Uncovering CUPS Vulnerabilities: How Linux Remote Code Execution Could Be Exploited—With a Twist!

DARSHIL SK

Vulnerabilities in CUPS: A Security Concern

Recent findings have revealed that under specific circumstances, attackers can exploit a series of vulnerabilities within the CUPS (Common UNIX Printing System) to execute arbitrary code on susceptible machines remotely. These vulnerabilities are identified as CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed), and CVE-2024-47177 (cups-filters). The discovery was made by Simone Margaritelli and is detailed further here. Importantly, these security issues do not impact systems operating under their default configurations.

CUPS is the predominant printing system utilized across Linux platforms and is also supported on various Unix-like operating systems such as FreeBSD, NetBSD, OpenBSD, and their derivatives.

Understanding CUPS Components

One critical component of CUPS is the cups-browsed daemon. This service scans local networks for shared or advertised printers, making them accessible for printing tasks on connected devices. This functionality mirrors how Windows and macOS systems discover network printers.

Margaritelli’s research indicates that if the cups-browsed daemon is enabled—though it typically remains disabled by default—it listens on UDP port 631. With its default settings, it accepts connections from any device on the network and allows them to create new printer entries.

The researcher demonstrated that he could craft a malicious PostScript Printer Description (PPD) file and manually advertise it to an exposed cups-browsed service listening on UDP port 631. This causes the remote machine to install the malicious printer automatically. If a user then prints to this newly created printer, any malicious commands embedded in the PPD execute locally.

The commands run at print time through the foomatic-rip filter, a tool that executes the commands needed to render print jobs correctly on a device.

[Figure: Commands added using foomatic-rip filter (Simone Margaritelli)]

Assessing Real-world Impact

Despite being classified as a chain of remote code execution vulnerabilities, it’s crucial to recognize that several barriers must be overcome for an attacker to successfully exploit these flaws and achieve remote code execution.

Firstly, targeted systems need to have cups-browsed enabled—an option rarely active in standard configurations—to expose their UDP ports over networks. Secondly, attackers must deceive users into initiating print jobs from malicious printer servers that unexpectedly appear within their local environment.

Ilkka Turunen from Sonatype explains: “This vulnerability relies heavily on spoofing a local network printer which gets automatically added through network discovery—if enabled at all—which it usually isn’t in its default state.” He further notes that while this represents an RCE risk with multiple mitigations required for exploitation—including needing access via UDP connections—the overall real-world impact appears minimal due to these constraints.

Given this limited exposure, Red Hat has assigned these vulnerabilities an “Important” severity rating rather than a Critical one.

Practical tests conducted by BleepingComputer’s team across various Linux servers showed that most did not have this service enabled; however, one Ubuntu virtual machine did have it active by default, a situation echoed by other users who reported similar findings online about the defaults of different distributions.

Mitigation Strategies Available

While official patches addressing these vulnerabilities directly are still forthcoming from the developers, Red Hat has provided interim mitigation strategies for administrators wishing to safeguard their environments against potential exploits:

To disable cups-browsed immediately:

sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed

Administrators can verify whether cups-browsed is currently operational with:

sudo systemctl status cups-browsed

If the output shows “Active: inactive (dead),” the system is not exposed through this particular vector. If it shows “running” or “enabled,” particularly where configuration files such as /etc/cups/cups-browsed.conf include directives allowing browsing protocols such as “cups,” then the setup may indeed be vulnerable.
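The two checks above (unit status and the browse-protocol directive in the configuration), plus a check for a UDP listener on port 631, as a small POSIX shell audit helper. This is an added example, not code from the article or from Red Hat: the classification functions take the text of `systemctl status`, the configuration file, and `ss -uln` output as arguments so the logic runs on constructed samples without a CUPS install, and the live wrapper at the end is what an administrator would actually run. The directive name `BrowseRemoteProtocols` is the one used in cups-browsed.conf; the article only refers to it as a directive allowing browsing protocols such as “cups”.

```shell
#!/bin/sh
# Added example: audit a host for the cups-browsed exposure described in the
# article. Pure-text classification functions first, live wrappers last.

# classify_cups_browsed STATUS_TEXT CONFIG_TEXT
# Prints one of:
#   not-exposed      unit inactive or missing (the safe "Active: inactive (dead)" case)
#   exposed-cups     unit running and BrowseRemoteProtocols includes "cups"
#   running-no-cups  unit running but the "cups" browse protocol is not enabled
classify_cups_browsed() {
    status_text=$1
    config_text=$2

    # Only a running unit listens on UDP 631; anything else is not exposed here.
    if ! printf '%s\n' "$status_text" | grep -q 'Active: active (running)'; then
        echo not-exposed
        return 0
    fi

    # Match an uncommented BrowseRemoteProtocols line whose protocol list contains
    # "cups" as a whole word; commented-out lines ("# BrowseRemoteProtocols ...") are ignored.
    if printf '%s\n' "$config_text" \
        | grep -Ei '^[[:space:]]*BrowseRemoteProtocols[[:space:]]+' \
        | grep -Eiq '(^|[[:space:]])cups([[:space:]]|$)'; then
        echo exposed-cups
    else
        echo running-no-cups
    fi
}

# udp_631_listening SS_OUTPUT
# Prints "yes" if any UDP socket in `ss -uln` output is bound to port 631, else "no".
udp_631_listening() {
    if printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])[^[:space:]]*:631([[:space:]]|$)'; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample inputs (not captured from a real host) used to exercise the functions.
SAMPLE_STATUS_INACTIVE='cups-browsed.service - Make remote CUPS printers available locally
     Loaded: loaded (/lib/systemd/system/cups-browsed.service; disabled)
     Active: inactive (dead)'
SAMPLE_STATUS_RUNNING='cups-browsed.service - Make remote CUPS printers available locally
     Loaded: loaded (/lib/systemd/system/cups-browsed.service; enabled)
     Active: active (running) since Mon 2024-09-30 10:00:00 UTC'
SAMPLE_CONF_DEFAULT='# BrowseRemoteProtocols none
BrowseRemoteProtocols dnssd cups
BrowseLocalProtocols none'
SAMPLE_CONF_DNSSD_ONLY='BrowseRemoteProtocols dnssd
BrowseLocalProtocols none'
SAMPLE_SS_LISTENING='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0            0.0.0.0:631       0.0.0.0:*
UNCONN 0      0       127.0.0.53%lo:53       0.0.0.0:*'
SAMPLE_SS_QUIET='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0       127.0.0.53%lo:53       0.0.0.0:*'

# Live checks for the current host (require systemd, iproute2 and read access to the config).
audit_cups_browsed_live() {
    status=$(systemctl status cups-browsed 2>&1 || true)
    config=$(cat /etc/cups/cups-browsed.conf 2>/dev/null || true)
    sockets=$(ss -uln 2>/dev/null || true)
    echo "cups-browsed: $(classify_cups_browsed "$status" "$config")"
    echo "udp/631 listener: $(udp_631_listening "$sockets")"
}

# The article's mitigation: stop the unit now and keep it from starting at boot (run as root).
disable_cups_browsed() {
    systemctl stop cups-browsed && systemctl disable cups-browsed
}
```

Run `audit_cups_browsed_live` on a host to get a two-line verdict; `exposed-cups` together with `udp/631 listener: yes` is the combination the article describes as vulnerable, and `disable_cups_browsed` applies Red Hat's interim mitigation.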