Threat Insight

Critical Unauthenticated RCE Flaws in CUPS Printing Systems

This vulnerability in the CUPS printing system consists of a combination of four different vulnerabilities that together, with the help of some user interaction (a print job has been started), allow an unauthenticated attacker to craft a fake printer and execute malicious code remotely (RCE) on affected systems.

CVE-2024-47076 is a flaw in the libcupsfilters library in which IPP packets are not validated or sanitized. This gives the attacker the ability to send malicious code to the CUPS system.

CVE-2024-47175 affects the libppd library. IPP input data is not properly validated or sanitized before being written to a temporary PostScript Printer Description (PPD) file, which can allow an attacker to inject malicious data.

CVE-2024-47176 affects cups-browsed. According to the blog post from Simone Margaritelli [1], the package allows any packet from any source to be trusted on the IPP port (631). An attacker could send a crafted packet that triggers a Get-Printer-Attributes IPP request, which then reaches out to an attacker-controlled URL.

CVE-2024-47177 impacts the cups-filters library and could allow an attacker to execute arbitrary commands “via the FoomaticRIPCommandLine PPD parameter.”
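The libppd step above (remote IPP attribute values copied into a temporary PPD without validation) is the link in the chain that a defender can reason about most concretely. The following is an added illustrative model written for this advisory, not libppd's or cups-filters' code: an unsafe writer that interpolates the value as-is, beside a hardened writer that rejects control characters and quotes and refuses to derive any keyword that a filter would execute. The PPD keyword names other than FoomaticRIPCommandLine, the 255-character limit and the sample attributes are assumptions made for the example.

```python
import re

# Added illustrative model of the "IPP attributes -> temporary PPD" step.
# It is not libppd's code; keyword names other than FoomaticRIPCommandLine
# and the length limit are assumptions for the example.

PPD_KEYWORD = re.compile(r"[A-Za-z0-9_-]+")

# PPD keywords whose values are *executed* by a filter rather than merely
# displayed. FoomaticRIPCommandLine is the one named in the advisory; a real
# implementation would extend this set after reviewing its own filters.
EXECUTABLE_KEYWORDS = {"FoomaticRIPCommandLine"}


class PpdInjectionError(ValueError):
    """Raised when a remote-supplied IPP value cannot be safely written to a PPD."""


def unsafe_ppd_line(keyword: str, value: str) -> str:
    # The vulnerable pattern: the remote string is interpolated verbatim, so a
    # value containing a newline followed by '*Keyword: "..."' adds a keyword of
    # the sender's choosing to the generated PPD.
    return f'*{keyword}: "{value}"\n'


def sanitize_ppd_value(value: str, max_len: int = 255) -> str:
    """Reject anything that could break out of a quoted PPD value."""
    if not isinstance(value, str):
        raise PpdInjectionError("IPP attribute value is not a text string")
    if len(value) > max_len:
        raise PpdInjectionError(f"value longer than {max_len} characters")
    # CR/LF would start a new PPD line; other control characters have no business here.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise PpdInjectionError("control character in value")
    # A double quote would terminate the quoted string early.
    if '"' in value:
        raise PpdInjectionError("double quote in value")
    return value


def safe_ppd_line(keyword: str, value: str) -> str:
    """Hardened form: validate the keyword, refuse executable keywords, sanitize the value."""
    if not PPD_KEYWORD.fullmatch(keyword):
        raise PpdInjectionError(f"invalid PPD keyword {keyword!r}")
    if keyword in EXECUTABLE_KEYWORDS:
        raise PpdInjectionError(f"refusing to derive {keyword} from remote IPP attributes")
    return f'*{keyword}: "{sanitize_ppd_value(value)}"\n'


def is_rejected(keyword: str, value: str) -> bool:
    """True if the hardened writer refuses this keyword/value pair."""
    try:
        safe_ppd_line(keyword, value)
    except PpdInjectionError:
        return True
    return False


def build_ppd(attrs: dict) -> str:
    """Build a minimal PPD body from already-decoded IPP attribute name/value pairs."""
    lines = ['*PPD-Adobe: "4.3"\n']
    for keyword, value in attrs.items():
        lines.append(safe_ppd_line(keyword, value))
    return "".join(lines)


def ppd_keywords(ppd_text: str) -> list:
    """List the keywords a PPD parser would see; shows the effect of injection."""
    return re.findall(r"^\*([A-Za-z0-9_-]+):", ppd_text, flags=re.MULTILINE)


# Constructed sample: a benign printer description plus one attribute value that
# smuggles an extra PPD line (the injected keyword here is a harmless placeholder).
BENIGN_ATTRS = {"ModelName": "Example LaserJet", "NickName": "Office Printer"}
INJECTED_VALUE = 'Example LaserJet"\n*Foo: "bar'

if __name__ == "__main__":
    print(ppd_keywords(unsafe_ppd_line("ModelName", INJECTED_VALUE)))  # ['ModelName', 'Foo']
    print(build_ppd(BENIGN_ATTRS))
```

The point of the contrast is that the unsafe writer turns one attribute into two PPD keywords, while the hardened writer raises on the same input and also refuses FoomaticRIPCommandLine outright, regardless of its value, because no remote printer should be able to dictate what the local filter executes.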

CVE

CVE-2024-47176 (cups-browsed)
CVE-2024-47076 (libcupsfilters)
CVE-2024-47175 (libppd)
CVE-2024-47177 (cups-filters)

Affected Products

Most GNU/Linux distributions, some BSD systems, Google Chromium/ChromeOS, and potentially Oracle Solaris [2][3][4][5].

More specifically the vulnerabilities affect the following software versions:

CVE-2024-47176: cups-browsed ≤ 2.0.1
CVE-2024-47076: libcupsfilters ≤ 2.1b1
CVE-2024-47175: libppd ≤ 2.1b1
CVE-2024-47177: cups-filters ≤ 2.0.1

Exploitation

Proof-of-concept code is publicly available [6].

Mitigation

1. Disable and remove the cups-browsed service if it is not deemed to be a critical component.
2. If it is deemed to be a critical component, update the CUPS packages on your systems.
3. If it is not possible to update the CUPS packages and cups-browsed is deemed a critical component, block all traffic to UDP port 631 and possibly all DNS-SD traffic.
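To decide between those three steps, an administrator first needs to know which hosts run affected versions and whether cups-browsed is actually listening for the legacy CUPS browse protocol on UDP/631. The following triage helper is an added example for this advisory, not code from the advisory or from any CUPS project. The version ceilings are the ones in the affected-versions table above; the cups-browsed.conf handling assumes the BrowseRemoteProtocols directive controls the UDP/631 listener (the word "cups" in its value enabling it) and assumes the built-in default is "dnssd cups". One caveat: distribution packages often backport fixes without bumping the upstream version, so a version match identifies hosts to check, not confirmed exposure.

```python
import re

# Added triage helper, not part of the advisory or of any CUPS project code.
# Version ceilings come from the advisory's affected-versions table; the
# cups-browsed.conf handling is an assumption about BrowseRemoteProtocols
# (default assumed to be "dnssd cups").

AFFECTED = {
    "cups-browsed":   ("CVE-2024-47176", "2.0.1"),
    "libcupsfilters": ("CVE-2024-47076", "2.1b1"),
    "libppd":         ("CVE-2024-47175", "2.1b1"),
    "cups-filters":   ("CVE-2024-47177", "2.0.1"),
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:(b|rc)(\d+))?")
_PRERELEASE_RANK = {"b": 0, "rc": 1}


def parse_version(text: str) -> tuple:
    """Turn '2.0.1' or '2.1b1' into a sortable tuple; betas sort before the final release."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version {text!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # 2.1 == 2.1.0
    if m.group(2):
        pre = (_PRERELEASE_RANK[m.group(2)], int(m.group(3)))
    else:
        pre = (9, 0)                         # a final release outranks any pre-release
    return nums + pre


def affected_cves(component: str, version: str) -> list:
    """CVEs from the advisory table that apply to this upstream component version."""
    if component not in AFFECTED:
        return []
    cve, ceiling = AFFECTED[component]
    return [cve] if parse_version(version) <= parse_version(ceiling) else []


def cups_browsed_listens_on_udp631(conf_text: str) -> bool:
    """True if cups-browsed.conf leaves the legacy CUPS browse protocol enabled.

    Assumption: BrowseRemoteProtocols lists the protocols; 'cups' in its value
    means the UDP/631 listener is active; an absent directive means the
    assumed default 'dnssd cups'. Comments and blank lines are ignored.
    """
    protocols = "dnssd cups"
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "browseremoteprotocols":
            protocols = parts[1] if len(parts) > 1 else ""
    return "cups" in protocols.lower().split()


def triage(installed: dict, conf_text: str) -> dict:
    """Summarise which advisory CVEs a host's package versions fall under and whether UDP/631 is open."""
    findings = {"cves": [], "udp631_listener": cups_browsed_listens_on_udp631(conf_text)}
    for component, version in installed.items():
        findings["cves"].extend(affected_cves(component, version))
    return findings


# Constructed sample inventory and configs, not taken from a real host.
SAMPLE_INSTALLED = {"cups-browsed": "2.0.1", "libcupsfilters": "2.1b1",
                    "libppd": "2.1", "cups-filters": "2.0.2"}
SAMPLE_CONF = "# cups-browsed.conf (constructed)\nBrowseRemoteProtocols dnssd cups\nBrowseAllow 192.168.1.0/24\n"
HARDENED_CONF = "BrowseRemoteProtocols dnssd\n"

if __name__ == "__main__":
    print(triage(SAMPLE_INSTALLED, SAMPLE_CONF))
    print(triage(SAMPLE_INSTALLED, HARDENED_CONF))
```

In the sample inventory, only cups-browsed and libcupsfilters fall at or below their ceilings, and the constructed configuration still has the UDP/631 listener on; the hardened configuration drops it, which is the effect step 3 above achieves at the network layer instead.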

Detection

Unexpected traffic on UDP port 631 used by CUPS.
IPP requests directed to unknown or suspicious URLs.
Unauthorized modifications to CUPS configuration files.
Processes spawned by the CUPS service that are not typically associated with printing tasks.
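The four indicators above map onto four telemetry sources: network flows, the printer URLs cups-browsed fetches attributes from, file-write events under /etc/cups, and process-creation events. The following is an added detection example written for this advisory, not code from the advisory or from CUPS; it runs each rule over constructed records so the logic can be checked offline. The trusted network ranges, the internal DNS suffix, the allowlist of CUPS filter and backend names, and the expected config writers are assumptions a deployment would replace with its own. Note that the process rule is deliberately scoped to direct children of cupsd and cups-browsed, since legitimate filters such as foomatic-rip spawn shells of their own one level down.

```python
import ipaddress
from urllib.parse import urlsplit

# Added detection example for this advisory; not code from the advisory or CUPS.
# Network ranges, DNS suffix, process allowlist and config writers are assumptions.

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
TRUSTED_DNS_SUFFIX = ".corp.example"            # assumed internal DNS suffix
CUPS_DAEMONS = {"cupsd", "cups-browsed"}
# Illustrative allowlist of binaries cupsd legitimately spawns (filters and backends).
EXPECTED_CHILDREN = {"pdftopdf", "pdftops", "gstoraster", "rastertopdf", "foomatic-rip", "gs",
                     "bannertopdf", "imagetopdf", "texttopdf", "pstops", "ipp", "usb", "lpd", "socket"}
# Writers expected to touch files under /etc/cups (daemons and package managers).
EXPECTED_CONFIG_WRITERS = {"cupsd", "cups-browsed", "dpkg", "rpm", "apt", "dnf"}


def is_trusted_host(host: str) -> bool:
    """IP literals are judged against the trusted ranges, names against the DNS suffix."""
    try:
        return any(ipaddress.ip_address(host) in net for net in TRUSTED_NETS)
    except ValueError:
        return host.lower().endswith(TRUSTED_DNS_SUFFIX)


def flag_udp_631(flows: list) -> list:
    """Indicator 1: UDP/631 datagrams from sources outside the trusted ranges."""
    return [f for f in flows
            if f["proto"] == "udp" and f["dport"] == 631 and not is_trusted_host(f["src"])]


def flag_printer_urls(urls: list) -> list:
    """Indicator 2: printer URLs cups-browsed was pointed at that resolve outside the estate."""
    flagged = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("ipp", "ipps", "http", "https") or not is_trusted_host(parts.hostname or ""):
            flagged.append(url)
    return flagged


def flag_config_writes(events: list) -> list:
    """Indicator 3: writes under /etc/cups by something other than the expected writers."""
    return [e for e in events
            if e["path"].startswith("/etc/cups/") and e["writer"] not in EXPECTED_CONFIG_WRITERS]


def flag_child_processes(events: list) -> list:
    """Indicator 4: direct children of CUPS daemons that are not known filters or backends."""
    return [e for e in events if e["parent"] in CUPS_DAEMONS and e["comm"] not in EXPECTED_CHILDREN]


def run_detection(flows: list, urls: list, config_events: list, proc_events: list) -> dict:
    return {
        "udp631_from_untrusted": flag_udp_631(flows),
        "untrusted_printer_urls": flag_printer_urls(urls),
        "unexpected_config_writes": flag_config_writes(config_events),
        "unexpected_cups_children": flag_child_processes(proc_events),
    }


# Constructed telemetry (203.0.113.0/24 is the RFC 5737 documentation range).
FLOWS = [
    {"proto": "udp", "src": "192.168.1.20", "dport": 631},
    {"proto": "udp", "src": "203.0.113.9", "dport": 631},
    {"proto": "tcp", "src": "203.0.113.9", "dport": 631},
]
URLS = ["ipp://192.168.1.50:631/printers/office", "http://203.0.113.9:631/printers/unknown"]
CONFIG_EVENTS = [
    {"path": "/etc/cups/printers.conf", "writer": "cupsd"},
    {"path": "/etc/cups/cups-browsed.conf", "writer": "vim"},
]
PROC_EVENTS = [
    {"parent": "cupsd", "comm": "pdftopdf"},
    {"parent": "cupsd", "comm": "foomatic-rip"},
    {"parent": "cupsd", "comm": "sh"},
    {"parent": "sshd", "comm": "bash"},
]

if __name__ == "__main__":
    for name, hits in run_detection(FLOWS, URLS, CONFIG_EVENTS, PROC_EVENTS).items():
        print(f"{name}: {hits}")
```

Each rule flags exactly one of the constructed records. The config-write hit (an editor touching cups-browsed.conf) is the kind of finding that needs an analyst to confirm it was an administrator, so these rules are best treated as triage signals to correlate, not as standalone alerts.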

References

  1. https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I
  2. https://pkgs.org/download/cups-browsed
  3. https://docs.freebsd.org/en/articles/cups
  4. https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/third_party/chromiumos-overlay/net-print/;bpv=1
  5. https://docs.oracle.com/cd/E23824_01/html/821-1451/cups-intro.html
  6. https://github.com/RickdeJager/cupshax/tree/main