A brand new set of safety vulnerabilities has been disclosed within the OpenPrinting Frequent Unix Printing System (CUPS) on Linux methods that might allow distant command execution beneath sure circumstances.
“A distant unauthenticated attacker can silently substitute present printers’ (or set up new ones) IPP urls with a malicious one, leading to arbitrary command execution (on the pc) when a print job is began (from that pc),” safety researcher Simone Margaritelli mentioned.
CUPS is a standards-based, open-source printing system for Linux and different Unix-like working methods, together with ArchLinux, Debian, Fedora, Purple Hat Enterprise Linux (RHEL), ChromeOS, FreeBSD, NetBSD, OpenBSD, openSUSE, and SUSE Linux.
The checklist of vulnerabilities is as follows –
- CVE-2024-47176 – cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any supply to set off a Get-Printer-Attributes IPP request to an attacker-controlled URL
- CVE-2024-47076 – libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 doesn’t validate or sanitize the IPP attributes returned from an IPP server, offering attacker-controlled knowledge to the remainder of the CUPS system
- CVE-2024-47175 – libppd <= 2.1b1 ppdCreatePPDFromIPP2 doesn’t validate or sanitize the IPP attributes when writing them to a short lived PPD file, permitting the injection of attacker-controlled knowledge within the ensuing PPD
- CVE-2024-47177 – cups-filters <= 2.0.1 foomatic-rip permits arbitrary command execution through the FoomaticRIPCommandLine PPD parameter
A internet consequence of those shortcomings is that they might be normal into an exploit chain that permits an attacker to create a malicious, faux printing machine on a network-exposed Linux system operating CUPS and set off distant code execution upon sending a print job.
“The problem arises on account of improper dealing with of ‘New Printer Obtainable’ bulletins within the ‘cups-browsed’ part, mixed with poor validation by ‘cups’ of the knowledge offered by a malicious printing useful resource,” community safety firm Ontinue mentioned.
“The vulnerability stems from insufficient validation of community knowledge, permitting attackers to get the susceptible system to put in a malicious printer driver, after which ship a print job to that driver triggering execution of the malicious code. The malicious code is executed with the privileges of the lp person – not the superuser ‘root.'”
RHEL, in an advisory, mentioned all variations of the working system are affected by the 4 flaws, however famous that they aren’t susceptible of their default configuration. It tagged the problems as Vital in severity, on condition that the real-world influence is prone to be low.
“By chaining this group of vulnerabilities collectively, an attacker might doubtlessly obtain distant code execution which might then result in theft of delicate knowledge and/or injury to crucial manufacturing methods,” it mentioned.
Cybersecurity agency Rapid7 identified that affected methods are exploitable, both from the general public web or throughout community segments, provided that UDP port 631 is accessible and the susceptible service is listening.
Palo Alto Networks has disclosed that none of its merchandise and cloud providers include the aforementioned CUPS-related software program packages, and subsequently should not impacted by the failings.
Patches for the vulnerabilities are at the moment being developed and are anticipated to be launched within the coming days. Till then, it is advisable to disable and take away the cups-browsed service if it isn’t needed, and block or limit visitors to UDP port 631.
“It seems just like the embargoed Linux unauth RCE vulnerabilities which were touted as doomsday for Linux methods, could solely have an effect on a subset of methods,” Benjamin Harris, CEO of WatchTowr, mentioned in an announcement shared with The Hacker Information.
“Given this, whereas the vulnerabilities when it comes to technical influence are critical, it’s considerably much less seemingly that desktop machines/workstations operating CUPS are uncovered to the Web in the identical method or numbers that typical server editions of Linux can be.”
Satnam Narang, senior workers analysis engineer at Tenable, mentioned these vulnerabilities should not at a stage of a Log4Shell or Heartbleed.
“The fact is that throughout a wide range of software program, be it open or closed supply, there are a numerous variety of vulnerabilities which have but to be found and disclosed,” Narang mentioned. “Safety analysis is important to this course of and we will and will demand higher of software program distributors.”
“For organizations which can be honing in on these newest vulnerabilities, it is vital to focus on that the failings which can be most impactful and regarding are the identified vulnerabilities that proceed to be exploited by superior persistent risk teams with ties to nation states, in addition to ransomware associates which can be pilfering firms for hundreds of thousands of {dollars} every year.”