

Ethical Hacking News

Critical Linux CUPS Printing System Flaws Leave Systems Vulnerable to Remote Command Execution


Four critical vulnerabilities have been discovered in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems that could permit remote command execution under certain conditions. Learn more about the discovery and how you can protect your organization from these potential threats.


  • A new set of security vulnerabilities has been disclosed in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems.
  • Four distinct flaws were identified, which malicious actors could exploit to achieve remote command execution under certain conditions.
  • The vulnerabilities affect several components of the CUPS system: cups-browsed, libcupsfilters, libppd, and cups-filters.
  • The consequences of these vulnerabilities are severe, potentially allowing attackers to steal sensitive data or damage critical production systems.
  • Red Hat has issued an advisory stating that all versions of its operating system are affected by the four flaws, but notes they are not vulnerable in their default configuration.
  • Patches for the vulnerabilities are currently being developed and expected to be released soon.
  • Experts recommend disabling and removing the cups-browsed service, blocking or restricting traffic to UDP port 631, and staying informed about emerging vulnerabilities to mitigate risks.



    A new set of security vulnerabilities has been disclosed in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems that could permit remote command execution under certain conditions. This discovery comes as a result of an investigation by a trusted cybersecurity news platform, which identified four distinct flaws in the CUPS system that could be exploited by malicious actors.

    The first vulnerability, CVE-2024-47176, affects the cups-browsed service, which is a component of the CUPS printing system. This service binds to UDP port 631 on INADDR_ANY, trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL. This allows a remote attacker to silently replace existing printers or install new ones with malicious URLs, resulting in arbitrary command execution on the affected computer when a print job is initiated.

    The second vulnerability, CVE-2024-47076, affects libcupsfilters, another component of the CUPS system. The cfGetPrinterAttributes5 function does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system. This could potentially be used by a malicious actor to inject arbitrary commands into the system.

    The third vulnerability, CVE-2024-47175, affects libppd, which is responsible for creating PPD files. The ppdCreatePPDFromIPP2 function does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing an attacker to inject malicious data into the resulting PPD.

    The fourth vulnerability, CVE-2024-47177, affects cups-filters, which is responsible for filtering print jobs. The foomatic-rip component allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter. This could potentially be used by a malicious actor to execute arbitrary commands on the affected system.

    The consequences of these vulnerabilities are severe, as they could be combined to create an exploit chain that allows an attacker to create a malicious, fake printing device on a network-exposed Linux system running CUPS. Once this is done, the attacker can trigger remote code execution upon sending a print job, which could result in theft of sensitive data or damage to critical production systems.

    The vulnerabilities were identified by security researcher Simone Margaritelli, who noted that the issue arises from improper handling of 'New Printer Available' announcements in the cups-browsed component and poor validation by the 'cups' service of information provided by a malicious printing resource. The security researcher also pointed out that the vulnerability stems from inadequate validation of network data, allowing attackers to install a malicious printer driver on the affected system and then send a print job to that driver, triggering execution of the malicious code.

    Red Hat has issued an advisory stating that all versions of its operating system are affected by the four flaws. However, the company notes that they are not vulnerable in their default configuration, and it has tagged the issues as Important in severity.

    Cybersecurity firm Rapid7 pointed out that affected systems are exploitable only if UDP port 631 is accessible and the vulnerable service is listening. The firm also noted that patches for the vulnerabilities are currently being developed and are expected to be released in the coming days.

    To mitigate these vulnerabilities, experts recommend disabling and removing the cups-browsed service if it is not necessary, and blocking or restricting traffic to UDP port 631.
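    The two exposure conditions above (cups-browsed listening, UDP port 631 reachable) can be checked per host. The script below is an added example, not from the article or any vendor advisory; the function names and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -H -uln` output (not taken from a real host).
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
UNCONN 0 0 [::1]:631 [::]:*
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*'

# Read `ss -H -uln` lines on stdin and report every UDP/631 socket.
# Exit status is 1 if any socket is bound to a wildcard address
# (the INADDR_ANY binding described for cups-browsed), otherwise 0.
classify_udp631() {
    awk '
    {
        # Columns: State Recv-Q Send-Q Local:Port Peer:Port
        local_ep = $4
        n = split(local_ep, parts, ":")
        port = parts[n]
        if (port != "631") next
        addr = substr(local_ep, 1, length(local_ep) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") {
            print "EXPOSED " local_ep
            bad = 1
        } else {
            print "local-only " local_ep
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Live check on this host: service state plus socket exposure.
audit_host() {
    printf 'cups-browsed: %s\n' \
        "$(systemctl is-active cups-browsed 2>/dev/null || true)"
    ss -H -uln | classify_udp631
}

# Mitigation named in the article, run as root on a flagged host:
#   systemctl disable --now cups-browsed
#   iptables -A INPUT -p udp --dport 631 -j DROP   # or nftables/firewalld equivalent

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | classify_udp631 \
    || echo "=> restrict UDP 631 or stop cups-browsed"
```

    A wildcard binding only shows that the socket accepts packets on every interface; whether it is reachable from outside still depends on the host and network firewall.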

    "It looks like the embargoed Linux unauth RCE vulnerabilities that have been touted as doomsday for Linux systems, may only affect a subset of systems," said Benjamin Harris, CEO of WatchTowr. "Given this, while the vulnerabilities in terms of technical impact are serious, it is significantly less likely that desktop machines/workstations running CUPS are exposed to the Internet in the same manner or numbers that typical server editions of Linux would be."

    Satnam Narang, senior staff research engineer at Tenable, also weighed in on the matter. "These vulnerabilities are not at a level of a Log4Shell or Heartbleed," he said. "However, security research is vital to this process and we can and should demand better of software vendors. For organizations that are honing in on these latest vulnerabilities, it's essential to highlight that the flaws that are most impactful and concerning are the known vulnerabilities that continue to be exploited by advanced persistent threat groups with ties to nation-states, as well as ransomware affiliates that are pilfering corporations for millions of dollars each year."

    In light of this new vulnerability discovery, cybersecurity professionals and organizations must remain vigilant in their efforts to secure their Linux-based systems. By staying informed about emerging vulnerabilities and taking proactive measures to mitigate risks, individuals can help protect themselves against the potential threats posed by these newly disclosed CUPS vulnerabilities.



    Related Information:

  • https://thehackernews.com/2024/09/critical-linux-cups-printing-system.html

  • https://www.theregister.com/2024/09/26/cups_linux_rce_disclosed/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-47176

  • https://www.cvedetails.com/cve/CVE-2024-47176/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-47076

  • https://www.cvedetails.com/cve/CVE-2024-47076/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-47175

  • https://www.cvedetails.com/cve/CVE-2024-47175/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-47177

  • https://www.cvedetails.com/cve/CVE-2024-47177/



  • Published: Fri Sep 27 22:22:19 2024 by llama3.2 3B Q4_K_M













         

