A new vulnerability was recently discovered in a widely used print server that is installed by default on many Linux and Unix-based systems with a graphical user interface. The primary attack vector is the CUPS (Common Unix Printing System) print scheduler, specifically cups-browsed, which has the potential for remote code execution with zero user interaction required.

According to reports, RHEL and Canonical gave the vulnerability a CVSS score of 9.9. This score sparked heated debate, with some arguing that it should be lower because, although the code can be remotely downloaded to the system, it cannot be executed without user intervention. Fortunately, there is no evidence that the flaw has been exploited. However, the disclosure leaked online ahead of its planned private disclosure in October, prompting the developer who discovered it to post a full explanation on his blog. In this case, malicious actors are likely to start exploiting the vulnerability.

According to a lengthy blog post by researcher Simone Margaritelli, services related to the CUPS printing system are vulnerable to remote code execution. Essentially, the attacking system tricks the print scheduler into believing it is a printer and sends malware (potentially arbitrary executable code) disguised as a printer configuration file. This process requires no user intervention, as CUPS will accept any packet sent via port *:631.

Briefing:

  • CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631, trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.

  • CVE-2024-47076 | libcupsfilters <= 2.1b1: cfGetPrinterAttributes5 does not validate or sanitize IPP attributes returned from the IPP server, providing attacker-controlled data to other parts of the CUPS system.

  • CVE-2024-47175 | libppd <= 2.1b1: ppdCreatePPDFromIPP2 does not validate or sanitize IPP attributes when writing them to a temporary PPD file, allowing attacker-controlled data to be injected into the generated PPD.

  • CVE-2024-47177 | cups-filters <= 2.0.1: foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.

The particular exploit relies on a large number of unpatched vulnerabilities, some of which are more than a decade old, so this is a particular concern for users with Linux or Unix-based systems. For this attack vector to work, the system needs to have CUPS (Common Unix Printing System) and cups-browsed installed and running, which is the default on many systems. According to Margaritelli, there are currently 200,000 to 300,000 systems connected to the Internet and providing printing services, but Shodan reports (see screenshot above) that there are approximately 76,000 systems with CUPS ports open and connected to the Internet.

While the researchers claim that most GNU/Linux distributions, as well as potentially ChromeOS and macOS, are affected, it should be noted that this is not the default configuration for many Linux distributions and especially should not be the configuration of any large servers or data centers, meaning the largest target group will be private PC users running Linux.
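Two conditions named in the briefing can be checked locally: a wildcard UDP listener on port 631 (CVE-2024-47176) and `FoomaticRIPCommandLine` entries in installed PPD files (CVE-2024-47177). The following is an added example, not code from the researcher or the CUPS project; it assumes iproute2 `ss` output and the `/etc/cups/ppd` directory, the function names are hypothetical, and the sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample of `ss -H -lun` output (not captured from a real host).
sample_ss() {
cat <<'EOF'
UNCONN 0 0      0.0.0.0:631     0.0.0.0:*
UNCONN 0 0    127.0.0.1:631     0.0.0.0:*
UNCONN 0 0         [::]:631        [::]:*
UNCONN 0 0      0.0.0.0:5353    0.0.0.0:*
EOF
}

# Read `ss -H -lun` lines on stdin and print every local socket that listens
# on UDP 631 on a wildcard address; loopback-only listeners are not reported.
exposed_udp_631() {
    awk '{
        la = ""
        for (i = 1; i <= NF; i++) if (index($i, ":")) { la = $i; break }
        if (la == "") next
        n = split(la, part, ":"); port = part[n]
        addr = substr(la, 1, length(la) - length(port) - 1)
        if (port == "631" && (addr == "0.0.0.0" || addr == "*" || addr == "[::]")) print la
    }'
}

# List *FoomaticRIPCommandLine entries in the PPDs under directory $1 for
# manual review. Legitimate Foomatic drivers use this keyword too, so a hit
# is a prompt to inspect the command, not proof of compromise.
ppd_command_lines() {
    grep -H '^\*FoomaticRIPCommandLine' "$1"/*.ppd 2>/dev/null || true
}

# On a live host (assumed tools and paths: iproute2 `ss`, /etc/cups/ppd):
#   ss -H -lun | exposed_udp_631
#   ppd_command_lines /etc/cups/ppd
sample_ss | exposed_udp_631
```

Any output from `exposed_udp_631` on a host that does not need network printer discovery is a reason to stop and disable cups-browsed or to block UDP 631 at the firewall.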