• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

New Linux RCE Vulnerability Leaks Ahead of Disclosure - Allows Arbitrary Code Execution via CUPS Print Scheduler

Cpt.Jank

Staff
Staff member
Joined
Aug 30, 2024
Messages
55 (0.73/day)
A new vulnerability was recently discovered in a widely used print server that is installed by default on many Linux and Unix-based systems with a graphical user interface. The primary attack vector for the vulnerability is the CUPS (Common Unit Printing System) print scheduler, specifically cups-browsed, and has the potential to execute code remotely with zero user interaction required.

The vulnerability has reportedly been given a CVSS score of 9.9 by RHEL and Canonical, although this score is hotly debated, with some arguing it should have a lower score, because, although code can be remotely downloaded to the system, it cannot be executed without user intervention. Fortunately, there is no evidence of the vulnerability having been exploited, although the disclosure was leaked online ahead of a planned private reveal in October, prompting the developer that discovered the vulnerability to post the full explanation in a write-up on their blog. This being the case, the vulnerability could very well start being exploited by malicious actors.



According to the lengthy blog post by the researcher, Simone Margaritelli, services related to the CUPS printing system on are vulnerable to remote code execution. Essentially, an attacking system convinces the print scheduler that it is a printer and sends over malware—which can be arbitrary executable code—that is disguised as a printer configuration file. This process requires no user intervention, since CUPS will accept any packet sent via port *:631. The next time the user attempts to print something, that code can be executed, potentially compromising the system.

Summary
  • CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL.
  • CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system.
  • CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD.
  • CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.

The specific exploit depends on a host of unpatched vulnerabilities, some over a decade old, making this a particularly concerning issue for those using Linux or Unix-based. For this attack vector to work, the system needs to have CUPS (Common Unix Printing System) and cups-browsed installed and running, which is the default for a lot of systems. According to Margaritelli, there are 200,000-300,000 systems with the print service currently connected to the internet, although Shodan reports (see above screenshot) that there are around 76,000 systems with open CUPS ports connected to the internet.

While the researcher claims that most GNU/Linux distributions—as well as potentially ChromeOS and macOS—are affected, it should be noted that it is not the default configuration for many Linux distributions, and it especially shouldn't be the case for any large-scale servers or data centers, meaning the largest target group would be private PC users running Linux.

View at TechPowerUp Main Site | Source
 
Joined
Jan 10, 2011
Messages
1,443 (0.29/day)
Location
[Formerly] Khartoum, Sudan.
System Name 192.168.1.1~192.168.1.100
Processor AMD Ryzen5 5600G.
Motherboard Gigabyte B550m DS3H.
Cooling AMD Wraith Stealth.
Memory 16GB Crucial DDR4.
Video Card(s) Gigabyte GTX 1080 OC (Underclocked, underpowered).
Storage Samsung 980 NVME 500GB && Assortment of SSDs.
Display(s) ViewSonic VA2406-MH 75Hz
Case Bitfenix Nova Midi
Audio Device(s) On-Board.
Power Supply SeaSonic CORE GM-650.
Mouse Logitech G300s
Keyboard Kingston HyperX Alloy FPS.
VR HMD A pair of OP spectacles.
Software Ubuntu 24.04 LTS.
Benchmark Scores Me no know English. What bench mean? Bench like one sit on?
Ok, so disabling CUPS seems the order of the day.
Or update your system. My 24.04 got the patches yesterday's afternoon.
Although I did disable it as well, don't need printing. And I already have ufw on, which blocks inbound connections by default.
 
Joined
Jul 31, 2024
Messages
303 (2.89/day)
The bug report in my words.

Read the config files and change them after installing a package. This was not done!
Only install packages you need.
The news title is wrong. Cups is not broken. Cups-browsed is broken. My gentoo box has the cups-browsed package not installed - but i can print and i can print to pdf.

The bad attitude of bug readers. The bad attitude of many when hinting out issues.

I recommend to make those bugs instantly public after 3 calendar days.

I want to thanks the person who wrote up how he found it.
 
Joined
Jan 14, 2019
Messages
12,337 (5.79/day)
Location
Midlands, UK
System Name Nebulon B
Processor AMD Ryzen 7 7800X3D
Motherboard MSi PRO B650M-A WiFi
Cooling be quiet! Dark Rock 4
Memory 2x 24 GB Corsair Vengeance DDR5-4800
Video Card(s) AMD Radeon RX 6750 XT 12 GB
Storage 2 TB Corsair MP600 GS, 2 TB Corsair MP600 R2
Display(s) Dell S3422DWG, 7" Waveshare touchscreen
Case Kolink Citadel Mesh black
Audio Device(s) Logitech Z333 2.1 speakers, AKG Y50 headphones
Power Supply Seasonic Prime GX-750
Mouse Logitech MX Master 2S
Keyboard Logitech G413 SE
Software Bazzite (Fedora Linux) KDE
Why does the print port have to be connected to the internet anyway?
 
