Security researcher Simone Margaritelli recently uncovered four critical vulnerabilities in the Common Unix Printing System (CUPS), posing a significant risk of remote code execution on Linux systems.

Description

On September 26, 2024 [4], Margaritelli disclosed the vulnerabilities, identified as CVE-2024-47176 [3] [6], CVE-2024-47076 [1] [3] [6], CVE-2024-47175 [1] [3] [6], and CVE-2024-47177 [3] [6]. These vulnerabilities allow attackers to execute arbitrary commands on the target machine; the most severe, CVE-2024-47076 [1] [3] [6], has a CVSS score of 9.9 [2]. Attackers can exploit this vulnerability by injecting malicious data into the printing system through the cfGetPrinterAttributes5 function, sending crafted IPP packets over UDP port 631 or DNS-SD [1]. Systems with exposed cups-browsed services are particularly vulnerable, as attackers can gain full control by replacing IPP URLs with malicious ones or installing new printers. These vulnerabilities impact all versions of CUPS up to 2.1b1 and various Unix-like operating systems, such as Red Hat, Ubuntu [1] [5], and Apple. Enterprises relying on Linux systems for critical operations are at high risk [5], as attackers could exploit these vulnerabilities in automated internet-wide scans and install remote access Trojans (RATs) for persistent control [5].

Conclusion

Immediate patching and mitigation measures [1], such as disabling unnecessary services and implementing firewall rules, are crucial to prevent unauthorized access and control over systems using CUPS [1]. Enterprises must take proactive steps to secure their systems and protect against potential exploitation of these vulnerabilities.
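
A host check for the exposure described above, added here as an example and not taken from the original article or the CUPS project: it reads `ss -H -uln` output and lists UDP port 631 listeners bound to non-loopback addresses. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag UDP/631 listeners that are reachable from off-host.

# Reads `ss -H -uln` style lines on stdin and prints each non-loopback
# local address bound to UDP port 631, one per line.
exposed_631() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:[0-9]+$/) {      # first addr:port field is the local one
                addr = $i
                sub(/:[0-9]+$/, "", addr)
                port = substr($i, length(addr) + 2)
                if (port == "631" && addr !~ /^(127\.|\[::1\])/)
                    print addr
                break
            }
        }
    }'
}

# Constructed sample input (not captured from a real host).
sample_ss() {
cat <<'EOF'
UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.1:631 0.0.0.0:*
UNCONN 0 0 [::1]:631 [::]:*
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
udp UNCONN 0 0 [::]:631 [::]:*
EOF
}

# Live check for an administrator to call by hand; not run automatically.
audit_live() {
    if systemctl is-active --quiet cups-browsed 2>/dev/null; then
        echo "cups-browsed is running"
    fi
    ss -H -uln | exposed_631 | while read -r a; do
        echo "UDP 631 listening on $a: restrict with a firewall rule or stop the service"
    done
}

echo "Non-loopback UDP/631 listeners in the sample:"
sample_ss | exposed_631
```

An empty result from `exposed_631` means nothing on the host is accepting UDP port 631 traffic from other machines; any address it prints is a candidate for a firewall rule or for disabling the service.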

References

[1] https://www.redlegg.com/blog/emergency-vulnerability-2024-09-30-linux-cups
[2] https://snyk.io/blog/zero-day-rce-in-cups-vulnerability-sept-2024/
[3] https://www.computerweekly.com/news/366611944/Printing-vulnerability-affecting-Linux-distros-raises-alarm
[4] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/what-we-know-so-far-about-zero-day-cups-vulnerabilities-cve-2024-47176-cve-2024-47076-cve-2024-47175-and-cve-2024-47177/
[5] https://www.infosecurity-magazine.com/news/rce-vulnerabilities-cups/
[6] https://www.techtarget.com/searchsecurity/news/366612232/CUPS-vulnerabilities-could-put-Linux-systems-at-risk