CUPS Security Flaws
Background
On 23rd September 2024, a zero-day vulnerability was highlighted by security researcher Simone Margaritelli in the Linux CUPS printing system, which gained widespread attention due to the unofficial CVSS severity rating of 9.9 allocated to it. Following the ever-growing attention and comparisons to catastrophic global security incidents such as Heartbleed and Log4J, further details emerged on the vulnerability, and the overall risk was found to be lower than first expected. However, the impact of a successful exploit is still agreed to be significant.
What is CUPS?
To fully understand the vulnerability, it is crucial to first examine the affected system - CUPS (Common Unix Printing System). CUPS is a modular printing system for Unix-like operating systems that manages print jobs and queues, enabling a computer to function as a print server. It translates page descriptions generated by applications, such as text, lines, and layout elements, into a format that printers can interpret, serving as an intermediary to ensure accurate and efficient printing. Additionally, it supports standard-based printing protocols and facilitates network printer sharing.
Attack Details
The criticality of the exploit is associated with the fact that, if exploited, the four vulnerabilities can allow for remote code execution on the affected system. These flaws, tracked as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177, impact several components of CUPS, including libcupsfilters, libppd, and cups-browsed.
Initial Entry: Exploiting cups-browsed (CVE-2024-47176)
Although the default CUPS configuration is not inherently vulnerable due to the fact that the affected service (cups-browsed) is not enabled by default, enabling this service opens up UDP port 631, creating a potential attack vector. The cups-browsed daemon is designed to automatically detect and configure network printers by communicating with other machines, hence if exposed, attackers can exploit CVE-2024-47176 to force the addition of a malicious printer to the system, gaining a foothold.
Additionally, if an attacker gains access to the local network and the CUPS service is configured to use mDNS, they could potentially exploit the service through this protocol. However, such a configuration introduces further security risks that extend beyond this specific vulnerability.
Malicious Printer Registration and Configuration (CVE-2024-47076 & CVE-2024-47175)
Once the malicious printer is registered using the initial CVE, the libcupsfilters and libppd (PostScript Printer Description) libraries interact with it to request printer attributes and configuration files over the Internet Printing Protocol (IPP). Due to inadequate sanitization and validation, these libraries accept and process malicious attributes sent from the attacker's server, including a crafted .ppd file, which is then stored on the system. The crafted PPD file introduces configurations that the attacker can then leverage for executing unauthorised actions.
Arbitrary Command Execution Through cupsFilter2 (CVE-2024-47177)
The final stage involves leveraging the cupsFilter2 directive inside the malicious .ppd file. This directive controls which filter (executable) is run whenever a new print job is created. By injecting a specific filter command - such as foomatic-rip - which is vulnerable to arbitrary command injection, the attacker can execute arbitrary shell commands with the privileges of the cups process.
Due to this CVE essentially being the step which allows for remote code execution on the affected system, this is deemed as the critical exploit within the chain.
Exploitation Chain Summary
- Attacker connects to the cups-browsed service on UDP port 631 and coerces it to add a malicious printer (CVE-2024-47176).
- The victim’s machine retrieves unsanitised printer attributes via libcupsfilters and libppd (CVE-2024-47076 & CVE-2024-47175), storing a crafted .ppd file.
- The attacker exploits the cupsFilter2 directive in the .ppd file to execute arbitrary commands through the vulnerable foomatic-rip filter (CVE-2024-47177).
Detection and Indicators of Attack
The following should be reviewed in order to check for compromise and detect unusual activity:
- Review the status of UDP port 361:
sudo ss -lntup | grep 631
- Check the status of the 'cups-browsed' service:
sudo systemctl status cups-browsed
-
Check for the addition of unusual or unauthorised printers, which can typically be accessed via a local web browser: http://localhost:631
- Network traffic analysis to identify any unusual ingress and egress traffic on UDP port 631 which could indicate unauthorised access or data exfiltration.
Remediation and Mitigation
Note: The following commands are specific to Ubuntu-based systems using apt and systemd. For other distributions, adapt the commands accordingly.
The following efforts should be considered as protection against the vulnerabilities highlighted above:
- Disable or remove the cups-browsed service if not in use:
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
sudo apt-get remove --purge cups-browsed
- Restrict access to UDP port 631 by implementing firewall rules to mitigate exposure to the network or the internet. This can be done by using iptables or ufw:
sudo iptables -A INPUT -p udp --dport 631 -j DROP
sudo ufw deny from any to any port 631 proto udp
- Consider blocking DNS-SD and mDNS traffic if not required, to prevent against local attacks as mentioned previously.
Improve your security
Our experienced team will identify and address your most critical information security concerns.