Alert essentials:
Publicly disclosed vulnerabilities in the Linux Common Unix Printing System (CUPS) allow attackers to compromise networks by installing fake printers.
Address vulnerable internet-facing devices as soon as possible.
Detailed threat description:
The Common Unix Printing System (CUPS), used by *nix systems, is an open-source print server. It contains four vulnerabilities that allow remote threat actors to take control of devices.
The attack chain exploits flaws in how CUPS processes incoming print requests. When an attacker sends a malformed request to the CUPS server, the server may mishandle the data, leading to a buffer overflow or other memory-related issues. Attackers can inject and execute malicious code, effectively taking control of the affected system. The attacker can also perform distributed denial of service (DDoS) attacks that exhaust the application’s resources and potentially render the host inaccessible.
CUPS, specifically cups-browsed, is generally installed on desktop computers and servers configured as print servers. It is also a component of ChromeOS and macOS.
For a system to be exploitable through this attack chain, all the following conditions must be true:
- Version 2.0.1 or lower of the cups-browsed package must be installed
- The cups-browsed service must be running and listening on UDP port 631
- Configuration file /etc/cups/cups-browsed.conf must contain the statement BrowseRemoteProtocols (which is the default configuration)
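The three conditions above can be checked on data collected from a host. The script below is an added example, not part of the advisory or of the CUPS project; its function names are hypothetical, its sample inputs are constructed, and it assumes that a `BrowseRemoteProtocols` value of `none` means remote browsing is off.

```sh
#!/bin/sh
# Added example (not from the advisory): evaluate the three conditions above.
# Function names are hypothetical; sample inputs below are constructed.

# Condition 1: cups-browsed version is 2.0.1 or lower.
# Assumption: epoch ("1:") and distro revision ("-3ubuntu1") are stripped first;
# a distro may ship a backported fix under an unchanged upstream version.
version_affected() {
    v=${1#*:}; v=${v%%-*}
    [ -n "$v" ] &&
        [ "$(printf '%s\n%s\n' "$v" "2.0.1" | sort -V | tail -n 1)" = "2.0.1" ]
}

# Condition 2: a socket is bound to UDP port 631.
# Reads `ss -uln` output on stdin; the peer column of an unconnected UDP
# socket ends in ":*", so only a local address can match.
udp631_listening() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:631$/) hit = 1 }
         END { exit !hit }'
}

# Condition 3: an uncommented BrowseRemoteProtocols directive is present.
# Assumption: the value "none" disables remote browsing and is not counted.
browse_remote_enabled() {
    awk 'tolower($1) == "browseremoteprotocols" && tolower($2) != "none" { hit = 1 }
         END { exit !hit }'
}

# All three must hold. Args: version, file of ss output, cups-browsed.conf path.
cups_browsed_exposed() {
    version_affected "$1" && udp631_listening < "$2" &&
        browse_remote_enabled < "$3"
}

# Constructed sample data. On a real host: the version from the package
# manager, `ss -uln > file`, and /etc/cups/cups-browsed.conf.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'UNCONN 0 0 0.0.0.0:631 0.0.0.0:*\n' > "$demo_dir/ss.txt"
printf '# constructed\nBrowseRemoteProtocols dnssd cups\n' > "$demo_dir/conf"
if cups_browsed_exposed "2.0.0-1" "$demo_dir/ss.txt" "$demo_dir/conf"; then
    echo "all three conditions met: apply the mitigations"
else
    echo "at least one condition is not met"
fi
```

A host that fails any one check is outside this attack chain, but the version check alone is not conclusive on distributions that backport fixes.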
By exploiting these vulnerabilities, an attacker can silently replace existing printers’ IPP URLs with malicious ones or install new printers. When a print job is queued, the malicious URL triggers arbitrary command execution, granting the attacker control over the system.
Exposing printing services to the local network or the internet can be hazardous. A public disclosure has been leaked and is available on GitHub.
The default configuration of the service in RHEL is vulnerable. However, this service is installed in a disabled state. The `cups-browsed` daemon must be manually enabled to expose a targeted system’s UDP ports on a network. Systems that are firewalling CUPS or do not have cups-browsed installed are likely secure from this issue.
Patches are under development. Admins should take action to mitigate these threats by turning off unnecessary services, updating software, and restricting network access. These steps will help protect your systems against remote hijacking attacks, data theft, and other damaging attacks.
Impacts on healthcare organizations:
If successful exploitation occurs, consequences could include anything from unauthorized access and data theft through system takeover to disrupting essential infrastructure services reliant on Linux systems.
Affected products / versions:
Most GNU/Linux distributions, some BSD systems, Google Chromium/ChromeOS, and potentially Oracle Solaris are impacted.
CVEs:
- CVE-2024-47176: affects cups-browsed ≤ 2.0.1
- CVE-2024-47076: affects libcupsfilters ≤ 2.1b1
- CVE-2024-47175: affects libppd ≤ 2.1b1
- CVE-2024-47177: affects cups-filters ≤ 2.0.1
Recommendations:
Engineering recommendations:
- Identify CUPS in the environment by checking for service and process names
- Verify which devices are exposed to the internet
- Block the port used by CUPS, UDP port 631
- Disable and remove the cups-browsed service if it is not deemed a critical component
- If it is deemed to be a critical component, update the CUPS package on your systems
- Configure the CUPS service so that it doesn’t start on reboot
- If it is impossible to update the CUPS package on your systems and it is deemed a critical component, block all traffic to UDP port 631 and possibly all DNS-SD traffic if it isn’t needed
Leadership/Program recommendations:
- Implement a DMZ; servers open to the internet are inherently at higher risk; therefore, they shouldn’t have complete access to the rest of the network
- Implementing a perimeter DMZ for those servers ensures that the servers can’t access the more sensitive parts of the network, making any attacker’s efforts much harder
- Segment application servers: it’s usually possible to segment similar application servers together, and it might be easy to restrict their inbound and outbound traffic based on their application logic
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- CUPS advisory: https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
- CUPS.org: https://www.cups.org/
- POC: https://github.com/RickdeJager/cupshax/tree/main
- https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
- RHEL: https://access.redhat.com/security/vulnerabilities/RHSB-2024-002