Friday, September 27th 2024

New Linux RCE Vulnerability Leaks Ahead of Disclosure - Allows Arbitrary Code Execution via CUPS Print Scheduler

A new vulnerability was recently discovered in a widely used print server that is installed by default on many Linux and Unix-based systems with a graphical user interface. The primary attack vector is the CUPS (Common Unix Printing System) print scheduler, specifically cups-browsed, and the flaw has the potential to allow remote code execution with zero user interaction required.

The vulnerability has reportedly been given a CVSS score of 9.9 by RHEL and Canonical, although this score is hotly debated, with some arguing it should have a lower score, because, although code can be remotely downloaded to the system, it cannot be executed without user intervention. Fortunately, there is no evidence of the vulnerability having been exploited, although the disclosure was leaked online ahead of a planned private reveal in October, prompting the developer that discovered the vulnerability to post the full explanation in a write-up on their blog. This being the case, the vulnerability could very well start being exploited by malicious actors.
According to the lengthy blog post by the researcher, Simone Margaritelli, services related to the CUPS printing system are vulnerable to remote code execution. Essentially, an attacking system convinces the print scheduler that it is a printer and sends over malware—which can be arbitrary executable code—that is disguised as a printer configuration file. This process requires no user intervention, since CUPS will accept any packet sent via port *:631. The next time the user attempts to print something, that code can be executed, potentially compromising the system.
Summary
  • CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL.
  • CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system.
  • CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD.
  • CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.
The specific exploit depends on a host of unpatched vulnerabilities, some over a decade old, making this a particularly concerning issue for those using Linux or Unix-based systems. For this attack vector to work, the system needs to have CUPS (Common Unix Printing System) and cups-browsed installed and running, which is the default for a lot of systems. According to Margaritelli, there are 200,000-300,000 systems with the print service currently connected to the internet, although Shodan reports (see above screenshot) that there are around 76,000 systems with open CUPS ports connected to the internet.
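
To check a host against the preconditions above, the following shell sketch is an added example, not code from the article or from the CUPS project. It flags UDP sockets bound to a wildcard address on port 631 (the CVE-2024-47176 condition) and lists PPD files carrying a FoomaticRIPCommandLine entry (the parameter named in CVE-2024-47177). The function names and sample `ss` output are constructed; `/etc/cups/ppd` is assumed to be the CUPS PPD directory.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample data is constructed.

# Reads `ss -H -ulnp` output on stdin and prints "<address> <process>" for
# every UDP socket bound to a wildcard address on port 631.
exposed_631() {
    awk '
    {
        addr = ""
        for (i = 1; i <= NF; i++)      # first field with ":" is Local Address:Port
            if (index($i, ":")) { addr = $i; break }
        n = split(addr, p, ":")
        if (n < 2 || p[n] != "631") next
        host = substr(addr, 1, length(addr) - 4)    # strip ":631"
        if (host != "0.0.0.0" && host != "*" && host != "[::]") next
        proc = "unknown"               # process column is only shown to root
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print host, proc
    }'
}

# Prints the PPD files in directory $1 that contain a FoomaticRIPCommandLine
# entry. Legitimate Foomatic drivers use this keyword too, so each hit is a
# file to review, not proof of tampering.
ppd_foomatic_entries() {
    dir=$1
    [ -d "$dir" ] || return 0
    grep -l '^\*FoomaticRIPCommandLine' "$dir"/*.ppd 2>/dev/null || true
}

# Constructed sample of `ss -H -ulnp` output (not captured from a real host).
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=1042,fd=7))
UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=801,fd=5))
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=774,fd=12))
UNCONN 0 0 [::1]:631 [::]:* users:(("example-daemon",pid=900,fd=3))'

printf '%s\n' "$SAMPLE_SS" | exposed_631

# Live use, as root:
#   ss -H -ulnp | exposed_631
#   ppd_foomatic_entries /etc/cups/ppd
```

Any line printed by `exposed_631` means the host accepts UDP packets on port 631 from every interface; an empty result on a live system means no wildcard listener was found.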

While the researcher claims that most GNU/Linux distributions—as well as potentially ChromeOS and macOS—are affected, it should be noted that it is not the default configuration for many Linux distributions, and it especially shouldn't be the case for any large-scale servers or data centers, meaning the largest target group would be private PC users running Linux.
Sources: Evilsocket Blog, Stong on GitHub Gist, Shodan

31 Comments on New Linux RCE Vulnerability Leaks Ahead of Disclosure - Allows Arbitrary Code Execution via CUPS Print Scheduler

#26
lexluthermiester
Space Lynx: so I just look for something called CUPS when I open up the Mint Store? does this change the command line i need to use to uninstall it that you gave me?
No, just open the terminal and use the commands in the order listed previously.
#27
Space Lynx
Astronaut
lexluthermiester: No, just open the terminal and use the commands in the order listed previously.
first command worked after i entered my password, second one said denied after i entered my password, not sure what i did wrong :confused:
#28
lexluthermiester
Space Lynx: first command worked after i entered my password, second one said denied after i entered my password, not sure what i did wrong :confused:
Do you have root or SU on your user account? If not, you need to create a SuperUser account and enter the command in that account. You need root auth for the commands I listed.
#29
Space Lynx
Astronaut
lexluthermiester: Do you have root or SU on your user account? If not, you need to create a SuperUser account and enter the command in that account. You need root auth for the commands I listed.
ok well since it got updated recently anyway i think i will just leave it, patch has already been issued, i think one of linux weaknesses is not having a toggle to simply turn on or off printing

i just install linux mint in w.e way it tells me to do so, i just hit next on everything when i install it, so lol i have no idea, im not having any issues so i'll just leave it alone
#30
lexluthermiester
Space Lynx: ok well since it got updated recently anyway i think i will just leave it, patch has already been issued, i think one of linux weaknesses is not having a toggle to simply turn on or off printing

i just install linux mint in w.e way it tells me to do so, i just hit next on everything when i install it, so lol i have no idea, im not having any issues so i'll just leave it alone
Fair enough. The procedure above is what I did. Some of it I already knew, but two parts of it were learned after looking up more info. I run my install of Mint with SU enabled, soo...
#31
Event Horizon
If you decide against removing cups-browsed there's a new update for it on Mint today containing a more complete fix.