Critical CUPS Flaw: Linux Systems at Risk of Remote Takeover

A critical vulnerability in the Unix printing system CUPS was recently uncovered, affecting numerous Linux systems worldwide. This flaw could potentially allow an attacker to take control of a computer over the network or internet by initiating a print job. The situation is exacerbated by the fact that patches to resolve the issue are not yet available.

The security researcher Simone Margaritelli, who discovered and reported these vulnerabilities, has published a detailed analysis. The vulnerabilities affect most Linux distributions, some versions of BSD, and possibly ChromeOS and Solaris. The critical threat stems from the cups-browsed component, which can be exploited by attackers to compromise a system upon the initiation of a print job.

For a successful exploit, the attacker needs access to the CUPS service on port 631 and must wait for a print job to be initiated on a vulnerable system. In cases where this port is unavailable, attackers could substitute zeroconf, mDNS, or DNS-SD to launch their attack.

Margaritelli identified four vulnerabilities in total:

• CVE-2024-47176 (cups-browsed): Unrestricted access to UDP port 631.
• CVE-2024-47076 (libcupsfilters): Lack of attribute validation when handling IPP requests.
• CVE-2024-47175 (libppd): Absence of attribute validation when writing to PPD files.
• CVE-2024-47177 (cups-filters): Command execution capability from PPD file data.

By chaining these vulnerabilities, an attacker could send a packet to port 631, compel the vulnerable system to communicate with the attacker’s server, transmit malicious data, and upon initiating a print job, execute harmful commands.

While the threat appears severe, its exploitation requires user interaction, specifically initiating a print job. According to Margaritelli, the vulnerability likely does not warrant the previously speculated CVSS score of 9.9 out of 10, yet it still presents a significant risk.

Benjamin Harris, founder of watchTowr, believes these security flaws impact only a small percentage of Linux computers accessible via the internet. Nonetheless, he advises organizations to inspect their systems to prevent potential cybersecurity incidents.

Margaritelli suggests the following steps for protection:

• Disable or remove the cups-browsed service;
• Block access to UDP port 631 and DNS-SD;
• Update CUPS when patches are released.

Notably, Margaritelli encountered several difficulties in reporting the vulnerability to CUPS. Despite the gravity of the issue, which was confirmed by companies such as Canonical and Red Hat, the CUPS developers were reluctant to acknowledge the reported flaws.

According to Margaritelli, instead of promptly addressing the vulnerabilities, they chose to argue about whether some of them posed security risks, showing a dismissive attitude toward the researcher’s findings. He views this as an example of how not to handle vulnerability disclosure and stresses the heightened responsibility of developers maintaining software that has been in use for over 20 years on countless devices globally.

Until the necessary patches are released, it is strongly recommended to follow the proposed measures to mitigate risks.