Severe RCE flaw in CUPS on GNU/Linux systems awaits full disclosure

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs .

This week: A newly discovered, severe RCE flaw in the CUPS print server is impacting GNU/Linux systems. Also: North Korean APT Citrine Sleet poisons PyPI packages with Mac and Linux malware.

This Week’s Top Story

Severe unauthenticated RCE flaw in CUPS on GNU/Linux systems awaits full disclosure

Security researcher Simone Margaritelli has discovered a critical security vulnerability affecting all GNU/Linux systems that allows for unauthenticated remote code execution (RCE). The cybersecurity firms Canonical and Red Hat have confirmed the flaw’s severity with a CVSS score of 9.9 out of 10. Margaritelli disclosed the vulnerability three weeks ago, but withheld details of it to allow developers the time they needed to address the issue.?

Despite the grace period, developers have found no working fix for the vulnerability and have worked with Margaritelli to establish a disclosure timeline, setting October 6 as the date on which the vulnerability will be publicly disclosed.?

As that date approaches, however, cracks in the process are appearing. As of this past Wednesday, the vulnerability still had not been assigned a Common Vulnerabilities and Exposures (CVE) identifier by a CVE Number Authority (CNA). The delay underscores? concerns about the effectiveness of the National Vulnerability Database (NVD), as well as difficulties within the cybersecurity community in coordinating vulnerability detection and mitigation efforts.?

For example, prior to being identified, security researchers and developers were in disagreement over how strong of an impact this vulnerability will have, which likely contributed to the delays in identifying the vulnerability, and the existing delay in finding a fix for it. There have been instances in the past of vulnerabilities reported and identified as high severity, when in reality they were found to be more difficult to exploit than initially thought – ultimately lowering their severity rating.?

As of September 26, details were released regarding the vulnerability’s CVE identifiers and its greater impact. The CVEs are being tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, and are believed to be impacting CUPS, a popular print server, across a range of operating systems, including Linux and BSD variants, Oracle Solaris, and Google Chrome. It has been confirmed by researchers that if exploited, attackers could remotely take control of targeted systems.?

Margaritelli noted in a blog post how an attacker could abuse the vulnerability to replace an existing printer’s Internet Printing Protocol (IPP) URLs or install new, malicious ones. Margaritelli also posted a proof of concept for CVE-2024-47176, now available on GitHub . As of now, there is no patch for this vulnerability across Linux systems, leaving organizations exposed to this threat. (Security Online )

This Week’s Headlines

Citrine Sleet poisons PyPI packages with Mac & Linux malware

North Korean-backed APT Gleaming Pisces (aka Citrine Sleet) has been hiding remote access malware for macOS and Linux inside a handful of PyPI packages. The threat group has been active since 2018, and is well known for being financially motivated in their attacks, which commonly use fake crypto platforms. Palo Alto Networks’ Unit 42 believes with “medium confidence” that Gleaming Pisces was behind this recent malicious campaign, which aims to deliver a remote access trojan (RAT), PondRAT, onto victims’ systems. The malicious packages have been reported to PyPI and have been taken down since. (Dark Reading )

CISA’s Jen Easterly: Makers of insecure software must stop enabling today’s cyber villains

Jen Easterly , Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), spoke at Mandiant’s mWise conference about the importance of calling out software producers that ship out products containing bugs, insecure code, and vulnerabilities. Cyber criminals can abuse these security lapses to carry out consequential software supply chain attacks, making this call out imperative, Easterly noted. In her keynote, she shared that “technology vendors are the characters who are building problems” into their products, which then “open the doors for villains to attack their victims.” Easterly also called out the implications of naming security lapses “software vulnerabilities,” suggesting that they should instead be called “product defects,” because the former is too lenient, she noted. (The Register )?

Supply chain attacks in the UK: Reducing risk and preparing for upcoming legal challenges

Attorneys from global firm Ogletree Deakins are emphasizing the growing responsibilities of organizations relying on third-parties to ensure that all of their software supply chains – not just internal ones – are vetted and secure. The authors stress that securing an organization’s cybersecurity practices isn’t enough to protect the company from cybercrime and legal consequences. This is because of the enterprise’s growing reliance on third-parties to conduct business, making the enterprise more vulnerable to external cyber threats. The attorneys recommend that enterprises take action to properly vet and secure their supply chains, including those connected to third-parties, in order to best protect themselves from legal consequences and software supply chain attacks. (The National Law Review )??

Moving DevOps security out of the ‘stone age’

Rob Lemos argues in this article for Dark Reading that software developers need to do more than scan code and vet software components, and operations teams should similarly do more than just defend the deployment pipeline. By gaining an integrated view of the entire DevOps pipeline, from development to application deployment, enterprises can have a greater understanding of where security risks lie and how to best mitigate them. Lemos points out that having this integrated view into software’s entire timeline will give enterprises greater control over the software’s components - from open source libraries used, to third-party tools, to cloud infrastructure and storage platforms essential to the software’s functionality. (Dark Reading )?

ChatGPT macOS flaw could’ve enabled long-term spyware via memory function

A now-patched security vulnerability in OpenAI's ChatGPT app for macOS could have made it possible for attackers to plant long-term persistent spyware into the artificial intelligence (AI) tool's memory. The technique, dubbed SpAIware, could be abused to facilitate "continuous data exfiltration of any information the user typed or responses received by ChatGPT, including any future chat sessions," security researcher Johann Rehberger noted. The technique abuses a feature within ChatGPT called “memory,” which allows the AI service to remember certain things across chats, so that it saves users the effort of repeating the same information when they need it. The technique also uses indirect prompt injection to manipulate memories, allowing it to remember malicious instructions between various conversations. (The Hacker News )

Critical NVIDIA container bug is an ‘old school’ risk to AI workloads

NVIDIA has patched a critical vulnerability in its widely used Container Toolkit, reported by Wiz. The bug, allocated CVE-2024-0132, lets an attacker ultimately take over a host system with full root privileges. Wiz noted that the bug highlights the extent to which “‘old-school’ infrastructure vulnerabilities in the ever-growing AI tech stack remain the immediate risk that security teams should prioritize.” Exploitation of the vulnerability starts with a malicious container image that an attacker would need to craft and somehow run or get someone to run on the target platform. Attackers can pull this off via social engineering or a supply chain attack, but could also gain direct access by using a service that allows shared GPU resources, Wiz noted. (The Stack )

Looking for more insights on software supply chain security? Head to the RL Blog .?

The Best of RL

Webinar | Threat Research Round-Up

October 3 at 11 am ET

RL’s Threat Research team digs deep into open source as well as proprietary and commercial software to identify new threats and attacks. Join this live conversation with host Paul F. Roberts and researchers Karlo Zanki and Lucija Valenti? to hear about recent malicious campaigns discovered on NuGet and npm, plus a scam targeting developers with phony job interviews that deliver malicious code packages. [Register Here ]?

Looking for more great conversations to watch? See RL’s on-demand webinar library .?

Blog | ‘Good, fast, cheap... Pick two’: Software quality dilemma forces risky decisions

When developing software there are three options: good, fast, and cheap. But you can only pick two. Here's what that reality means for commercial software risk. [Read Here ]?

Blog | Modernize your chaos engineering with commercial software transparency

By leveraging modern supply chain security, you can develop better chaos engineering with deeper visibility into all software. Here are key considerations. [Read Here ]?