Several critical Linux vulnerabilities have been disclosed, involving a set of bugs in CUPS, the Common UNIX Printing System. All versions of Red Hat Enterprise Linux (RHEL) are among the Linux distributions affected, although not in their default configuration.

Four vulnerabilities have been identified and assigned the following CVEs: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177. Additional CVEs are anticipated.

The CVEs were originally reported by Simone Margaritelli, a well-known security researcher and author of numerous tools used in cyber security. He first posted about them on X on September 23, stating that they carry a CVSS score of 9.9/10, and published the full details on September 26.

Impact:

Margaritelli claimed that, three weeks earlier, he had discovered an unauthenticated Remote Code Execution (RCE) vulnerability affecting all GNU/Linux systems.

The four CVEs are in OpenPrinting CUPS, an open source printing system shipped by most modern Linux distributions that provides the tools to manage, discover and share printers. Chained together, these four vulnerabilities can give an attacker remote code execution on the host, running with the privileges of the CUPS filter user (lp on most distributions), from which they could steal sensitive data or damage critical production systems.

Red Hat has commented that, for Red Hat Enterprise Linux (RHEL), exploitation requires the following sequence of events:

  1. The cups-browsed service has been manually enabled or started
  2. An attacker has access to a vulnerable server, either
    a) with unrestricted access, such as from the public internet, or
    b) by gaining access to an internal network where local connections are trusted
  3. The attacker advertises a malicious IPP server, thereby provisioning a malicious printer
  4. A potential victim attempts to print from the malicious device
  5. The attacker executes arbitrary code on the victim’s machine

Upwind researchers would like to note that step 2 of the Red Hat scenario is really a matter of reachability. cups-browsed binds UDP port 631 on every interface (INADDR_ANY) and acts on any packet that arrives there, so the attacker does not need unrestricted access in the sense of step 2a: if UDP port 631 on the host is reachable from wherever the attacker sits, whether the public internet or a trusted internal network, the malicious printer can be advertised and the chain proceeds from step 3.

Affected Versions:

  • CVE-2024-47176
    • Package name – cups-browsed
    • Version <= 2.0.1
    • Description: binds to UDP INADDR_ANY:631 and trusts any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
  • CVE-2024-47076
    • Package name – libcupsfilters
    • Version <= 2.1b1
    • Description: cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned by an IPP server, passing attacker-controlled data to the rest of the CUPS system.
  • CVE-2024-47175
    • Package name – libppd
    • Version <= 2.1b1
    • Description: ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing injection of attacker-controlled data into the resulting PPD.
  • CVE-2024-47177
    • Package name – cups-filters
    • Version <= 2.0.1
    • Description: foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.

The file Margaritelli compiled lists all the affected Linux distributions and versions.
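Turning the version table above into a check: the following script is an added example for this article, not code from the original post or from the OpenPrinting project. It compares the installed package versions against the upstream ranges listed above and looks for the wildcard UDP 631 listener that CVE-2024-47176 depends on. It assumes GNU coreutils (sort -V), iproute2 (ss), systemd, and dpkg-query or rpm for package versions; the script name, the function names and the sample ss output are constructed for this example.

```shell
#!/bin/sh
# cups-exposure-check.sh: report whether this host sits in the affected version
# ranges listed above and whether something is bound to UDP 631 on a wildcard
# address, which is the entry point of CVE-2024-47176.
# Added example for this article; not code from the original post or from the
# OpenPrinting project. Assumptions: GNU coreutils (sort -V), iproute2 (ss),
# systemd, and dpkg-query or rpm for package versions.

# norm: rewrite pre-release tags so version sort ranks them below the final
# release (2.1b1 -> 2.1~b1 < 2.1); plain GNU sort -V would put 2.1 first.
norm() {
    printf '%s\n' "$1" | sed -e 's/\([0-9]\)b\([0-9]\)/\1~b\2/g' \
                             -e 's/\([0-9]\)rc\([0-9]\)/\1~rc\2/g'
}

# version_le A B: true when A <= B under version sort.
version_le() {
    a=$(norm "$1"); b=$(norm "$2")
    [ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n 1)" = "$a" ]
}

# upstream_affected PKG VERSION: true when VERSION is inside the upstream range
# given in the advisory. Distributions backport fixes without bumping the
# upstream version (RHEL ships cups-filters 1.x), so "true" here means
# "affected unless your vendor's advisory says this build is patched".
upstream_affected() {
    case "$1" in
        cups-browsed|cups-filters) version_le "$2" "2.0.1" ;;
        libcupsfilters|libppd)     version_le "$2" "2.1b1" ;;
        *) return 2 ;;
    esac
}

# installed_version PKG: upstream part of the installed version, or failure.
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' "$1" 2>/dev/null) || return 1
    elif command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}\n' "$1" 2>/dev/null) || return 1
    else
        return 1
    fi
    v=${v#*:}                  # drop epoch
    printf '%s\n' "${v%%-*}"   # drop distro revision
}

# udp631_wildcard: filter `ss -Hlun` lines for a UDP 631 socket bound to
# 0.0.0.0, * or [::]; exit status 1 when there is none.
udp631_wildcard() {
    grep -E '^UNCONN[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+(0\.0\.0\.0|\*|\[::\]):631[[:space:]]'
}

# Constructed sample of `ss -Hlun` output (not captured from a real host): a
# cups-browsed style listener plus two unrelated sockets.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 [::]:5353 [::]:*'

report() {
    for p in cups-browsed cups-filters libcupsfilters libppd; do
        v=$(installed_version "$p") || { echo "$p: not installed"; continue; }
        if upstream_affected "$p" "$v"; then
            echo "$p $v: in the upstream affected range; check your vendor advisory"
        else
            echo "$p $v: above the upstream affected range"
        fi
    done
    if command -v systemctl >/dev/null 2>&1; then
        st=$(systemctl is-active cups-browsed.service 2>/dev/null) || true
        echo "cups-browsed.service: ${st:-not-found}"
    fi
    if command -v ss >/dev/null 2>&1; then
        if ss -Hlun 2>/dev/null | udp631_wildcard; then
            echo "=> UDP 631 is open on every interface; firewall it or stop cups-browsed"
        else
            echo "no wildcard UDP 631 listener"
        fi
    fi
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it as `sh cups-exposure-check.sh --report`. The version comparison only tells you where a build sits relative to the upstream thresholds; on RHEL, Debian and Ubuntu the fixed packages keep their old upstream version numbers, so the authoritative answer is the vendor advisory (or the CVE identifiers in the package changelog), and the listener check is what tells you whether the host is actually exposed right now.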

How to Mitigate the CUPS Vulnerability

If your system is affected by the CUPS vulnerability and has no need to print, follow these steps to remove CUPS entirely and with it every component in the chain. On hosts that do need printing, the entry point is cups-browsed: apply your distribution's updated cups-filters/cups-browsed packages and stop and disable cups-browsed (steps 2 and 7 below) rather than removing CUPS.

1. Stop and Disable the CUPS Service:

The first step is to stop the CUPS service and disable it so that it does not restart. On systemd distributions cupsd is also socket- and path-activated: cups.socket and cups.path start cups.service again on the next connection or queued job, so disable (or better, mask) those two units as well.

sudo systemctl stop cups
sudo systemctl disable cups


2. Stop and Disable the cups-browsed Service:

Next, stop and disable the cups-browsed service, which performs network printer discovery and is the daemon that listens on UDP port 631 (CVE-2024-47176). Masking the unit rather than only disabling it prevents another package or dependency from starting it again.

sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed


3. Remove CUPS Packages:

Uninstall CUPS and its related packages with your system's package manager. The command varies by distribution; on RHEL 8 and 9 the cups-browsed daemon ships inside the cups-filters package, so remove that package as well (or apply its update if you keep printing).
For Debian/Ubuntu-based systems:

sudo apt-get purge --auto-remove cups cups-browsed


For RHEL/CentOS/Fedora-based systems (on RHEL 8+ and Fedora, yum is an alias for dnf):

sudo yum remove cups cups-browsed


For Arch-based systems:

sudo pacman -Rns cups cups-browsed


4. Remove CUPS Configuration Files:

Even after removing CUPS, configuration files may remain, including modified files the package manager keeps and the PPDs generated for discovered printers under /etc/cups/ppd. Delete the directory:

sudo rm -rf /etc/cups


5. Remove the Print Spool and Cache:

Queued print jobs and cached printer data live outside /etc; remove these directories as well:

sudo rm -rf /var/spool/cups
sudo rm -rf /var/cache/cups


6. Clean Up Residual Dependencies:

After uninstalling CUPS, leftover packages and dependencies may remain (on Debian/Ubuntu the --auto-remove flag in step 3 already handles this). Clean them up with the appropriate package manager command:

For Debian/Ubuntu-based systems:

sudo apt-get autoremove


For RHEL/CentOS/Fedora-based systems:

sudo yum autoremove


7. Block Inbound Traffic to UDP Port 631 and DNS-SD:

IPP itself runs over TCP port 631; UDP port 631 is the CUPS browsing port on which cups-browsed listens (the entry point for CVE-2024-47176), and DNS-SD over mDNS on UDP port 5353 is the other channel it uses for printer discovery. As a further layer, drop inbound traffic to these ports with iptables or ufw. Two caveats: blocking UDP 5353 silences every mDNS consumer on the host (Avahi, .local name resolution), not only printing, and a raw iptables rule is lost at reboot unless it is saved (iptables-persistent on Debian/Ubuntu, iptables-services on RHEL). RHEL defaults to firewalld rather than iptables; there, check that neither the ipp nor the ipp-client service is allowed in the active zone and add an equivalent drop rule.
Using iptables:

Block all inbound traffic to UDP port 631 (this rule covers IPv4 only; add the same rule with ip6tables, and use -I instead of -A if an earlier rule in the INPUT chain would accept the traffic first):

sudo iptables -A INPUT -p udp --dport 631 -j DROP


Optionally, block DNS-SD traffic (mDNS on UDP port 5353, used by cups-browsed for service discovery; this also stops every other mDNS user on the host):

sudo iptables -A INPUT -p udp --dport 5353 -j DROP


Using ufw (Uncomplicated Firewall), whose rules persist across reboots but only take effect once ufw itself is enabled:

sudo ufw deny 631/udp
sudo ufw deny 5353/udp

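The seven steps above as one script, added here as an example and not code from the original post or from the OpenPrinting project: it masks the four systemd units (including the socket and path units that would otherwise restart cupsd), detects the package manager, writes a persistent firewall drop with whichever of ufw, firewalld or iptables is present, and ends with a verification pass. The script name, function names and the --apply/--verify flags are this example's own conventions; it assumes systemd and is meant to be run as root. Without --apply it only prints the plan so it can be reviewed first.

```shell
#!/bin/sh
# cups-remove.sh: steps 1-7 above as one idempotent script with a verification
# pass. Added example for this article, not code from the original post or from
# the OpenPrinting project. Assumptions: systemd; apt-get, dnf/yum or pacman;
# ufw, firewalld or iptables. Without --apply it only prints the plan.
set -u

# cups.socket and cups.path re-activate cups.service on the next connection or
# queued job, so stopping cups.service alone is not enough; mask all four.
CUPS_UNITS="cups-browsed.service cups.service cups.socket cups.path"
CUPS_DIRS="/etc/cups /var/spool/cups /var/cache/cups"

pkg_mgr() {
    for m in apt-get dnf yum pacman; do
        if command -v "$m" >/dev/null 2>&1; then echo "$m"; return 0; fi
    done
    echo none
}

# remove_cmd MGR: the purge command for MGR. On RHEL 8/9 cups-browsed is part
# of cups-filters, so that package goes too; adjust to what rpm -qa/dpkg -l show.
remove_cmd() {
    case "$1" in
        apt-get) echo "apt-get purge -y --auto-remove cups cups-browsed" ;;
        dnf|yum) echo "$1 remove -y cups cups-browsed cups-filters" ;;
        pacman)  echo "pacman -Rns --noconfirm cups cups-browsed" ;;
        *)       return 1 ;;
    esac
}

# fw_cmds: inbound drops for UDP 631 and mDNS 5353, one command per line.
# Raw iptables rules vanish at reboot unless saved (iptables-persistent on
# Debian/Ubuntu, iptables-services on RHEL), so ufw/firewalld come first.
fw_cmds() {
    if command -v ufw >/dev/null 2>&1; then
        echo "ufw deny 631/udp"
        echo "ufw deny 5353/udp"
    elif command -v firewall-cmd >/dev/null 2>&1; then
        for fam in ipv4 ipv6; do
            for port in 631 5353; do
                echo "firewall-cmd --permanent --add-rich-rule='rule family=\"$fam\" port port=\"$port\" protocol=\"udp\" drop'"
            done
        done
        echo "firewall-cmd --reload"
    elif command -v iptables >/dev/null 2>&1; then
        for port in 631 5353; do
            echo "iptables -I INPUT -p udp --dport $port -j DROP"
            echo "ip6tables -I INPUT -p udp --dport $port -j DROP"
        done
    else
        echo "# no ufw/firewalld/iptables found; block UDP 631 and 5353 elsewhere"
    fi
}

# plan: every command, in order, one per line; comment lines are advisories.
plan() {
    for u in $CUPS_UNITS; do echo "systemctl disable --now $u"; done
    echo "systemctl mask $CUPS_UNITS"
    remove_cmd "$(pkg_mgr)" || echo "# no supported package manager found"
    echo "rm -rf $CUPS_DIRS"
    fw_cmds
}

apply() {
    plan | while IFS= read -r cmd; do
        case "$cmd" in '#'*) echo "$cmd" >&2 ;; *) echo "+ $cmd"; eval "$cmd" ;; esac
    done
}

# verify: exit 0 only when every unit is masked or gone and nothing is bound
# to UDP 631 on a wildcard address.
verify() {
    rc=0
    for u in $CUPS_UNITS; do
        st=$(systemctl is-enabled "$u" 2>/dev/null) || true
        case "$st" in ''|masked|masked-runtime|not-found) ;; *) echo "unit $u is $st"; rc=1 ;; esac
    done
    if ss -Hlun 2>/dev/null | grep -Eq '(0\.0\.0\.0|\*|\[::\]):631[[:space:]]'; then
        echo "something is still bound to UDP 631 on a wildcard address"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "verified: CUPS units masked and UDP 631 closed"
    return "$rc"
}

case "${1:-}" in
    --apply)  apply && verify ;;
    --verify) verify ;;
    *)        echo "# plan (run with --apply as root to execute, --verify to check):"; plan ;;
esac
```

Review the printed plan before running with --apply: the package list is the one from this article, and a host that has a different split of packages (for example a Fedora release where cups-browsed is its own package) needs the list adjusted to what is actually installed. Re-run with --verify after the next package update, since a reinstalled cups-browsed would bring the UDP 631 listener back.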

Conclusion

By following these steps you will completely remove CUPS and its related components from the system, which closes this vulnerability chain on hosts that have no need to print. Keep the system updated and keep an eye on any service that could pose a risk; in particular, re-check that nothing is bound to UDP port 631 after package updates, since a reinstalled cups-browsed would bring the listener back. For additional assistance from the Upwind team, contact us at [email protected].