In a recent release, the developers of Linux printing system CUPS disclosed fixing a selection of vulnerabilities. When successfully exploited, they can provide adversaries with the ability to execute arbitrary code. While requiring certain conditions to work, their sheer volume allows them to pick an appropriate one; there are also suspicions on these flaws exploited in the wild before the disclosure.
Four Linux CUPS Vulnerabilities Discovered
On September 26, 2024, rumors about a selection of flaws in Linux printing system CUPS appeared. Threat analysts on Twitter found the official announcement that stated the disclosure happening the next day, on September 27. And here it is – a pack of 4 RCE vulnerabilities of high severity, leeched inside the Common UNIX Printing System (CUPS).
CUPS is a printing management system, compatible with all *nix operating systems. Its purpose is to orchestrate communication with printing devices and manage printing queues. Among its capabilities is the ability to turn the system it runs in into a printing server. That is a rather convenient option for any corporation that has to deal with massive amounts of paperwork. And that is the reason why there is so much fuss about these flaws.
We begin with the most severe flaw – CVE-2024-47117 (CVSS 9.1), a command injection vulnerability. Under correct circumstances, it can let the adversaries to command the system to execute arbitrary code. The reason for such a behavior is an incorrect handling of PPD files: the software will execute FoomaticRIPCommandLine the value of parameter. With some tinkering, it is possible to tuck malicious code into that value, and make the system execute it.
What makes the trick possible is the next vulnerability, CVE-2024-47176 (CVSS 8.4). It stems from the lack of identity verification for the Internet Printing Package (IPP) sender. Long story short, CUPS network printing functionality for some reason trusts all the packages from all sources. Through this flaw, hackers can make the system send a printer info request to a remote server. And, as you could have already guessed, hackers will in the end be able to create a fake printer instance, that they fully control. This way, it is possible to gain persistence in the network printing environment and execute arbitrary code.
Auxiliary Vulnerabilities
This IPP verification vulnerability is accompanied by two other flaws, CVE-2024-47175 and CVE-2024-47076 (CVSS 8.6 for both). They allow the aforementioned PPD files to introduce malicious code into other elements of the CUPS system, consequently expanding the presence in the network. Once again, the problem stems from absence of proper input sanitization: libppd function of CUPS system takes the input from the PPD files “as is”, executing the code shall the one be present in the parameter. But, as analysts say, these two vulnerabilities are not stand-alone, and are effective only when combined with one or both flaws from the above.
Possible Exploitation In The Wild
There are several signs that can hint the exploitation of the flaws in real-world attacks. Proof of concept exploits for the corresponding vulnerabilities appeared on GitHub several days ahead of the disclosure. The list of PoC GitHub repositories was posted on the famous underground forum Breachforum, with quite a discussion below it.
Sure enough, that is not enough to say about any active exploitation at the moment. But the very fact of PoC exploits being broadly available makes it much easier to do, even for less experienced hackers. And trust me, among cybercrime groups, low qualification is not an often occasion: they will modify available exploits and put them to use.
Fixes for Linux CUPS Vulnerabilities Released
Simultaneously with the disclosure, OpenPrinting, the developer of the software suite, released the potential mitigation for the problem. Yes, you read it correctly: there is no official patch available, only the way to prevent the flaw from being exploited. To do this, they offer to stop a specific CUPS service that contains the pesky bug. That is possible to do with a couple of Linux commands:
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
That will disable the vulnerable service from running. In fact, this is a fortunate element of all this story: despite being rather dangerous, the threat is easily blocked by disabling the flawed service. But it is not a hacker-proof option: if adversaries already established a presence in the environment, it won’t be too hard to launch the vulnerable service back. And since the vulnerability can be effective in lateral movement, attackers can easily target it for this specific purpose.
