A newly disclosed set of vulnerabilities in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems can lead to remote command execution when certain conditions are met.
“An unauthenticated adversary from a remote location can covertly substitute the existing printers’ IPP URLs (or install new ones), redirecting them to malicious destinations. This maneuver enables arbitrary command execution upon initiation of a print job from the targeted machine,” said security researcher Simone Margaritelli.
CUPS, the open-source printing system used by many Linux and Unix-like systems, ships with distributions including ArchLinux, Debian, Fedora, Red Hat Enterprise Linux (RHEL), ChromeOS, FreeBSD, NetBSD, OpenBSD, openSUSE, and SUSE Linux.
The disclosed vulnerabilities include:
- CVE-2024-47176 – cups-browsed ≤ 2.0.1 binds to UDP INADDR_ANY:631, allowing any packet from any origin to trigger a Get-Printer-Attributes IPP request directed toward an attacker-controlled URL.
- CVE-2024-47076 – libcupsfilters ≤ 2.1b1 cfGetPrinterAttributes5 lacks sufficient validation and sanitation of IPP attributes returned by an IPP server, inadvertently exposing CUPS to attacker-provided data.
- CVE-2024-47175 – libppd ≤ 2.1b1 ppdCreatePPDFromIPP2 fails to properly validate or sanitize IPP attributes when drafting a temporary PPD file, permitting attacker-controlled data to be injected into the PPD.
- CVE-2024-47177 – cups-filters ≤ 2.0.1 foomatic-rip can execute arbitrary commands via the FoomaticRIPCommandLine PPD parameter.
Chained together, these flaws let an attacker register a fake printer on a Linux host that is reachable over the network. Nothing runs at registration time; the attacker's command executes when a user later sends a print job to that printer.
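The third link in the chain, attacker-controlled IPP attributes landing unsanitized in a generated PPD, is the step most easily shown in code. The following is an added example written for this page in Python; it is not code from OpenPrinting, from the researcher's write-up, or from any vendor advisory. It uses a stand-in function, build_ppd(), that copies the printer-make-and-model attribute into PPD keywords the way a vulnerable generator would, feeds it a constructed value that injects a *FoomaticRIPCommandLine keyword via embedded newlines, and contrasts that with a hardened sanitize_ppd_value() that strips or rejects control characters and quotes. A small triage helper, find_suspicious_keywords(), then scans PPD text for keywords that would make a print job execute a command. All function names, the sample attribute values, and the PPD lines here are the example's own assumptions; the PPD a real libppd build emits is longer and differs in detail.

```python
import glob
import os
import re

# Constructed sample inputs (not captured from a real printer). A printer's IPP
# server returns its attributes in a Get-Printer-Attributes response;
# printer-make-and-model is one of the string attributes copied into the PPD.
BENIGN_ATTRS = {"printer-make-and-model": "Generic PostScript Printer"}
MALICIOUS_ATTRS = {
    "printer-make-and-model": (
        'Generic PostScript Printer"\n'                 # closes the legitimate value early
        '*FoomaticRIPCommandLine: "id > /tmp/pwned"\n'  # injected keyword: a shell command
        '*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"\n'
        '*NickName: "x'                                 # re-opens a quote so the last line balances
    ),
}

# One PPD keyword line: *Keyword[ option[/translation]]: value   (value may be quoted).
# Multi-line quoted values are not handled; this is a triage parser, not a full PPD reader.
PPD_KEYWORD = re.compile(r'^\*([A-Za-z0-9_-]+)(?:\s+[^:]*)?:\s*(.*)$')
FOOMATIC_FILTER = re.compile(r"\bfoomatic-rip\b")


def _illegal_in_ppd_value(c):
    # A control character would start a new keyword line; a double quote would end the value.
    return ord(c) < 0x20 or ord(c) == 0x7F or c == '"'


def sanitize_ppd_value(value, strict=False):
    """Hardened handling of an IPP string destined for a quoted PPD value.

    strict=True refuses the attribute (and so the printer) instead of repairing it,
    which is the safer policy when the IPP server is not trusted.
    """
    if strict and any(_illegal_in_ppd_value(c) for c in value):
        raise ValueError("IPP attribute contains characters illegal in a PPD value")
    return "".join(c for c in value if not _illegal_in_ppd_value(c))


def build_ppd(attrs, sanitize):
    """Stand-in for the PPD-from-IPP step (hypothetical, not libppd's code).

    sanitize=False reproduces the vulnerable pattern: the attribute value is
    copied verbatim between the quotes of a PPD keyword.
    """
    model = attrs["printer-make-and-model"]
    if sanitize:
        model = sanitize_ppd_value(model)
    lines = [
        '*PPD-Adobe: "4.3"',
        '*ModelName: "%s"' % model,
        '*NickName: "%s"' % model,
        "*DefaultPageSize: A4",
    ]
    return "\n".join(lines) + "\n"


def parse_ppd_keywords(ppd_text):
    """Return {keyword: [values...]} for every keyword line, quotes removed."""
    found = {}
    for line in ppd_text.splitlines():
        m = PPD_KEYWORD.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        found.setdefault(key, []).append(raw)
    return found


def find_suspicious_keywords(ppd_text):
    """Triage: list (keyword, value) pairs that make a print job run a command.

    *FoomaticRIPCommandLine is legitimate in hand-written Foomatic PPDs, so a hit
    is a lead to check against the printer's provenance, not a verdict on its own.
    """
    hits = []
    for key, values in parse_ppd_keywords(ppd_text).items():
        for value in values:
            if key == "FoomaticRIPCommandLine":
                hits.append((key, value))
            elif key in ("cupsFilter", "cupsFilter2") and FOOMATIC_FILTER.search(value):
                hits.append((key, value))
    return hits


def scan_ppd_directory(directory="/etc/cups/ppd"):
    """Triage every *.ppd under `directory`; returns {path: hits} for files with hits."""
    results = {}
    for path in glob.glob(os.path.join(directory, "*.ppd")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_suspicious_keywords(fh.read())
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    for label, attrs in (("benign", BENIGN_ATTRS), ("malicious", MALICIOUS_ATTRS)):
        for sanitize in (False, True):
            hits = find_suspicious_keywords(build_ppd(attrs, sanitize))
            print(f"{label:9} sanitize={str(sanitize):5} suspicious keywords: {hits}")
    for path, hits in scan_ppd_directory().items():
        print(path, hits)
```

Run unsanitized, the malicious attribute produces a PPD with two *FoomaticRIPCommandLine lines and two *cupsFilter2 lines pointing at foomatic-rip, which is exactly what the triage scan reports; after sanitizing, the same input collapses into one long but harmless *ModelName value and the scan reports nothing. scan_ppd_directory() reads the PPDs CUPS keeps on disk at the usual path, so an incident responder can run the same check against a host suspected of having accepted a rogue printer.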
“The flaw is rooted in the mishandling of ‘New Printer Available’ notifications by the ‘cups-browsed’ module, compounded by insufficient validation by the CUPS system regarding the data provided by a compromised printing device,” noted network security firm Ontinue.
“This vulnerability emerges from inadequate validation of network inputs, allowing attackers to manipulate the vulnerable system into installing a corrupted printer driver. Upon sending a print job to this driver, malicious code is executed—though only with the privileges of the lp user, not root.”
In an advisory, Red Hat confirmed that all versions of RHEL are affected by these flaws, but stressed that they are not exploitable in the default configuration. The vulnerabilities were rated “Important” in severity, while the likelihood of real-world exploitation was assessed as low given the preconditions.
“By chaining these vulnerabilities, an attacker could, in theory, achieve remote code execution, which might result in the theft of sensitive data or damage to critical production environments,” the advisory highlighted.
Cybersecurity firm Rapid7 added that a system is exploitable only if UDP port 631 is reachable by the attacker and the vulnerable cups-browsed service is listening on it. That reachability can come from the public internet or from any network segment that can route to the host.
Meanwhile, Palo Alto Networks confirmed that none of their products or cloud services include the CUPS software, meaning they are not affected by these vulnerabilities.
Patches are under development and expected soon. Until then, it is strongly recommended to disable or remove the cups-browsed service where it is not needed, and to block or restrict traffic to UDP port 631. Note that filtering port 631 at the perimeter addresses the remote path only; cups-browsed also picks up printer announcements on the local network via mDNS/DNS-SD, so disabling the service is the more reliable mitigation.
“It appears that the much-feared unauthenticated RCE vulnerabilities in Linux may only impact a limited subset of systems,” commented Benjamin Harris, CEO of WatchTowr, in a statement shared with The Hacker News.
“While the technical impact of these flaws is indeed serious, it is considerably less likely that desktop workstations running CUPS would be exposed to the internet in the same manner, or to the same extent, as Linux server systems.”
Satnam Narang, a senior research engineer at Tenable, offered additional insight, noting that these vulnerabilities do not rise to the level of notorious threats like Log4Shell or Heartbleed.
“The truth is, across both open-source and closed-source software, countless vulnerabilities remain undiscovered or undisclosed. Security research is key to this process, and it’s essential that we continue holding software vendors to higher standards,” said Narang.
“For organizations focusing on these newly exposed flaws, it’s crucial to emphasize that the most dangerous vulnerabilities are the well-known ones. These continue to be exploited by advanced persistent threat groups, often linked to nation-states, as well as ransomware operators who are extorting millions from corporations annually.”