Joined
Jun 29, 2018
Messages
534 (0.23/day)
The bug report in my words.

Read the config files and change them after installing a package. This was not done!
Only install packages you need.
The news title is wrong. Cups is not broken. Cups-browsed is broken. My gentoo box has the cups-browsed package not installed - but i can print and i can print to pdf.

The bad attitude of bug readers. The bad attitude of many when hinting out issues.

I recommend to make those bugs instantly public after 3 calendar days.

I want to thanks the person who wrote up how he found it.
This issue is absolutely a CUPS bug.
Not the part that it listens to IPP announcement packets by default - Windows (in Private networks) and macOS do this as well in order to meet user expectations that connecting a modern networked printer will make it magically appear in systems on said network.
The broken part is parsing of those IPP packets in CUPS which leads to RCE because there isn't enough sanitization done on the data they carry. The person who discovered those bugs wrote in the blog that what was made public aren't the only problems he found, so we can expect more reports, and that macOS is also affected.
Just because your custom Gentoo installation doesn't include cups-browsed doesn't mean that it isn't installed by default by more mainstream distributions like Ubuntu, because it is.

Why does the print port have to be connected to the internet anyway?
It shouldn't, in theory.
I think that those detected computers might be Ubuntu or any other mainstream desktop Linux distribution that has been installed on a server instead of using a server distribution. Since Ubuntu installs the vulnerable component by default in their desktop variant, their users might simply not know it's even there. Not everyone is a Linux expert, and installation of a desktop distribution on server that's directly Internet-facing suggests that they aren't either.
In my opinion the automatic discovery should be limited to private networks only, just like it is on Windows. That's an issue of CUPS configuration which is on the distribution maintainer, but it's no excuse for the lax parsing of IPP packets in CUPS.
 
Last edited:
Joined
Jan 14, 2019
Messages
12,337 (5.79/day)
Location
Midlands, UK
System Name Nebulon B
Processor AMD Ryzen 7 7800X3D
Motherboard MSi PRO B650M-A WiFi
Cooling be quiet! Dark Rock 4
Memory 2x 24 GB Corsair Vengeance DDR5-4800
Video Card(s) AMD Radeon RX 6750 XT 12 GB
Storage 2 TB Corsair MP600 GS, 2 TB Corsair MP600 R2
Display(s) Dell S3422DWG, 7" Waveshare touchscreen
Case Kolink Citadel Mesh black
Audio Device(s) Logitech Z333 2.1 speakers, AKG Y50 headphones
Power Supply Seasonic Prime GX-750
Mouse Logitech MX Master 2S
Keyboard Logitech G413 SE
Software Bazzite (Fedora Linux) KDE
Installed the security fix for this yesterday. I had cups-browsed installed by default. Latest Linux Mint.
So it already has a fix? That's good to know. :)
 
Joined
Sep 26, 2022
Messages
2,026 (2.60/day)
Location
Brazil
System Name G-Station 1.17 FINAL
Processor AMD Ryzen 7 5700X3D
Motherboard Gigabyte X470 Aorus Gaming 7 WiFi
Cooling DeepCool AK620 Digital
Memory Asgard Bragi DDR4-3600CL14 2x16GB
Video Card(s) Sapphire PULSE RX 7900 XTX
Storage 240GB Samsung 840 Evo, 1TB Asgard AN2, 2TB Hiksemi FUTURE-LITE, 320GB+1TB 7200RPM HDD
Display(s) Samsung 34" Odyssey OLED G8
Case Thermaltake Level 20 MT
Audio Device(s) Astro A40 TR + MixAmp
Power Supply Cougar GEX X2 1000W
Mouse Razer Viper Ultimate
Keyboard Razer Huntsman Elite (Red)
Software Windows 11 Pro
Because why would Windows get all the fun of having a bunch of security holes because of stupid printer software :D
When/wherever there's printers involved, there's hell to follow.
 
Joined
Nov 4, 2005
Messages
11,966 (1.72/day)
System Name Compy 386
Processor 7800X3D
Motherboard Asus
Cooling Air for now.....
Memory 64 GB DDR5 6400Mhz
Video Card(s) 7900XTX 310 Merc
Storage Samsung 990 2TB, 2 SP 2TB SSDs, 24TB Enterprise drives
Display(s) 55" Samsung 4K HDR
Audio Device(s) ATI HDMI
Mouse Logitech MX518
Keyboard Razer
Software A lot.
Benchmark Scores Its fast. Enough.
Print vulnerabilities existed in Windows for years and they were ignored for user convenience and so cheap printers could be made
 
