Linux Distros Patching Printer Hijacking Flaw
Exploitation Requires Victim to Print On Rogue PrinterAttackers can exploit a series of vulnerabilities in an open-source printing system utility to remotely execute arbitrary code on certain machines.
See Also: 5 Considerations for Effective Multi-Coud Threat Detection
A set of security flaws in the OpenPrinting Common Unix Printing System on Linux systems could allow remote command execution under specific conditions, found security researcher Simone Margaritelli.
CUPS is a widely used printing solution on Linux systems, supported on devices running Unix-like operating systems, including FreeBSD, NetBSD, OpenBSD, and their derivatives. Major Linux distributions reacted Friday by releasing patches.
"A remote unauthenticated attacker can silently replace existing printers' IPP urls with a malicious one, resulting in arbitrary command execution when a print job is started (from that computer)," said Margaritelli.
Analysis by RedHat found that successful exploitation requires a victim to attempt to print from a malicious device. The open source software developer also said all versions of Red Hat Enterprise Linux are affected by the flaws "but are not vulnerable in their default configurations."
A key component of CUPS is the cups-browsed daemon, which scans the local network for shared or advertised printers and makes them accessible. Margaritelli discovered that when the cups-browsed daemon is on, it listens on UDP port 631, permitting remote devices on the network to connect and create new printers.
Margaritelli created malicious PostScript Printer Description file and manually advertised it to an exposed cups-browsed service running. That caused the remote machine to automatically install the rogue printer and make it available for use. If a user on the vulnerable machine prints to this newly installed printer, the malicious code embedded in the PPD file would be executed locally on their computer.
The vulnerabilities are tracked as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177.
- CVE 2024-47176: The cups-browsed service, which is responsible for printer discovery, listens on UDP port 631 and trusts incoming packets from any source, without proper authentication. This creates an entry point for attackers to inject malicious Internet Printing Protocol requests.
- CVE-2024-47076: The libcupsfilters library, specifically the function cfGetPrinterAttributes5, does not properly validate or sanitize IPP attributes received from an IPP server. This lack of validation allows an attacker to control data that is passed further into the system, making it easier to exploit.
- CVE-2024-47175: The libppd library’s function ppdCreatePPDFromIPP2 does not sanitize IPP attributes when writing to a temporary PostScript Printer Description file, allowing an attacker to inject arbitrary data.
- CVE-2024-47177: The foomatic-rip filter in cups-filters allows an attacker to execute arbitrary commands by manipulating the FoomaticRIPCommandLine PPD parameter.
Satnam Narang, senior staff research engineer at Tenable said that the assigned CVSS scores for the CUPS printing system flaws, including the one that received a 9.9 CVSS score will be revised.
"From what we've gathered, these flaws are not at a level of a Log4Shell or Heartbleed. The reality is that across a variety of software, be it open or closed source, there are a countless number of vulnerabilities that have yet to be discovered and disclosed. Security research is vital to this process and we can and should demand better of software vendors," Narang said.
Users are advised to disable or remove the cups-browsed service and update the CUPS package to the latest version if possible. Blocking UDP port 631 or using additional firewall rules to prevent unsolicited network traffic is also recommended.