Developers of the Linux printing system CUPS recently disclosed several vulnerabilities that could allow attackers to execute arbitrary code. Although exploiting these flaws requires specific conditions, the number of them raises concerns that they may have been exploited in the wild before the announcement.
On September 26, 2024, rumors about these flaws circulated on Twitter; an official announcement on September 27 confirmed four high-severity RCE vulnerabilities in CUPS.
All about the Linux CUPS vulnerabilities
CVE-2024-47117 (CVSS 9.1) is a command injection vulnerability that can allow attackers to execute arbitrary code through improper handling of PPD files. The software executes the command held in the FoomaticRIPCommandLine parameter, so a manipulated PPD can run malicious code.
This exploitation is possible because of CVE-2024-47176 (CVSS 8.4), a lack of identity verification for Internet Printing Protocol (IPP) senders. CUPS mistakenly trusts all packets from any source, enabling attackers to send a printer information request to a remote server. This can create a fake printer instance under their control, giving them persistence in the network printing environment and the ability to execute arbitrary code.
The IPP verification flaw is accompanied by two others, CVE-2024-47175 and CVE-2024-47076 (CVSS 8.6), which allow malicious PPD files to inject harmful code into other parts of the CUPS system, expanding the attacker's presence on the network. The root cause is improper input sanitization: the libppd function executes any code in the PPD file input "as is." Analysts state that these vulnerabilities are effective only when combined with one or both of the earlier flaws.
Fixes for Linux CUPS
Along with the disclosure, OpenPrinting released mitigation measures for the vulnerabilities. There is no official patch; instead, they suggest stopping the specific CUPS service that contains the bug. This is done with the following Linux commands:
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
Fortunately, disabling the vulnerable service effectively blocks the threat. It is not foolproof, however: attackers who have already gained access to the environment could simply restart the service and exploit it for lateral movement.
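Because a stopped service can be started again, it is worth verifying the mitigation rather than applying it once. The script below is an added example (not from the article or from OpenPrinting): it checks that the cups-browsed unit is neither running nor enabled, and also looks for any socket still bound to UDP port 631, the port cups-browsed listens on (an assumption of this example; the article does not name the port). It assumes systemd's `systemctl` and `ss` from iproute2 are installed.

```shell
#!/bin/sh
# Added verification script for the cups-browsed mitigation (example code,
# not part of the article). Exit status 0 means the mitigation is in effect.

# Decide whether a unit's reported state counts as mitigated.
# $1 = `systemctl is-active` output, $2 = `systemctl is-enabled` output.
# Returns 0 only when the unit is not running and will not start at boot.
assess_unit_state() {
    case "$1" in
        inactive|failed|"") ;;          # not running (or unit absent)
        *) return 1 ;;                   # active, activating, reloading, ...
    esac
    case "$2" in
        disabled|masked|masked-runtime|not-found|"") ;;
        *) return 1 ;;                   # enabled, static, linked, alias, ...
    esac
    return 0
}

# Read `ss -lun` output on stdin; return 0 if any UDP socket is bound to
# port 631. The header line is skipped; the local address is column 4,
# e.g. 0.0.0.0:631 or [::]:631. Port 631 is assumed, not from the article.
udp631_listening() {
    awk 'NR > 1 && $4 ~ /:631$/ { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Run both checks on this host. Returns 0 when mitigated, 1 otherwise.
check_host() {
    active=$(systemctl is-active cups-browsed 2>/dev/null || true)
    enabled=$(systemctl is-enabled cups-browsed 2>/dev/null || true)
    status=0
    if assess_unit_state "$active" "$enabled"; then
        echo "cups-browsed unit: ok (${active:-absent}, ${enabled:-absent})"
    else
        echo "cups-browsed unit: STILL ACTIVE OR ENABLED ($active, $enabled)"
        status=1
    fi
    # A listener while the unit is stopped means it was restarted by hand or
    # runs under another name, which is the scenario the article warns about.
    if ss -lun 2>/dev/null | udp631_listening; then
        echo "UDP/631: a listener is still bound"
        status=1
    else
        echo "UDP/631: no listener"
    fi
    return $status
}

check_host
```

Run it from cron or a configuration-management check so that a re-enabled service is noticed, not just the one-time `systemctl stop` and `disable`.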