Critical CUPS Vulnerabilities: How to Protect Your Linux Systems Until Patches Arrive
Critical CUPS vulnerabilities in Linux systems allow remote attacks via printer services. Discover risks and mitigation strategies.
The Common Unix Printing System (CUPS) is an open-source printing system that supports various operating systems such as Linux, Unix-like systems (e.g., FreeBSD, OpenBSD, NetBSD), Google ChromeOS, and Oracle Solaris. Recently, researcher Simone Margaritelli disclosed vulnerabilities that pose significant risks to CUPS systems.
These vulnerabilities, tracked as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177, can be chained into remote code execution (RCE) if exploited under specific conditions.
Breakdown of the CUPS Vulnerabilities
CVE-2024-47076: This vulnerability in libcupsfilters allows attackers to send malicious data to CUPS by exploiting improperly sanitized IPP (Internet Printing Protocol) packets.
Severity: 8.6/10
CVE-2024-47175: Found in libppd, this vulnerability occurs when IPP attributes are not validated before being written to a PostScript Printer Description (PPD) file, allowing data injection.
Severity: 8.6/10
CVE-2024-47176: In cups-browsed, which manages network printer discovery, UDP port 631 is left open and any packet from any source is trusted. This lets an attacker make the host fetch printer attributes from an attacker-controlled URL.
Severity: 8.4/10
CVE-2024-47177: In cups-filters, an attacker can execute arbitrary commands via the FoomaticRIPCommandLine parameter in PPD files.
Severity: 9.1/10
How the Attack Works
The attack begins with an exposed cups-browsed service listening on UDP port 631. The attacker sends a crafted packet, which causes the system to retrieve malicious printer attributes from an attacker-controlled URL. These attributes are written to a PPD file, and when a print job is started, the attacker's commands are executed.
This type of attack requires user interaction to trigger the print job, so the vulnerability, while serious, is not considered "catastrophic" like Log4Shell. However, it can impact vulnerable systems, especially in environments where printing services are frequently used.
Temporary Fixes Until Patches Are Released
To protect your systems until official patches are available, consider these steps:
Disable the cups-browsed service:
Run these commands to stop and disable the service:
sudo systemctl stop cups-browsed
sudo systemctl disable --now cups-browsed
This prevents the automatic discovery and addition of network printers, mitigating the vulnerability.
Block UDP port 631:
Ensure that UDP port 631 is blocked using firewall rules. This will stop external attackers from accessing the CUPS service via the network.
Consider removing CUPS if your system does not require printing functionality, especially on server systems where CUPS may not be necessary.
Update CUPS: Regularly check for updates from your Linux distribution, such as Red Hat or Ubuntu, and apply patches as soon as they are released.
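The steps above can be turned into a repeatable exposure check. The script below is an added example, not code from the original article or from the CUPS project: it decides whether a host meets the attack's precondition (cups-browsed active and something bound on UDP 631) and prints the mitigation commands from the article. The `ss -lun` and `systemctl is-active` outputs embedded in it are constructed samples; set CUPS_CHECK_LIVE=1 to run it against the host's own commands instead. The iptables rule is one way to block the port; ufw or nftables users would substitute their own syntax.

```shell
#!/bin/sh
# Added example, not code from the original article: a small exposure check for the
# cups-browsed issue. Each function takes command output as an argument, so it can be
# run against captured output; the samples below are constructed. Set
# CUPS_CHECK_LIVE=1 to run it against the host's own `ss` and `systemctl`.

# Constructed sample of `ss -lun` output from a host where cups-browsed is bound to UDP 631.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*
UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*'

# Constructed sample of `systemctl is-active cups-browsed` output.
SAMPLE_STATE='active'

# udp631_listening SS_OUTPUT -> exit 0 if an unconnected UDP socket is bound on port 631
# (field 4 is local address:port in `ss -lun` data rows; matches 0.0.0.0, * and [::] binds)
udp631_listening() {
    printf '%s\n' "$1" | awk '$1 == "UNCONN" && $4 ~ /:631$/ { found = 1 }
                              END { exit found ? 0 : 1 }'
}

# service_active STATE -> exit 0 if systemctl reported the unit as active
service_active() {
    [ "$1" = "active" ]
}

# exposure_level SS_OUTPUT STATE -> prints exposed | listening | clean
#   exposed   : cups-browsed is active and UDP 631 is bound (the attack's precondition)
#   listening : something is bound on UDP 631 but cups-browsed reports inactive (check what)
#   clean     : nothing bound on UDP 631
exposure_level() {
    if service_active "$2" && udp631_listening "$1"; then
        echo exposed
    elif udp631_listening "$1"; then
        echo listening
    else
        echo clean
    fi
}

# mitigation_commands -> prints the article's mitigations as commands to review and run.
# The firewall line uses iptables syntax; use `ufw deny 631/udp` or an nftables rule
# on hosts that manage the firewall through those front ends.
mitigation_commands() {
    cat <<'EOF'
sudo systemctl disable --now cups-browsed
sudo iptables -A INPUT -p udp --dport 631 -j DROP
EOF
}

if [ "${CUPS_CHECK_LIVE:-0}" = "1" ]; then
    ss_out=$(ss -lun 2>/dev/null)
    state=$(systemctl is-active cups-browsed 2>/dev/null)
else
    ss_out=$SAMPLE_SS
    state=$SAMPLE_STATE
fi

level=$(exposure_level "$ss_out" "$state")
echo "cups-browsed exposure: $level"
if [ "$level" != "clean" ]; then
    echo "suggested mitigations:"
    mitigation_commands
fi
```

Run it on the constructed sample and it reports "exposed" followed by the two mitigation commands; on a host where cups-browsed has been disabled and nothing else is bound to UDP 631 it reports "clean". The "listening" result is worth a second look, since another process (or a cups-browsed started outside systemd) may still be accepting packets on the port.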
How the cups-browsed Daemon Contributes to the Vulnerability
The cups-browsed daemon plays a central role in network printer discovery. It listens on UDP port 631 and, if enabled, trusts packets from any source, so malicious data can be sent to the system. This unchecked trust allows attackers to silently replace existing printers with attacker-controlled URLs, leading to potential command execution once a print job is initiated.
Risks of Exposing UDP Port 631
Leaving UDP port 631 open to the public internet is highly risky. An attacker could send malicious packets to this port, triggering the vulnerabilities within cups-browsed. If this service is enabled and accessible, the attacker can introduce a fake printer to your network, which could lead to remote code execution (RCE) when someone prints to it.
Are Some Linux Distributions More Affected?
These vulnerabilities affect most Linux distributions, including Red Hat, Ubuntu, Arch Linux, and others. Some systems, particularly desktop distributions, may have cups-browsed enabled by default, making them more vulnerable. Server systems, however, typically do not have CUPS enabled unless it is manually installed, reducing the risk.
Conclusion
The CUPS vulnerabilities present a critical risk, especially for systems where printing is frequently used. Though patches are not yet available, immediate mitigation can be achieved by disabling cups-browsed, blocking UDP port 631, and applying updates as soon as they are released. Stay vigilant and assess your systems' exposure to ensure they are protected.
This vulnerability might not be as severe as initial reports suggested, but taking action to prevent exploitation is still important. Keep an eye on updates from your distribution providers and implement the recommended mitigations promptly.