A brand new set of security vulnerabilities has been disclosed within the OpenPrinting Frequent Unix Printing System (CUPS) on Linux methods that would allow distant command execution below sure circumstances.
“A distant unauthenticated attacker can silently exchange current printers’ (or set up new ones) IPP urls with a malicious one, leading to arbitrary command execution (on the pc) when a print job is began (from that laptop),” security researcher Simone Margaritelli stated.
CUPS is a standards-based, open-source printing system for Linux and different Unix-like working methods, together with ArchLinux, Debian, Fedora, Purple Hat Enterprise Linux (RHEL), ChromeOS, FreeBSD, NetBSD, OpenBSD, openSUSE, and SUSE Linux.
The record of vulnerabilities is as follows –
- CVE-2024-47176 – cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any supply to set off a Get-Printer-Attributes IPP request to an attacker-controlled URL
- CVE-2024-47076 – libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 doesn’t validate or sanitize the IPP attributes returned from an IPP server, offering attacker-controlled information to the remainder of the CUPS system
- CVE-2024-47175 – libppd <= 2.1b1 ppdCreatePPDFromIPP2 doesn’t validate or sanitize the IPP attributes when writing them to a short lived PPD file, permitting the injection of attacker-controlled information within the ensuing PPD
- CVE-2024-47177 – cups-filters <= 2.0.1 foomatic-rip permits arbitrary command execution through the FoomaticRIPCommandLine PPD parameter
A internet consequence of those shortcomings is that they may very well be customary into an exploit chain that enables an attacker to create a malicious, pretend printing machine on a network-exposed Linux system working CUPS and set off distant code execution upon sending a print job.
“The problem arises on account of improper dealing with of ‘New Printer Obtainable’ bulletins within the ‘cups-browsed’ part, mixed with poor validation by ‘cups’ of the data supplied by a malicious printing useful resource,” community security firm Ontinue stated.
“The vulnerability stems from insufficient validation of community information, permitting attackers to get the susceptible system to put in a malicious printer driver, after which ship a print job to that driver triggering execution of the malicious code. The malicious code is executed with the privileges of the lp consumer – not the superuser ‘root.'”
RHEL, in an advisory, stated all variations of the working system are affected by the 4 flaws, however famous that they don’t seem to be susceptible of their default configuration. It tagged the problems as Necessary in severity, provided that the real-world impression is more likely to be low.
“By chaining this group of vulnerabilities collectively, an attacker may doubtlessly obtain distant code execution which may then result in theft of delicate information and/or injury to important manufacturing methods,” it stated.
Cybersecurity agency Rapid7 identified that affected methods are exploitable, both from the general public web or throughout community segments, provided that UDP port 631 is accessible and the susceptible service is listening.
Palo Alto Networks has disclosed that none of its merchandise and cloud providers comprise the aforementioned CUPS-related software program packages, and subsequently usually are not impacted by the issues.
Patches for the vulnerabilities are at present being developed and are anticipated to be launched within the coming days. Till then, it is advisable to disable and take away the cups-browsed service if it is not crucial, and block or limit site visitors to UDP port 631.
“It seems to be just like the embargoed Linux unauth RCE vulnerabilities which have been touted as doomsday for Linux methods, could solely have an effect on a subset of methods,” Benjamin Harris, CEO of WatchTowr, stated in an announcement shared with The Hacker Information.
“Given this, whereas the vulnerabilities when it comes to technical impression are severe, it’s considerably much less probably that desktop machines/workstations working CUPS are uncovered to the Web in the identical method or numbers that typical server editions of Linux could be.”
Satnam Narang, senior employees analysis engineer at Tenable, stated these vulnerabilities usually are not at a stage of a Log4Shell or Heartbleed.
“The fact is that throughout quite a lot of software program, be it open or closed supply, there are a numerous variety of vulnerabilities which have but to be found and disclosed,” Narang stated. “Safety analysis is significant to this course of and we are able to and may demand higher of software program distributors.”
“For organizations which can be honing in on these newest vulnerabilities, it is essential to focus on that the issues which can be most impactful and regarding are the recognized vulnerabilities that proceed to be exploited by superior persistent risk teams with ties to nation states, in addition to ransomware associates which can be pilfering firms for hundreds of thousands of {dollars} every year.”
