Several critical Linux vulnerabilities have been declared, involving a bug in CUPS, the Common UNIX Printing System. All versions of Red Hat Enterprise Linux (RHEL) are among the Linux distributions affected, but not in default configuration.
There are four vulnerabilities that have been identified and allocated the following CVEs: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177. It is anticipated that additional CVEs will follow.
The CVEs were originally reported by Simone Margaritelli, a well-known computer security researcher and creator of numerous tools used in cyber security. He first posted about the CVEs on X on September 23, claiming they have a CVSS score of 9.9/10, and later detailed the CVEs on September 26.
Impact:
Margaritelli claimed that, three weeks ago, he had discovered an unauthenticated Remote Code Execution (RCE) vulnerability that affects all GNU/Linux systems.
The four CVEs are within OpenPrinting CUPS, an open source printing system that is prevalent in most modern Linux distributions and provides tools to manage, discover and share printers for Linux distributions. By chaining these four vulnerabilities together, an attacker could potentially achieve remote code execution, allowing them to steal sensitive data or damage critical production systems.
Red Hat has commented, saying that for Red Hat Enterprise Linux (RHEL) this can be executed by the following sequence of events:
- The cups-browsed service has manually been enabled or started
- An attacker has access to a vulnerable server, which
  a) Allows unrestricted access, such as the public internet, or
  b) Gains access to an internal network where local connections are trusted
- Attacker advertises a malicious IPP server, thereby provisioning a malicious printer
- A potential victim attempts to print from the malicious device
- Attacker executes arbitrary code on victim’s machine
Upwind researchers would like to note that even without unrestricted access as listed in step 2 of the Red Hat scenario, if UDP Port 631 is exposed, the attack can be carried out.
Affected Versions:
CVE-2024-47176
- Package name: cups-browsed
- Version: <= 2.0.1
- Description: Binds on UDP INADDR_ANY:631, trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL.
CVE-2024-47076
- Package name: libcupsfilters
- Version: <= 2.1b1
- Description: cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system.
CVE-2024-47175
- Package name: libppd
- Version: <= 2.1b1
- Description: ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD.
CVE-2024-47177
- Package name: cups-filters
- Version: <= 2.0.1
- Description: foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.
This file collected by Margaritelli contains a list of all the affected Linux versions.
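As an added example (not code from the advisory, Red Hat or the CUPS project), the following POSIX shell helpers check the two facts the Affected Versions table and the UDP port 631 note above turn on: whether an installed package version falls inside the affected range, and whether a UDP socket on port 631 is bound to a wildcard address. The `ss` output embedded below is a constructed sample, not a capture from a real host.

```shell
#!/bin/sh
# Added example, not code from the advisory or the CUPS project. Two checks
# run against captured output: is an installed package version inside the
# affected range, and is cups-browsed bound to UDP 631 on a wildcard address.
# Version thresholds are the ones in the Affected Versions section.

# version_le A B: exit 0 when version A <= version B. Dot-separated fields
# compare numerically; a letter suffix ("2.1b1") marks a pre-release, which
# sorts before the bare release ("2.1").
version_le() {
    awk -v a="$1" -v b="$2" '
    function norm(v) { sub(/[a-z]+/, ".-1.", v); return v }
    BEGIN {
        na = split(norm(a), A, "."); nb = split(norm(b), B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in A) ? A[i] + 0 : 0
            y = (i in B) ? B[i] + 0 : 0
            if (x != y) exit ((x < y) ? 0 : 1)
        }
        exit 0
    }'
}

# is_affected_version PACKAGE VERSION: exit 0 if VERSION is at or below the
# last affected release; a distro revision ("2.0.1-1") is stripped first.
is_affected_version() {
    case "$1" in
        cups-browsed|cups-filters) max=2.0.1 ;;
        libcupsfilters|libppd)     max=2.1b1 ;;
        *) echo "unknown package: $1" >&2; return 2 ;;
    esac
    version_le "${2%%-*}" "$max"
}

# udp631_wildcard_bound: read `ss -lun` output on stdin; exit 0 if a UDP
# socket is bound to port 631 on 0.0.0.0, * or [::], i.e. reachable by any
# source that can route a packet to the host.
udp631_wildcard_bound() {
    awk '$1 == "UNCONN" && $4 ~ /^(0\.0\.0\.0|\*|\[::]):631$/ { hit = 1 }
         END { exit (hit ? 0 : 1) }'
}

# Constructed sample of `ss -lun` output from a host running cups-browsed
# with its default bind (not captured from a real system).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0            0.0.0.0:631       0.0.0.0:*
UNCONN 0      0          127.0.0.1:323       0.0.0.0:*'
```

On a live host, `ss -lun | udp631_wildcard_bound && echo "UDP 631 exposed"` together with `systemctl is-enabled cups-browsed` tells you whether the Red Hat preconditions hold. The version string to feed `is_affected_version` can come from `dpkg-query -W -f '${Version}' cups-browsed` on Debian-based systems or `rpm -q --qf '%{VERSION}' cups-browsed` on RHEL-based ones.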
How to Mitigate the CUPS Vulnerability
If your system is affected by the CUPS vulnerability, follow these steps to completely remove and mitigate the associated risks:
1. Stop and Disable the CUPS Service:
The first step is to stop the CUPS service and disable it to prevent it from restarting.
sudo systemctl stop cups
sudo systemctl disable cups
2. Stop and Disable the cups-browsed Service:
Next, stop and disable the cups-browsed service, which is commonly used for network printer discovery.
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
3. Remove CUPS Packages:
Uninstall CUPS and any related packages using your system’s package manager. The command varies depending on your Linux distribution:
For Debian/Ubuntu-based systems:
sudo apt-get purge --auto-remove cups cups-browsed
For RHEL/CentOS/Fedora-based systems:
sudo yum remove cups cups-browsed
For Arch-based systems:
sudo pacman -Rns cups cups-browsed
4. Remove CUPS Configuration Files:
Even after removing CUPS, configuration files may remain. These should be manually deleted:
sudo rm -rf /etc/cups
5. Remove User Data:
If you’ve set up printers or other user-specific configurations, remove the associated user data:
sudo rm -rf /var/spool/cups
sudo rm -rf /var/cache/cups
6. Clean Up Residual Dependencies:
After uninstalling CUPS, there may be leftover packages and dependencies. You can clean these up using the appropriate package manager command:
For Debian/Ubuntu-based systems:
sudo apt-get autoremove
For RHEL/CentOS/Fedora-based systems:
sudo yum autoremove
7. Block Traffic to UDP Port 631 and DNS-SD:
CUPS relies on UDP port 631 for the Internet Printing Protocol (IPP) and DNS-SD (mDNS) for printer discovery. To further protect your system, block traffic to these ports using iptables or ufw.
Using iptables:
Block all traffic to UDP port 631:
sudo iptables -A INPUT -p udp --dport 631 -j DROP
Optionally, block DNS-SD traffic (used by CUPS for service discovery, mDNS on port 5353):
sudo iptables -A INPUT -p udp --dport 5353 -j DROP
Note that rules added with iptables this way do not survive a reboot unless you save them with your distribution's persistence mechanism (for example iptables-save or the iptables-persistent package), and an appended (-A) rule only takes effect if no earlier rule in the INPUT chain already accepts the traffic.
Using ufw (Uncomplicated Firewall):
sudo ufw deny 631/udp
sudo ufw deny 5353/udp
Conclusion
By following these steps, you will completely remove CUPS and its related components from your system, ensuring protection from the vulnerability. Don’t forget to update your system regularly and monitor any services that could pose a security risk. For additional assistance from the Upwind team, contact us at [email protected].