Qualys Inc.

09/26/2024 | News release | Distributed by Public on 09/26/2024 16:57

Critical Unauthenticated RCE Flaws in CUPS Printing Systems

A critical set of unauthenticated Remote Code Execution (RCE) vulnerabilities in CUPS, affecting all GNU/Linux systems and potentially others, was disclosed today. These vulnerabilities allow a remote attacker to execute arbitrary code on a target system without valid credentials or prior access. Major organizations like Canonical and Red Hat have confirmed this flaw, assigning it a high severity with a CVSS score of 9.9 out of 10.

Based on the Qualys Threat Research Unit's analysis, there are more than 75k publicly exposed assets. The large majority of these were found on the default IPP port 631, and of those, more than 42k publicly exposed assets accept unauthenticated connections.

The Qualys research team is closely tracking the vulnerability and will release QIDs to detect these vulnerabilities later this evening Pacific time.

What Is CUPS?

CUPS (Common Unix Printing System) is the standard printing system for many Unix-like operating systems, such as GNU/Linux distributions and macOS. While it's commonly included, CUPS may not be enabled by default on all systems, such as Red Hat. When activated, it allows a computer to function as a print server, managing print jobs and queues and supporting network printing through the Internet Printing Protocol (IPP).

Here are the affected versions:

  • CVE-2024-47176: cups-browsed ≤ 2.0.1
  • CVE-2024-47076: libcupsfilters ≤ 2.1b1
  • CVE-2024-47175: libppd ≤ 2.1b1
  • CVE-2024-47177: cups-filters ≤ 2.0.1

The Vulnerabilities in the CUPS Printing System

The vulnerabilities in CUPS involve multiple components of the CUPS printing system:

  • CVE-2024-47176: In cups-browsed versions up to 2.0.1, the service binds to UDP INADDR_ANY on port 631 and trusts any packet from any source. This behavior can trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
  • CVE-2024-47076: In libcupsfilters versions up to 2.1b1, the function cfGetPrinterAttributes5 fails to validate or sanitize IPP attributes returned from an IPP server. This oversight allows attacker-controlled data to interact with the rest of the CUPS system.
  • CVE-2024-47175: In libppd versions up to 2.1b1, the function ppdCreatePPDFromIPP2 does not validate or sanitize IPP attributes when writing them to a temporary PPD file. This flaw permits the injection of attacker-controlled data into the resulting PPD file.
  • CVE-2024-47177: In cups-filters versions up to 2.0.1, foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.

cups-browsed, the component affected by CVE-2024-47176, is widely deployed across UNIX systems, including GNU/Linux distributions, select BSDs, potentially Oracle Solaris, and Google Chromium/ChromeOS. Whether it is enabled by default varies from system to system.

These vulnerabilities enable a remote, unauthenticated attacker to silently replace the IPP URLs of existing printers with malicious ones, so that arbitrary commands execute on the affected computer when a print job is started. Over the public Internet, an attacker can trigger this by sending a specially crafted UDP packet to port 631, without any authentication. On the local network, spoofed zeroconf, mDNS, or DNS-SD advertisements achieve the same exploit path, leading to remote code execution.
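Because the Internet-facing path starts with an unsolicited UDP datagram to port 631, a firewall log of that traffic is the simplest early signal a defender has. The script below is an added example, not code from the Qualys post; it assumes a netfilter logging rule with the prefix "CUPS-UDP: " (for instance `nft add rule inet filter input udp dport 631 log prefix "CUPS-UDP: "`) writing lines in the kernel's standard KEY=VALUE LOG format, and the sample lines are constructed with documentation addresses:

```shell
#!/bin/sh
# Added example (not from the Qualys post): triage netfilter LOG lines for
# inbound UDP datagrams to port 631 that come from outside private address
# space. Assumes a logging rule such as
#   nft add rule inet filter input udp dport 631 log prefix "CUPS-UDP: "
# (assumption; adapt to your firewall) and the kernel's KEY=VALUE LOG format.

# Print "SRC DST" for every UDP packet to destination port 631 whose source
# is not RFC 1918, loopback or link-local. Reads log lines from stdin.
external_udp631_hits() {
  awk '
    {
      proto = ""; dpt = ""; src = ""; dst = ""
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue
        if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
        else if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DST") dst = kv[2]
      }
      if (proto != "UDP" || dpt != "631") next
      # internal sources (printers, zeroconf peers) are expected; skip them here
      if (src ~ /^(10|127)\./ || src ~ /^192\.168\./ || src ~ /^169\.254\./) next
      if (src ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
      print src, dst
    }'
}

# Count hits per external source, most active first.
hits_per_source() {
  external_udp631_hits | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG='Sep 26 15:02:11 host kernel: CUPS-UDP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=120 TTL=52 PROTO=UDP SPT=40000 DPT=631 LEN=100
Sep 26 15:02:12 host kernel: CUPS-UDP: IN=eth0 OUT= SRC=192.168.1.15 DST=192.168.1.20 LEN=120 TTL=64 PROTO=UDP SPT=631 DPT=631 LEN=100
Sep 26 15:02:13 host kernel: CUPS-UDP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=60 TTL=52 PROTO=TCP SPT=5555 DPT=631 WINDOW=1024
Sep 26 15:02:14 host kernel: CUPS-UDP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=120 TTL=52 PROTO=UDP SPT=40001 DPT=631 LEN=100'

# Stand-alone run over the constructed sample; on a real host feed
# `journalctl -k` or /var/log/kern.log into hits_per_source instead.
printf '%s\n' "$SAMPLE_LOG" | hits_per_source
```

The TCP line and the 192.168.x line are deliberately ignored: the exploit path described above is UDP, and internal sources are normal for a print server that participates in zeroconf. Any external source that shows up here is a host worth blocking and investigating, and a sudden rise in the count is the signal to watch for.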

Exploitation involves sending a malicious UDP packet to port 631 on the target, directing it to an attacker-controlled IPP server. The system's cups-browsed service then connects back, fetching printer attributes, which include malicious PPD directives. When a print job starts, these directives execute, allowing the attacker's code to run on the target system.

Mitigation Steps:

  • Disable cups-browsed: Stop and disable the service if not needed.
  • Network Mitigation: Use firewall rules to block incoming traffic on UDP port 631 and, if necessary, restrict or disable mDNS/DNS-SD services.
  • Update CUPS Packages: Install security updates for CUPS and related components from your distribution as soon as updates are available.
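One way to turn the three steps above into a repeatable check on a systemd host, as an added example that is not code from Qualys or the CUPS project: the script reads an `ss -lunp` socket listing to tell whether a UDP 631 socket is bound to a wildcard address (cups-browsed's INADDR_ANY bind), names the owning process, and only when run with `--apply` stops and masks cups-browsed and adds an nftables drop rule. The `systemctl` and `nft` invocations are assumptions about a systemd plus nftables host, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the Qualys post or the CUPS project): check whether
# this host exposes a UDP 631 listener (cups-browsed binds INADDR_ANY:631) and,
# only when run with --apply, carry out the interim mitigations listed above.
# systemctl/nft usage is an assumption about a systemd + nftables host.

# Return 0 if an `ss -lunp` listing on stdin shows a UDP socket bound to port 631
# on a wildcard address (0.0.0.0, [::] or *), i.e. reachable from any interface.
udp631_wildcard_bind() {
  awk '$1 == "UNCONN" && $4 ~ /^(0\.0\.0\.0|\[::\]|\*):631$/ { found = 1 }
       END { exit(found ? 0 : 1) }'
}

# Print the process name owning each UDP 631 socket in the listing, e.g. cups-browsed.
# (ss only fills the Process column when run as root.)
udp631_owner() {
  awk '$1 == "UNCONN" && $4 ~ /:631$/ && match($0, /\("[^"]+"/) {
         print substr($0, RSTART + 2, RLENGTH - 3)
       }'
}

check_exposure() {
  listing=$(ss -lunp 2>/dev/null) || { echo "ss(8) not available"; return 2; }
  if printf '%s\n' "$listing" | udp631_wildcard_bind; then
    echo "EXPOSED: UDP 631 bound on all interfaces by: $(printf '%s\n' "$listing" | udp631_owner)"
    return 0
  fi
  echo "no wildcard UDP 631 listener found"
  return 1
}

apply_mitigations() {
  # 1. Disable cups-browsed: stop it and mask the unit so nothing re-enables it.
  systemctl stop cups-browsed.service
  systemctl mask cups-browsed.service
  # 2. Network mitigation: drop inbound UDP 631 in a dedicated nftables table
  #    (`add` is idempotent for tables and chains, so re-running is safe).
  nft add table inet cups_mitigation
  nft add chain inet cups_mitigation input '{ type filter hook input priority 0 ; policy accept ; }'
  nft add rule inet cups_mitigation input udp dport 631 drop
  # 3. Update CUPS packages: not automated here; apply your distribution's
  #    updates once they are published, then re-run --check.
}

# Constructed `ss -lunp` output for the stand-alone demonstration below.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0           0.0.0.0:631       0.0.0.0:*     users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0         127.0.0.1:323       0.0.0.0:*     users:(("chronyd",pid=800,fd=5))'

case "${1:-demo}" in
  --check) check_exposure ;;
  --apply) check_exposure; apply_mitigations ;;
  demo)    printf '%s\n' "$SAMPLE_SS" | udp631_wildcard_bind \
             && echo "sample host is exposed via $(printf '%s\n' "$SAMPLE_SS" | udp631_owner)" ;;
esac
```

Run it with `--check` (as root, so the Process column is populated) across a fleet to find hosts that still answer on all interfaces, and with `--apply` only on hosts that do not need cups-browsed's printer discovery; a bind to 127.0.0.1:631 is reported by the owner lookup but not flagged as exposed, since the vulnerability's remote reach depends on the wildcard bind. Blocking UDP 5353 (mDNS/DNS-SD) is left to local policy, as the post notes, because it also breaks legitimate discovery.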

Why Is This Important?

  • Widespread Impact: Since GNU/Linux systems are widely used in enterprise servers, cloud infrastructure, and critical applications, the vulnerability has a broad attack surface and potentially affects a vast number of servers, desktops, and embedded devices worldwide.
  • High Severity and Ease of Exploitation:
    • Unauthenticated Access: Attackers do not need valid credentials to exploit the vulnerability.
    • Remote Code Execution: The vulnerability allows attackers to execute arbitrary code, potentially gaining full control over affected systems. It has a CVSS score of 9.9, which indicates that the vulnerability is critical.
  • No Patch Available: Systems remain vulnerable until a fix is released.
  • Impact on Multiple Systems: Not limited to GNU/Linux; other systems using CUPS, like macOS and various Unix derivatives, may also be affected.

Recommended Actions for Enterprises:

Enterprises should assess the exposure of their CUPS systems: limit network access, deactivate non-essential services, and implement strict access controls. Prepare to patch quickly as soon as a fix is available, and test patches thoroughly to prevent service interruptions.

How Can Qualys Help?

Qualys QID Coverage

The Qualys Threat Research Unit is releasing the QIDs in the table below to identify assets affected by this vulnerability.

Discover Vulnerable CUPS Assets Using Qualys CyberSecurity Asset Management (CSAM):

The first and most important step in managing this critical vulnerability is to pinpoint every asset susceptible to it. Use CSAM 3.0 with External Attack Surface Management to identify and inventory the instances in your organization that run vulnerable versions of CUPS.

Qualys CSAM makes it easy to identify assets containing CUPS. The following QQL query will identify assets with CUPS installed.

Software Query:

software:(name:"cups-filters" or name:"cups-browsed" or name:"libcupsfilters" or name:"libppd")

The QQL below will help identify assets that have port 631 open, which is typically used by CUPS Internet Printing Protocol (IPP).

Use this QQL statement:

openPorts:(port:631)

With the Qualys Unified Dashboard, you can track the exposure within your organization and view your impacted hosts, their status, distribution across environments, and overall management in real time, allowing you to see your mean time to remediation (MTTR).

Conclusion

These issues pose significant risks for systems exposed directly to the internet or within a local network, potentially allowing attackers to gain full control over affected machines. The cups-browsed service is widely installed on Unix-like operating systems. Proactive measures are essential to mitigate risks associated with unauthenticated RCE vulnerabilities. By staying informed, assessing risks, implementing interim security controls, and preparing for rapid patch deployment, organizations can significantly reduce their exposure to potential attacks.

Next Steps:

  • Keep a close eye on official channels and this blog for the release of security patches.
  • Schedule maintenance windows to apply patches without disrupting business operations.

FAQ:

How can I identify assets with CUPS?

Qualys customers can inventory their infrastructure using the QID 38199: CUPS service Detected.
