Remote Code Execution Vulnerabilities Discovered in CUPS Affecting UNIX Systems

On September 26, 2024, a detailed disclosure outlined critical vulnerabilities in the Common UNIX Printing System (CUPS) that enable remote code execution (RCE) on UNIX systems, including various GNU/Linux distributions.

[Header image: generated by OpenAI's DALL-E, September 2024]

Introduction

On September 26, 2024, a detailed disclosure outlined critical vulnerabilities in the Common UNIX Printing System (CUPS) that enable remote code execution (RCE) on UNIX systems, including various GNU/Linux distributions. The disclosure, covering multiple CVEs, highlights the severity of these vulnerabilities and their widespread impact across public and private networks. This write-up explores the technical details, impact, and remediation of these vulnerabilities, offering insight into a major security concern for UNIX-based systems.

Report Overview

CUPS is a widely used printing system for UNIX-like operating systems that allows a computer to act as a print server. It uses the Internet Printing Protocol (IPP) for printing services, making it a crucial component for many devices. The vulnerabilities disclosed by the researcher revolve around the cups-browsed service, which manages printer discovery and configuration via UDP port 631.

Two key vulnerabilities (CVE-2024-47176 and CVE-2024-47076) were identified in the cups-browsed and libcupsfilters packages. These vulnerabilities allow an attacker to inject malicious printer attributes that trigger RCE when a print job is initiated. A third flaw (CVE-2024-47175) enables an attacker to manipulate temporary PPD (PostScript Printer Description) files, further escalating the severity of the attack.

Technical Details

The root of the issue lies in the fact that cups-browsed listens on UDP port 631 without any authentication. An attacker can send a specially crafted UDP packet to any UNIX-based machine running this service, which will silently add a printer with a malicious IPP URL. Once the printer is added, initiating a print job triggers arbitrary command execution on the target system.

The following CVEs were identified:

  • CVE-2024-47176: cups-browsed <= 2.0.1 listens on UDP port 631 and allows attackers to send malicious IPP requests from any source.
  • CVE-2024-47076: libcupsfilters <= 2.1b1 does not properly sanitize IPP attributes, passing attacker-controlled data into the CUPS system.
  • CVE-2024-47175: libppd <= 2.1b1 writes unvalidated IPP attributes into PPD files, leading to command injection via the FoomaticRIPCommandLine parameter.

The exploitation process is relatively straightforward. An attacker sends a crafted UDP packet that causes the target system to fetch printer attributes from a malicious server. These attributes include unescaped text fields that get written to a temporary PPD file. The PPD file includes directives, such as FoomaticRIPCommandLine, that allow arbitrary command execution when a print job is initiated.
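As an added, defender-side example (not part of the original write-up or the researcher's material), the following script triages the PPD injection path described above. It pairs each queue's DeviceURI from printers.conf with that queue's PPD and flags queues that point at a remote ipp:// or ipps:// printer yet carry a *FoomaticRIPCommandLine directive. Queues that cups-browsed generates for discovered IPP printers are driverless and have no reason to invoke foomatic-rip, so that pairing deserves a manual review. The function names, the demo directory and the sample printers.conf and PPD files are constructed for this example; on a real host the inputs would be /etc/cups/printers.conf and /etc/cups/ppd/<queue>.ppd (assumed paths).

```shell
#!/bin/sh
# Added example, not part of the original write-up: a defender-side triage
# check for the PPD injection path. It pairs each queue's DeviceURI from
# printers.conf with its PPD and flags remote ipp(s):// queues that carry a
# *FoomaticRIPCommandLine directive. Sample files below are constructed;
# real inputs are /etc/cups/printers.conf and /etc/cups/ppd/<queue>.ppd.

# queue_device_uri PRINTERS_CONF QUEUE -> DeviceURI of QUEUE (empty if not found)
queue_device_uri() {
    awk -v q="$2" '
        /^<(Default)?Printer / { name = $2; sub(/>$/, "", name); inq = (name == q) }
        inq && $1 == "DeviceURI" { print $2; exit }
    ' "$1"
}

# ppd_has_foomatic_cmdline PPD -> 0 if the PPD contains a *FoomaticRIPCommandLine line
ppd_has_foomatic_cmdline() {
    grep -q '^\*FoomaticRIPCommandLine' "$1"
}

# flag_queue PRINTERS_CONF PPD_DIR QUEUE -> prints "SUSPECT <queue> <uri>" and
# returns 0 for a remote IPP queue with a foomatic command line, 1 otherwise
flag_queue() {
    conf="$1"; ppddir="$2"; queue="$3"
    uri=$(queue_device_uri "$conf" "$queue")
    case "$uri" in
        ipp://*|ipps://*) ;;
        *) return 1 ;;
    esac
    [ -f "$ppddir/$queue.ppd" ] || return 1
    ppd_has_foomatic_cmdline "$ppddir/$queue.ppd" || return 1
    echo "SUSPECT $queue $uri"
}

# audit_queues PRINTERS_CONF PPD_DIR -> runs flag_queue over every queue in the
# file; returns 0 when nothing was flagged, 1 otherwise
audit_queues() {
    flagged=0
    for q in $(awk '/^<(Default)?Printer / { n = $2; sub(/>$/, "", n); print n }' "$1"); do
        flag_queue "$1" "$2" "$q" && flagged=1
    done
    [ "$flagged" -eq 0 ]
}

# --- constructed sample data so the script runs stand-alone ---
demo=$(mktemp -d)
mkdir "$demo/ppd"
cat > "$demo/printers.conf" <<'EOF'
<Printer Office_Laser>
DeviceURI ipp://192.0.2.10:631/ipp/print
State Idle
</Printer>
<Printer USB_Inkjet>
DeviceURI usb://Vendor/Model?serial=CONSTRUCTED
State Idle
</Printer>
EOF
# a network queue that should be driverless but unexpectedly carries a foomatic command line
cat > "$demo/ppd/Office_Laser.ppd" <<'EOF'
*PPD-Adobe: "4.3"
*cupsFilter2: "application/vnd.cups-pdf application/pdf 0 foomatic-rip"
*FoomaticRIPCommandLine: "CONSTRUCTED_PLACEHOLDER"
EOF
# a local USB queue using foomatic-rip legitimately: not flagged
cat > "$demo/ppd/USB_Inkjet.ppd" <<'EOF'
*PPD-Adobe: "4.3"
*cupsFilter2: "application/vnd.cups-pdf application/pdf 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -sDEVICE=ijs -sOutputFile=- -"
EOF

audit_queues "$demo/printers.conf" "$demo/ppd" || echo "review the SUSPECT queues listed above"
```

This is a triage heuristic, not proof of compromise: a manually configured network printer driven by a foomatic driver over ipp:// will also be flagged, and the point is to get such queues in front of a human who can confirm where the PPD came from. The suspect PPD is also the artifact to preserve, together with the cups-browsed and cupsd logs, before the queue is removed.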

Impact Assessment

The potential consequences of these vulnerabilities are severe. A remote attacker can gain full control of a UNIX-based system without authentication. By sending a single UDP packet, they can install a rogue printer that executes arbitrary commands on the system when any print job is started. The attack is especially concerning for devices directly exposed to the public internet, but it can also be exploited locally via spoofed DNS or mDNS advertisements.

The researcher reported discovering hundreds of thousands of affected devices by scanning the public internet, emphasizing the wide reach of these vulnerabilities. Given that CUPS is packaged for most UNIX systems and enabled by default on some, the risk is substantial, potentially impacting Linux distributions, BSD systems, and even some Solaris and ChromeOS devices.

Insights and Analysis

The disclosure process highlighted significant challenges in coordinating with developers and CERT teams. Despite multiple reports, the researcher faced resistance and delays in patching these vulnerabilities. It took weeks for the issues to be acknowledged, with fixes only starting after public exposure via social media.

The vulnerabilities have been assigned a CVSS score of 9.9 due to their ease of exploitation and the critical nature of the affected systems. However, full remediation and mitigation may take time as the scope of the vulnerabilities is still being assessed across various UNIX-based platforms.

To mitigate these vulnerabilities, administrators should take the following steps:

  1. Disable cups-browsed: If the service is not required, it should be disabled and removed from the system.
  2. Update CUPS packages: Ensure all systems are running the latest version of CUPS, with the appropriate patches applied.
  3. Block UDP Port 631: If updating the system is not immediately possible, block all traffic to UDP port 631, especially from untrusted networks.
  4. Disable mDNS/zeroconf: If your system relies on zeroconf for device discovery, consider alternative methods or disable it altogether to prevent local network spoofing attacks.
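As an added example (not part of the original write-up), the script below turns the four steps above into a report-only audit. The configuration check is a function over a file so that it can be exercised on constructed samples; the live checks (service state, a UDP/631 listener, the mDNS daemon) run only when the script is invoked with --live. The paths, unit names, the nft rule and the demo files are assumptions made for this example. Setting "BrowseRemoteProtocols none" in cups-browsed.conf stops cups-browsed from accepting remote browse packets on UDP 631.

```shell
#!/bin/sh
# Added example, not part of the original write-up: a report-only audit of the
# cups-browsed mitigations. Paths, unit names and demo files are assumptions.

# browsed_conf_hardened FILE -> 0 when the effective BrowseRemoteProtocols
# directive is "none" (comments ignored, last occurrence wins), 1 otherwise,
# including when the directive is absent (the default allows dnssd and cups)
browsed_conf_hardened() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "BrowseRemoteProtocols" {
            val = tolower($2)
            for (i = 3; i <= NF; i++) val = val " " tolower($i)
        }
        END { if (val == "none") exit 0; exit 1 }
    ' "$1"
}

# live_audit -> prints findings for this host; returns 1 if anything needs action
live_audit() {
    rc=0
    if systemctl is-enabled --quiet cups-browsed 2>/dev/null; then
        echo "WARN cups-browsed is enabled; if not needed: systemctl disable --now cups-browsed"
        rc=1
    fi
    if [ -f /etc/cups/cups-browsed.conf ] && ! browsed_conf_hardened /etc/cups/cups-browsed.conf; then
        echo "WARN /etc/cups/cups-browsed.conf does not set 'BrowseRemoteProtocols none'"
        rc=1
    fi
    if ss -uln 2>/dev/null | grep -q ':631[[:space:]]'; then
        echo "WARN a UDP/631 listener is present; until patched, drop it at the host firewall, e.g."
        echo "     nft add rule inet filter input udp dport 631 drop   # assumes an inet filter table with an input chain"
        rc=1
    fi
    if systemctl is-active --quiet avahi-daemon 2>/dev/null; then
        echo "INFO avahi-daemon (mDNS/zeroconf) is active; weigh disabling it if discovery is not needed"
    fi
    return "$rc"
}

# --- constructed sample configurations so the script runs stand-alone ---
demo=$(mktemp -d)
# weak: the default-style setting that keeps the UDP 631 browse listener
printf 'BrowseRemoteProtocols dnssd cups\n' > "$demo/weak.conf"
# only a commented-out directive: still the default, so still weak
printf '# BrowseRemoteProtocols none\n' > "$demo/commented.conf"
# hardened: an earlier value is overridden by a later "none"
printf 'BrowseRemoteProtocols dnssd cups\nBrowseRemoteProtocols none\n' > "$demo/hardened.conf"

for f in weak commented hardened; do
    if browsed_conf_hardened "$demo/$f.conf"; then
        echo "$f.conf: hardened"
    else
        echo "$f.conf: NOT hardened"
    fi
done

if [ "${1:-}" = "--live" ]; then
    live_audit
fi
```

The configuration check is deliberately strict: a commented-out directive or a later directive that re-enables browsing both count as not hardened, because cups-browsed reads the effective value, not the intention. Run with --live on a host to get the findings for that machine; the script only reports and prints the suggested commands, it does not change anything.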

These vulnerabilities highlight the importance of continuous monitoring and patching, especially for widely used open-source software like CUPS. With the increasing prevalence of RCE attacks, staying ahead of potential exploits is crucial for maintaining secure environments.

Indicators of Compromise (IOCs)

Indicator | Type | Description
No specific Indicators of Compromise (IOCs) were provided in the source material.

MITRE ATT&CK Mapping

Tactic | Technique | ID | Description
Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 | The attack involves arbitrary command execution on UNIX systems via print jobs.
Persistence | Service Execution | T1569.002 | The attacker leverages printer services to maintain access and execute commands.
Initial Access | Exploit Public-Facing Application | T1190 | The attacker sends malicious packets to public-facing systems over UDP 631.
Lateral Movement | Exploitation of Remote Services | T1210 | Exploitation of remote printer services, leveraging the cups-browsed service.

References

Attacking UNIX Systems via CUPS, Part I