Security Update: Critical CUPS Vulnerability

A critical chained vulnerability (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177) has been detected within the open-source printing system CUPS (present in most Linux distributions). Attackers can achieve remote code execution, potentially leading to complete control of the vulnerable system. Detectify customers can assess whether their systems are running affected versions of CUPS.

Context and exploitability

On Thursday, September 26th, security researcher evilsocket published a write-up alongside a PoC that was published on a critical severity GNU/Linux unauthenticated RCE affecting the CUPS open-source printing system. 

Attackers can execute arbitrary code on a victim’s machine if the cups-browsed service is enabled by sending a malicious request to the vulnerable device (through an IPP server) on a network the victim has access to and getting the victim to run a print job from the affected device.

Am I vulnerable?

Detectify security researchers and engineers have released a product update that allows all Detectify Surface Monitoring customers to check whether their systems are running affected versions of CUPS. Users can visit the Overview page in the UI for a risk assessment indicator and they are advised to make sure that Surface Monitoring is active on the domains they want to verify.

Vulnerabilities discovered

The following four CVEs were assigned to CUPS vulnerabilities linked with this attack. When chained, attackers can potentially execute RCE (remote code execution):

• CVE-2024-47176. cups-browsed trusts all incoming network packets, enabling attackers to introduce malicious printers to the system. Particularly concerning as it can be exploited from the public internet (attacker controlled URL) potentially exposing a vast number of systems to remote attacks if their CUP services are enabled.
• CVE-2024-47076.  The function cfGetPrinterAttributes5 in the libcupsfilters library fails to sanitize IPP attributes received from an IPP server, potentially allowing attackers to introduce harmful data when these attributes are used.
• CVE-2024-47175. The function ppdCreatePPDFromIPP2 in the libppd library fails to sanitize IPP attributes, potentially allowing attackers to inject malicious code into the system.
• CVE-2024-47177. The entry FoomaticRIPCommandLine in the cups-filters library can trigger CUPS to execute any arbitrary commands injected into that file when a print job is sent to the affected device.

Detection and remediation

Until patches are released, Detectify recommends the following mitigation steps for this issue:

1. Check if cups-browsed is running on your system.
   sudo systemctl status cups-browsed
2. Disable and remove the cups-browsed service if you don’t need it.
   sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
   
3. Update the CUPS package on your systems. 
4. Block incoming traffic on port 631/tcp and port 631/udp, as well as DNS-SD traffic. 

Customers can always find updates in the “What’s New at Detectify” product log. Any questions can be directed to Customer Success representatives or Support. If you’re not already a customer, click here to sign up for a demo or a free trial and immediately start scanning. Go hack yourself!