Joined
Jul 5, 2013
Messages
27,542 (6.64/day)
@Easy Rhino @Solaris17

what is the command line I need to use to disable this and printer entirely in Linux Mint 22? I don't even need printing capability for my laptop, i'd rather it just be gone entirely to mitigate any security issues.
First you need to stop the CUPS service;

systemctl stop cups

Then you need to disable all of the associated systemd services;

systemctl disable cups.service cups.socket cups.path

Then you need to mask it so nothing else starts it;

systemctl mask cups

Then after a reboot you can make sure this procedure was successful by checking the status;

systemctl status cups
 
Last edited:

Space Lynx

Astronaut
Joined
Oct 17, 2014
Messages
17,119 (4.65/day)
Location
Kepler-186f
First you need to stop the CUPS service;

systemctl stop cups

Then you need to disable all of the associated systemd services;

systemctl disable cups.service cups.socket cups.path

Then you need to mask it so nothing else starts it;

systemctl mask cups

Then after a reboot you can make sure this procedure was successful by checking the status;

systemctl status cups

ty, i just updated linux mint 22 about an hr ago and i noticed CUPS had an update on there, so i wonder if they already patched this out?

i think im still going to do this though, because i literally have no need for a printer for my work laptop
 
Joined
Jul 5, 2013
Messages
27,542 (6.64/day)
ty, i just updated linux mint 22 about an hr ago and i noticed CUPS had an update on there, so i wonder if they already patched this out?

i think im still going to do this though, because i literally have no need for a printer for my work laptop
Yeah better safe than sorry, especially if you're not using it.
 
Joined
Aug 20, 2007
Messages
21,432 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
Why does the print port have to be connected to the internet anyway?
It has to be connected to the network, not the internet. Feel free to firewall it.
 

Space Lynx

Astronaut
Joined
Oct 17, 2014
Messages
17,119 (4.65/day)
Location
Kepler-186f
It has to be connected to the network, not the internet. Feel free to firewall it.

doesn't it automatically connect to the printer on your local network? i know when i installed linux mint 22 when it launched, it showed my dads HP printer already ready to go, and I did NOT give it permission to add a printer, that is one thing I do like about windows, it does not automatically add a printer unless i ask it to find one.

so if im traveling with my work laptop... connecting to various wifi networks, gg ?
 
Joined
Jun 29, 2018
Messages
534 (0.23/day)
doesn't it automatically connect to the printer on your local network? i know when i installed linux mint 22 when it launched, it showed my dads HP printer already ready to go, and I did NOT give it permission to add a printer, that is one thing I do like about windows, it does not automatically add a printer unless i ask it to find one.
CUPS used the exact mechanism which bugs discussed in this thread affect to add that HP printer automatically.
Windows does this as well, but only on networks marked as "Private". When you first connect to a new network it will ask if you want to enable this feature for said network.
so if im traveling with my work laptop... connecting to various wifi networks, gg ?
Yes, CUPS as shipped by most distributions will do this on any network. It's part of the reason this got a 9.9/10 rating. It's a configuration problem that should be resolved by distribution maintainers. It can be changed by the user, but most don't even know this is happening.

I was wondering if IPTables would work.. Wouldn't CUPS just tunnel through another connected service?
This issue requires CUPS to listen on the * address (meaning all local IPv4 and v6 addresses), UDP port 631, for printers (or "printers") to connect to it. If you forbid external incoming connections to it by using iptables it will solve the issue. A side effect is disablement of the automatic printer discovery mechanism. Such configuration will still allow you to use external printers by manually adding them since then CUPS is connecting to the printer, as in it's an outgoing connection.
 

Space Lynx

Astronaut
Joined
Oct 17, 2014
Messages
17,119 (4.65/day)
Location
Kepler-186f
CUPS used the exact mechanism which bugs discussed in this thread affect to add that HP printer automatically.
Windows does this as well, but only on networks marked as "Private". When you first connect to a new network it will ask if you want to enable this feature for said network.

Yes, CUPS as shipped by most distributions will do this on any network. It's part of the reason this got a 9.9/10 rating. It's a configuration problem that should be resolved by distribution maintainers. It can be changed by the user, but most don't even know this is happening.


This issue requires CUPS to listen on the * address (meaning all local IPv4 and v6 addresses), UDP port 631, for printers (or "printers") to connect to it. If you forbid external incoming connections to it by using iptables it will solve the issue. A side effect is disablement of the automatic printer discovery mechanism. Such configuration will still allow you to use external printers by manually adding them since then CUPS is connecting to the printer, as in it's an outgoing connection.

ty for this, very informative. I honestly have no need for a printer, so I will just follow the steps from Lex and remove the entire CUPS thingy in terminal
 

NoLoihi

New Member
Joined
Sep 15, 2024
Messages
8 (0.13/day)
I honestly have no need for a printer, so I will just follow the steps from Lex and remove the entire CUPS thingy in terminal
Just to make obvious things obvious, if you don’t want that software at all, uninstall it via your package manager. In addition to that, if you mask a service, you won’t need to disable it.
 
Top