Critical Unpatched Vulnerabilities in CUPS Open-Source Printing System Risk Linux Systems

September 27, 2024

Security researcher Simone Margaritelli, known as @evilsocket, has published technical details of a still-unpatched vulnerability chain affecting Linux systems. On September 23, Margaritelli announced that he would disclose an unauthenticated remote code execution (RCE) vulnerability affecting all GNU/Linux systems within a fortnight; the issue was described as critical and had been given a CVSS score of 9.9. Margaritelli also voiced frustration with the responsible disclosure process, pointing out that at that point no CVE had been allocated and nobody was addressing the issue. He said, “Devs are still arguing about whether or not some of the issues have a security impact. I’ve spent the last 3 weeks of my sabbatical working full time on this research, reporting, coordination and so on with the sole purpose of helping and pretty much only got patronized because the devs just can’t accept that their code is crap – responsible disclosure: no more.”

Margaritelli disclosed four vulnerabilities, designated CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, in the CUPS (Common UNIX Printing System) open-source printing system and its companion packages. They concern, respectively, missing validation of IPP attributes fetched from a printer (libcupsfilters), missing validation of those same attributes when they are written into a PPD file (libppd), cups-browsed trusting any packet it receives on UDP port 631, and arbitrary command execution through the foomatic-rip filter via a PPD parameter (cups-filters). The researcher explained, “A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer).”

Red Hat issued a warning that these vulnerabilities, when combined, could lead to remote code execution, potentially resulting in data theft or damage to vital production systems. The advisory from Red Hat stated, “By chaining this group of vulnerabilities together, an attacker could potentially achieve remote code execution which could then lead to theft of sensitive data and/or damage to critical production systems.” They rated the vulnerabilities as important, noting that they do not affect default configurations.

Red Hat describes the preconditions for exploitation as a specific sequence. First, the cups-browsed service must have been manually enabled or started on the target, since it is not running under the default configuration. Second, the attacker must be able to reach the vulnerable host over the network, either because it is exposed without restriction (for example to the public internet) or because the attacker is already on an internal network where local connections are trusted. No prior access to the system itself is required: from that network position the attacker advertises a malicious IPP server, which tricks cups-browsed into provisioning a malicious printer on the victim. When a print job is sent to that printer from the victim machine, the attacker's commands are executed on it, potentially leading to a full system compromise.

At the time of writing these vulnerabilities have not been patched, and according to Margaritelli the CUPS developers have acknowledged that they cannot be easily fixed. As a temporary mitigation, users can run two commands (as root) to stop the vulnerable service and prevent it from starting again after a reboot: "systemctl stop cups-browsed" followed by "systemctl disable cups-browsed". Blocking all inbound traffic to UDP port 631 and, where it is not otherwise needed, DNS-SD (mDNS) traffic also mitigates the attack.
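The preconditions and mitigations above can be turned into a small host check. The script below is an added example written for this page; it is not code from the article, from Red Hat, or from the CUPS project. It reads a cups-browsed.conf, reports whether the legacy CUPS browse protocol (the setting under which cups-browsed accepts advertisements on UDP 631) is still enabled, rewrites the file to switch that off, and, only when invoked with --apply, runs the stop/disable and firewall steps. It assumes a systemd host with iptables, the stock /etc/cups/cups-browsed.conf location, and that an absent BrowseRemoteProtocols directive means the shipped default of "dnssd cups"; paths are parameters so the check runs against a constructed sample file without touching the host.

```shell
#!/bin/sh
# Added example (not from the article, Red Hat, or the CUPS project).
# Assess and reduce cups-browsed exposure to the CVE-2024-47176 attack chain.

# Print the effective BrowseRemoteProtocols value from a cups-browsed.conf.
# Commented lines are ignored and the last active directive wins. When the
# directive is absent we assume the shipped default "dnssd cups" (assumption:
# the packaged config ships with that line commented out).
browse_remote_protocols() {
    conf="$1"
    value=$(awk 'tolower($1) == "browseremoteprotocols" { $1 = ""; v = $0 }
                 END { print v }' "$conf" 2>/dev/null || true)
    # Clearing $1 leaves a leading space; trim it and lower-case for matching.
    value=$(printf '%s' "$value" | sed 's/^[[:space:]]*//' | tr 'A-Z' 'a-z')
    [ -n "$value" ] || value="dnssd cups"
    printf '%s\n' "$value"
}

# Return 0 when the legacy "cups" protocol is enabled (cups-browsed will accept
# printer advertisements arriving on UDP 631 from any host), 1 otherwise.
cups_browsed_udp631_enabled() {
    case " $(browse_remote_protocols "$1") " in
        *" cups "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Comment out every active BrowseRemoteProtocols line and append an explicit
# "none", so neither legacy CUPS nor DNS-SD advertisements create queues.
# This complements, and does not replace, stopping the daemon.
harden_cups_browsed_conf() {
    conf="$1"
    tmp="$conf.tmp.$$"
    [ -f "$conf" ] || : > "$conf"
    awk 'tolower($1) == "browseremoteprotocols" { print "# " $0; next } { print }' \
        "$conf" > "$tmp" &&
    printf 'BrowseRemoteProtocols none\n' >> "$tmp" &&
    mv "$tmp" "$conf"
}

# Apply the host-level mitigations the article describes. Needs root; assumes
# systemd and iptables (adjust for nftables or firewalld). Not run by default.
mitigate() {
    harden_cups_browsed_conf "$1"
    if command -v systemctl >/dev/null 2>&1; then
        systemctl stop cups-browsed
        systemctl disable cups-browsed
    fi
    if command -v iptables >/dev/null 2>&1; then
        iptables -I INPUT -p udp --dport 631 -j DROP
        # DNS-SD rides on mDNS; block it only if nothing else on the host needs it:
        # iptables -I INPUT -p udp --dport 5353 -j DROP
    fi
}

if [ "${1:-}" = "--apply" ]; then
    mitigate "${2:-/etc/cups/cups-browsed.conf}"
else
    # Demonstration against a constructed sample config (not a real host's file)
    # that mirrors the shipped default: the directive is present but commented.
    demo_conf=$(mktemp)
    printf '%s\n' '# cups-browsed.conf (constructed sample)' \
                  '# BrowseRemoteProtocols dnssd cups' > "$demo_conf"
    if cups_browsed_udp631_enabled "$demo_conf"; then
        echo "before: legacy CUPS browsing enabled ($(browse_remote_protocols "$demo_conf"))"
    fi
    harden_cups_browsed_conf "$demo_conf"
    if cups_browsed_udp631_enabled "$demo_conf"; then
        echo "after: still enabled, check the config by hand"
    else
        echo "after: BrowseRemoteProtocols = $(browse_remote_protocols "$demo_conf")"
    fi
    rm -f "$demo_conf"
fi
```

Run it without arguments to see the check and rewrite exercised on the sample file; run it as root with --apply (and optionally a config path) to harden a real host. The config rewrite is deliberately the last line of defence here: the article's primary mitigation is stopping and disabling cups-browsed, which mitigate does first.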
