfilters <= 2.1b1

Severity:?High CVSSv3.0?:?Base Score: 8.6 High Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Exploit available in public: No Exploit complexity: Low

This vulnerability stems from improper input validation in the libcupsfilters library. An attacker can send malformed data to interact with and compromise the CUPS system.

CVE-2024-47175

Affected Versions – libppd <= 2.1b1

Severity:?High CVSSv3.0?:?Base Score: 8.6 High Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Exploit available in public: No Exploit complexity: High

This flaw is due to insufficient input verification in the libppd library, allowing unverified data to be written into PPD files, leading to possible malicious injection.

CVE-2024-47176

Affected Versions – cups-browsed <= 2.0.1

Severity:?High CVSSv3.0?:?Base Score: 8.4 High Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Exploit available in public: No Exploit complexity: Low

Involves a weakness in the cups-browsed service, which listens on UDP port 631. An unauthenticated attacker can send special packets to a controlled URL to execute arbitrary commands.

The failure to adequately restrict access to this port increases the risk of exploitation, particularly when services are exposed to the internet or untrusted networks.

CVE-2024-47177

Affected Versions – cups-filters <= 2.0.1

Severity:?High CVSSv3.0?:?Base Score: 9.1 Critical Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploit available in public: No Exploit complexity: Low

A command injection vulnerability in the cups-filters library allows attackers to use the FoomaticRIPCommandLine parameter to execute any command on the target system.

Exploitation Path – RCE Attack Chain in CUPS

The attack chain begins with CVE-2024-47176, where an attacker exploits a vulnerability in the cups-browsed service, causing it to accept requests from any network interface. This allows the attacker to register a rogue printer on the victim’s system.

Next, the attacker leverages CVE-2024-47076 to inject harmful printer attributes into the print server through libcupsfilters, altering how the server processes print jobs.

Following that, CVE-2024-47175 is exploited in libppd, allowing the attacker to introduce a malicious PostScript Printer Description (PPD) file. This file includes specific settings that permit the execution of arbitrary commands.

Finally, the attacker takes advantage of CVE-2024-47177, a command injection vulnerability in cups-filters, allowing them to execute the malicious code when the victim triggers a print job to the rogue printer.

How to Check If Your System is Vulnerable?

Users can check the status of the cups-browsed service using the command:

systemctl status cups-browsed        

If it shows “Active: inactive (dead),” the system is not affected. If it’s “running” or “enabled,” the system may be at risk.

Mitigation Strategies

Red Hat Mitigation

Stopping CUPS Services – To quickly stop the cups-browsed service, run this command:

sudo systemctl stop cups-browsed        

To prevent the cups-browsed service from starting on reboot, execute:

sudo systemctl disable cups-browsed        

Debian Mitigation

Server Environments – For servers, stop and remove the cups-browsed package to mitigate risks.

Client/Desktop Systems – For client or desktop systems, remove cups from the BrowseRemoteProtocols line in the /etc/cups/cups-browsed.conf file and restart the cups-browsed service.

Ubuntu Upgrade Instructions

To correct the identified vulnerabilities, update your system to the following package versions:

Ubuntu 22.04

  • cups-browsed: 1.28.15-0ubuntu1.3
  • cups-filters: 1.28.15-0ubuntu1.3

Ubuntu 20.04

  • cups-browsed: 1.27.4-1ubuntu0.3
  • cups-filters: 1.27.4-1ubuntu0.3

A regular system update will apply all the required changes.

Temporary Protection

If immediate upgrades are not feasible, consider the following temporary measures:

  • Set up cups-browsed (default port 631) to block incoming UDP packets or limit access using a whitelist.
  • If printing services are not required, disable the cups-browsed process altogether.

Recommendations

  • Use the Latest Version: Always use the latest stable version of CUPS. Updates often contain important security patches that mitigate newly discovered vulnerabilities.
  • Implement Backup and Recovery: Regularly back up CUPS configuration files and logs. In the event of a security incident, this allows for quicker recovery and forensic analysis.
  • Compliance Checks: Ensure compliance with relevant security frameworks (e.g., NIST, ISO 27001) to enhance security posture around printing systems. Check out our detailed blog on how compliance standards drive security.


Stay tuned for more relevant and interesting security articles. Follow Indusface on?Facebook,?Twitter, and?LinkedIn.

This blog was originally published at https://www.indusface.com on October 01, 2024.

要查看或添加评论,请登录

社区洞察

其他会员也浏览了