CUPS, or the Common Unix Printing System, is an open-source printing system widely utilized on Unix-like operating systems such as Linux, BSDs, and macOS. CUPS acts as an open-source print server, allowing a computer to become an effective print server while managing print jobs and queues and providing a standardized interface for printing services.
It was recently discovered that CUPS contains a critical vulnerability that allows remote attackers to gain entry and take control of devices remotely. Furthermore, this issue could allow unauthenticated remote code execution, meaning an attacker could gain control without prior authentication of affected systems. Let's take a closer look at this critical flaw that could lead to data theft and hijacking of affected systems. I'll then share measures you should be taking to ensure your systems and your sensitive information are secure.
Understanding This Critical CUPS Flaw
Simone Margaritelli disclosed this vulnerability, which was identified as affecting most Linux distributions, some BSD variants, Google ChromeOS, Oracle's Solaris, and potentially other systems where CUPS is used. The main issue is related to the cups-browsed service.
The vulnerability, tracked as CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters), allows a remote, unauthenticated attacker to exploit CUPS via network access in the following way:
- Access Point: The main entry point is UDP port 631, which CUPS uses for incoming print jobs and administrative tasks.
- Spoofing Mechanism: If direct access to port 631 is unavailable, attackers might use spoofing techniques involving zeroconf, mDNS, or DNS-SD advertisements.
- Command Execution: By exploiting this vulnerability, an attacker can silently replace existing printers' IPP URLs with malicious ones or install new printers. When a print job is queued, the malicious URL triggers arbitrary command execution, granting the attacker control over the system. This can be particularly dangerous when printing services are exposed to the local network or the internet.
What Is the Impact of This Vulnerability?
This vulnerability has an estimated CVSS severity score of 9.9 out of 10, which indicates high impact and low complexity to exploit. Its scope of impact is wide-reaching, potentially impacting hundreds of thousands of devices exposed to the internet, including most Linux distributions, certain BSDs, ChromeOS Solaris systems, and systems using CUPS printers. If successful exploitation occurs, consequences could include anything from unauthorized access and data theft through system takeover to disrupting essential infrastructure services reliant on Linux systems.
Protection Measures for Users & Admins
Does this critical flaw impact your systems? If so, don't stress! To mitigate this security risk, users and administrators should immediately implement the mitigation strategies discussed below.
Disable and Remove cups-browsed:
Disable the cups-browsed
service if it's not needed.
Remove the cups-browsed
package if it's not required.
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
sudo apt-get remove --purge cups-browsed
Update CUPS Installation:
Regularly check for updates to CUPS and apply security patches released by your distro(s).
sudo apt-get update
sudo apt-get upgrade cups
Network Configuration:
Block access to UDP port 631 using firewall rules to prevent exposure to the network/internet.
Consider blocking DNS-SD traffic if it's not needed.
sudo ufw deny 631/udp
Monitor for Further Guidance:
Follow security bulletins and advisories from your OS maintainers and CUPS developers to stay updated with new information about this vulnerability and additional protective measures.
Assess Your Risk:
Evaluate how exposed your systems are to this vulnerability. Systems that are firewalling CUPS or do not have cups-browsed installed are likely secure from this issue.
Our Final Thoughts on This Severe CUPS Flaw
These recently disclosed vulnerabilities in CUPS pose a severe security threat to devices running Unix-like operating systems. Admins must take swift action to mitigate this threat by disabling unnecessary services, updating software, and restricting network access. These steps will help protect your systems against remote hijacking attacks, data theft, and other damaging attacks.