A new set of security vulnerabilities has been disclosed in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems that could allow remote command execution under certain conditions.
“A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer),” security researcher Simone Margaritelli said.
CUPS is a standards-based, open-source printing system for Linux and other Unix-like operating systems, including ArchLinux, Debian, Fedora, Red Hat Enterprise Linux (RHEL), ChromeOS, FreeBSD, NetBSD, OpenBSD, openSUSE, and SUSE Linux.
The list of vulnerabilities is as follows –
- CVE-2024-47176 – cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631, trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL
- CVE-2024-47076 – libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system
- CVE-2024-47175 – libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data into the resulting PPD
- CVE-2024-47177 – cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter
The net result of these shortcomings is that they can be chained into an exploit that lets an attacker advertise a malicious, fake printer to a network-exposed Linux system running CUPS and trigger remote code execution when a print job is sent to it.
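The chain above crosses two trust boundaries without a check: cups-browsed accepts any UDP/631 announcement and follows whatever URL it carries (CVE-2024-47176), and the PPD that libppd writes from the returned IPP attributes can carry a FoomaticRIPCommandLine that foomatic-rip hands to a shell (CVE-2024-47175, CVE-2024-47177). The following Python is an added example written for this article, not CUPS or cups-browsed code: it parses announcements and PPDs built inline as constructed samples and applies the two checks the components lacked. The announcement layout (`<type-hex> <state-hex> <uri> "location" "info" "make-and-model"`) is assumed from the legacy CUPS browse protocol, the allow-listed printer subnet is invented, and the PPD scan is a heuristic that can flag legitimate multi-command drivers.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: real printers live on one site VLAN; anything else announcing
# itself on UDP/631 is treated as hostile.  Adjust for the local network.
ALLOWED_PRINTER_NETS = [ipaddress.ip_network("192.168.10.0/24")]
ALLOWED_SCHEMES = {"ipp", "ipps"}


def parse_browse_announcement(packet: bytes) -> dict:
    """Split one browse announcement into its fields (assumed layout:
    '<type-hex> <state-hex> <uri> ["location" "info" "make-model" ...]').
    Raises ValueError if the three mandatory fields are missing."""
    text = packet.decode("utf-8", errors="replace").strip()
    parts = text.split(None, 3)
    if len(parts) < 3:
        raise ValueError("malformed announcement: %r" % text)
    type_hex, state_hex, uri = parts[:3]
    quoted = re.findall(r'"([^"]*)"', parts[3]) if len(parts) == 4 else []
    quoted += [""] * (3 - len(quoted))  # pad absent optional strings
    return {
        "type": int(type_hex, 16),
        "state": int(state_hex, 16),
        "uri": uri,
        "location": quoted[0],
        "info": quoted[1],
        "make_model": quoted[2],
    }


def announcement_is_trusted(ann: dict, allowed_nets=ALLOWED_PRINTER_NETS) -> bool:
    """The check cups-browsed did not make before issuing Get-Printer-Attributes:
    the URL must be ipp/ipps and its host a literal address inside an
    allow-listed printer subnet.  Hostnames are rejected rather than resolved,
    so DNS cannot be used to steer the request elsewhere."""
    url = urlsplit(ann["uri"])
    if url.scheme not in ALLOWED_SCHEMES:
        return False
    try:
        host = ipaddress.ip_address(url.hostname or "")
    except ValueError:
        return False
    return any(host in net for net in allowed_nets)


# *FoomaticRIPCommandLine: "<command>" is the value foomatic-rip executes.
RIP_CMD_LINE = re.compile(r'^\*FoomaticRIPCommandLine\s*:\s*"(.*)"\s*$')
SHELL_META = re.compile(r"[;&|`]|\$\(")


def foomatic_command_lines(ppd_text: str) -> list:
    """Every FoomaticRIPCommandLine value in a PPD (single-line values only)."""
    found = []
    for line in ppd_text.splitlines():
        m = RIP_CMD_LINE.match(line)
        if m:
            found.append(m.group(1))
    return found


def ppd_is_suspicious(ppd_text: str) -> bool:
    """Heuristic: a driver command line normally runs one renderer such as gs;
    command separators and substitutions are what an injected value needs.
    Legitimate pipelines will also trip this, so treat hits as leads."""
    return any(SHELL_META.search(cmd) for cmd in foomatic_command_lines(ppd_text))


# Constructed samples (not captured traffic or real driver files).
BENIGN_ANNOUNCEMENT = (
    b'0 3 ipp://192.168.10.20:631/printers/lobby "Lobby" "Lobby printer" '
    b'"HP LaserJet 4000 Series"\n'
)
HOSTILE_ANNOUNCEMENT = b'0 3 http://203.0.113.7:8631/printers/x "Location" "Info" "Make"\n'

CLEAN_PPD = '''*PPD-Adobe: "4.3"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dNOPAUSE -sDEVICE=ljet4 -sOutputFile=- -"
'''
INJECTED_PPD = '''*PPD-Adobe: "4.3"
*FoomaticRIPCommandLine: "touch /tmp/cups-rce-demo; gs -q -dBATCH -sDEVICE=ljet4 -sOutputFile=- -"
'''

if __name__ == "__main__":
    for pkt in (BENIGN_ANNOUNCEMENT, HOSTILE_ANNOUNCEMENT):
        ann = parse_browse_announcement(pkt)
        print("%-45s trusted=%s" % (ann["uri"], announcement_is_trusted(ann)))
    for name, ppd in (("clean", CLEAN_PPD), ("injected", INJECTED_PPD)):
        print("%-9s suspicious=%s" % (name, ppd_is_suspicious(ppd)))
```

The announcement check is the one that matters most operationally: if the URL is never fetched, the attacker's IPP server never gets to return attributes and nothing reaches libppd or foomatic-rip. The PPD scan is useful after the fact, run over the PPDs cups-browsed has already generated, to see whether a hostile printer was ever installed.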
“The issue arises due to improper handling of ‘New Printer Available’ announcements in the ‘cups-browsed’ component, combined with poor validation by ‘cups’ of the information provided by a malicious printing resource,” network security company Ontinue said.
“The vulnerability stems from inadequate validation of network data, allowing attackers to get the vulnerable system to install a malicious printer driver, and then send a print job to that driver triggering execution of the malicious code. The malicious code is executed with the privileges of the lp user – not the superuser ‘root.'”
Red Hat, in an advisory, said all versions of the operating system are affected by the four flaws, but noted that they are not vulnerable in their default configuration. It rated the issues Important in severity, given that the real-world impact is likely to be low.
“By chaining this group of vulnerabilities together, an attacker could potentially achieve remote code execution which could then lead to theft of sensitive data and/or damage to critical production systems,” it said.
Cybersecurity firm Rapid7 pointed out that affected systems are exploitable, whether from the public internet or across network segments, only if UDP port 631 is reachable and the vulnerable service is listening.
Palo Alto Networks has disclosed that none of its products and cloud services contain the aforementioned CUPS-related software packages, and are therefore not affected by the flaws.
Patches for the vulnerabilities are currently being developed and are expected to be released in the coming days. Until then, it is advisable to disable and remove the cups-browsed service if it is not needed, and to block or restrict traffic to UDP port 631.
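Rapid7's exposure condition and the interim mitigation both come down to one question per host: is anything bound to UDP 631, and on which interface? The script below is an added example written for this article, not Red Hat or CUPS tooling. It reads the kernel's socket tables directly from /proc/net/udp and /proc/net/udp6 (so it works without ss or netstat) and classifies the bind; the table excerpts are constructed samples, the socket-to-process mapping is left to the reader, and the nftables command it suggests assumes an existing `inet filter` table with an `input` chain. It does not test whether an upstream firewall already blocks the port.

```python
import os
import socket
import struct

IPP_PORT = 631


def _decode_proc_addr(hex_addr: str) -> str:
    """Turn a /proc/net/udp{,6} hex address into dotted or colon form.  The
    kernel prints each 32-bit word in host byte order, so native-order packing
    recovers the address bytes on both little- and big-endian machines."""
    words = [int(hex_addr[i:i + 8], 16) for i in range(0, len(hex_addr), 8)]
    if len(words) == 1:
        return socket.inet_ntoa(struct.pack("=I", words[0]))
    return socket.inet_ntop(socket.AF_INET6, struct.pack("=IIII", *words))


def udp_listeners(proc_table: str, port: int = IPP_PORT) -> list:
    """Local addresses bound to `port` in the text of /proc/net/udp or udp6."""
    bound = []
    for line in proc_table.splitlines()[1:]:  # line 0 is the column header
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        if int(port_hex, 16) == port:
            bound.append(_decode_proc_addr(addr_hex))
    return bound


def exposure(bound: list) -> str:
    """'wildcard': bound on every interface (the INADDR_ANY bind cups-browsed
    uses); 'local': loopback only; 'specific': some other address;
    'none': nothing listening on the port."""
    if not bound:
        return "none"
    if any(a in ("0.0.0.0", "::") for a in bound):
        return "wildcard"
    if all(a.startswith("127.") or a == "::1" for a in bound):
        return "local"
    return "specific"


def audit_host() -> str:
    """Classify the live tables on a Linux host; 'none' where /proc is absent."""
    bound = []
    for path in ("/proc/net/udp", "/proc/net/udp6"):
        if os.path.exists(path):
            with open(path) as fh:
                bound += udp_listeners(fh.read())
    return exposure(bound)


# Constructed /proc/net/udp excerpts: a socket on 0.0.0.0:631 (port 0x0277),
# an unrelated loopback DNS socket on port 53 (0x0035), and an IPv6 wildcard.
SAMPLE_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 1024: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 31337 2 0000000000000000 0
 1025: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 31338 2 0000000000000000 0
"""
SAMPLE_UDP6 = """\
   sl  local_address                         rem_address                         st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 2048: 00000000000000000000000000000000:0277 00000000000000000000000000000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 31339 2 0000000000000000 0
"""

if __name__ == "__main__":
    status = audit_host()
    print("UDP/631 exposure on this host:", status)
    if status in ("wildcard", "specific"):
        # Interim mitigation from the advisories, to be run as root.
        print("  systemctl disable --now cups-browsed")
        print("  nft add rule inet filter input udp dport 631 drop")
```

A 'wildcard' result on a host that must keep cups-browsed (for example to discover shared printers on a trusted LAN) is the case to escalate: until the patched packages land, the only options are the firewall rule or binding the service to a single interface, and the latter still leaves that interface's network trusted.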
“It looks like the embargoed Linux unauth RCE vulnerabilities that have been touted as doomsday for Linux systems, may only affect a subset of systems,” Benjamin Harris, CEO of WatchTowr, said in a statement shared with The Hacker News.
“Given this, while the vulnerabilities in terms of technical impact are serious, it is significantly less likely that desktop machines/workstations running CUPS are exposed to the Internet in the same manner or numbers that typical server editions of Linux would be.”
Satnam Narang, senior staff research engineer at Tenable, said these vulnerabilities are not at the level of a Log4Shell or Heartbleed.
“The reality is that across a variety of software, be it open or closed source, there are a countless number of vulnerabilities that have yet to be discovered and disclosed,” Narang stated. “Security research is vital to this process and we can and should demand better of software vendors.”
“For organizations that are honing in on these latest vulnerabilities, it’s important to highlight that the flaws that are most impactful and concerning are the known vulnerabilities that continue to be exploited by advanced persistent threat groups with ties to nation states, as well as ransomware affiliates that are pilfering corporations for millions of dollars each year.”