
Emergency Security Bulletin - Multiple Linux CUPS Vulnerabilities

9/30/24 4:08 PM  |  by RedLegg's Cyber Threat Intelligence Team

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation.


VULNERABILITIES

Linux CUPS Remote Code Execution Vulnerability

Identifier: CVE-2024-47076  
CVSS Score: 9.9 (Critical)  
Update Guide: Visit your Linux distribution's security advisory page, such as Red Hat Security, at https://access.redhat.com/ for information on patching.

Description: CVE-2024-47076 is a critical vulnerability found within CUPS (Common Unix Printing System), affecting the libcupsfilters library. This vulnerability exists in the `cfGetPrinterAttributes5` function of libcupsfilters, which is responsible for handling IPP (Internet Printing Protocol) requests. The flaw arises due to improper validation or sanitization of IPP attributes from an IPP server, allowing an attacker to inject malicious data into the printing system. This can lead to remote code execution (RCE) on the target machine, providing full control to the attacker.

An unauthenticated remote attacker can exploit this vulnerability by sending crafted IPP packets over UDP port 631. This attack vector is particularly concerning for systems where `cups-browsed` is exposed to the public internet or within a local network, significantly broadening the potential attack surface.

Impact and Exploitation:
Successful exploitation can lead to remote code execution on affected systems, allowing an attacker to perform arbitrary operations, potentially compromising the entire system. Due to its critical nature, immediate remediation is required for all systems running vulnerable versions of libcupsfilters.

Affected Versions:  

  • libcupsfilters: All versions up to 2.1b1 are impacted. Affected systems span Unix-like operating systems, including Linux distributions such as Red Hat and Ubuntu, and any other system that relies on CUPS.

Mitigation and Patching Instructions:

  1. Check for Active CUPS Services
  2. Apply Security Patches:  

   Linux distributions have released security patches to address this vulnerability. Visit your specific distribution's security advisory platform, such as Red Hat at https://access.redhat.com/, to download and install the latest security updates for CUPS and libcupsfilters.

  3. Disable cups-browsed If Not Required:  

   If printing services are not necessary or you are awaiting patches, consider stopping and disabling the cups-browsed service:

  4. Network Hardening:  

   To prevent exploitation over the network, apply firewall rules to block access to UDP port 631. Restrict or disable mDNS/DNS-SD services to limit exposure to malicious IPP requests.

  5. Verification of Update Deployment:  

   After applying patches, ensure the system is running the latest, secure version of libcupsfilters. Continuously monitor system behavior and conduct security scans to detect any signs of potential exploitation.

For More Information: Visit the National Vulnerability Database at https://nvd.nist.gov/vuln/detail/CVE-2024-47076 for more technical details and guidance on mitigating this vulnerability. Immediate action is recommended to prevent unauthorized access and control over systems using CUPS.


Linux CUPS Remote Code Execution Vulnerability

Identifier: CVE-2024-47175
CVSS Score: 9.3 (High)
Update Guide: To download the latest security patches and updates, please visit the support portal of your Linux distribution, such as Red Hat Security at https://access.redhat.com/.

Description: CVE-2024-47175 is a critical vulnerability in CUPS (Common Unix Printing System), specifically affecting the libppd library. This vulnerability arises from inadequate validation and sanitization in the ppdCreatePPDFromIPP2 function, which processes IPP (Internet Printing Protocol) attributes. An attacker can exploit this vulnerability by sending specially crafted IPP requests that inject malicious data into PPD (PostScript Printer Description) files. This can lead to remote code execution (RCE) when a print job is started.

The vulnerability allows remote attackers to take control of printers connected to the CUPS system by replacing printer URLs with those under their control. When a print job is initiated, the system executes the injected malicious code. The flaw is particularly risky when the CUPS cups-browsed service is exposed on UDP port 631.

Impact and Exploitation:
A successful exploitation of CVE-2024-47175 can result in the attacker gaining remote code execution capabilities on the system, leading to a complete compromise. This vulnerability is especially concerning if the CUPS service is accessible via port 631 over the internet or within a local network.

Affected Versions:
All versions of libppd up to 2.1b1 are affected. Systems running the cups-browsed service with these versions are at significant risk.

Mitigation and Patching Instructions:

Check for Running Services:
Verify if cups-browsed is active on your system:

Apply Patches Immediately:
Security updates have been released by major Linux distributions to address this vulnerability. Visit your distribution's support portal, such as the Red Hat Security Portal at https://access.redhat.com/, to download and install the necessary patches.

Disable CUPS Services if Not Needed:
If your system does not require CUPS for printing services or if patches are not immediately available, consider disabling cups-browsed:

Network Hardening: 
Implement firewall rules to restrict access to UDP port 631 to prevent potential exploitation from remote sources. Additionally, consider disabling or restricting mDNS/DNS-SD services to limit exposure.

Verify Update Deployment:
After applying patches, ensure that the libppd package has been updated to a secure version. Conduct regular testing and monitoring to detect any unusual activity or potential exploitation attempts.

For More Information: For detailed technical information on CVE-2024-47175, refer to the National Vulnerability Database at https://nvd.nist.gov/vuln/detail/CVE-2024-47175. It is recommended to patch this vulnerability promptly to protect systems from potential remote attacks.


Linux CUPS Remote Code Execution Vulnerability

Identifier: CVE-2024-47176
CVSS Score: 8.3 (High)
Update Guide: Visit your Linux distribution's support platform, such as Red Hat Security, at https://access.redhat.com/ for patches and updates.

Description: CVE-2024-47176 is a high-severity vulnerability within the CUPS (Common Unix Printing System), impacting the cups-browsed service. This service handles printing on various Unix-like operating systems, including Linux. The vulnerability arises due to insecure handling of Get-Printer-Attributes IPP (Internet Printing Protocol) requests on UDP port 631, which can lead to remote code execution (RCE). The flaw allows an attacker to send specially crafted packets, replacing printer URLs with malicious ones, and potentially executing arbitrary commands when a print job is initiated.

This vulnerability can be exploited over the public internet or local network, making systems with CUPS particularly exposed if they are publicly accessible on UDP port 631. Attackers can spoof or send malicious network packets, taking control of the cups-browsed service without requiring authentication.

Impact and Exploitation: 
If exploited successfully, the vulnerability allows a remote attacker to execute arbitrary code, leading to a potential full compromise of the affected systems. A large number of Linux-based servers, desktops, and embedded devices running vulnerable versions of cups-browsed are at risk.

Affected Versions:

  • cups-browsed: All versions up to 2.0.1 are affected. These versions are prevalent across a variety of Unix-based systems, including major Linux distributions like Ubuntu, Red Hat, and others.

Mitigation and Patching Instructions:

  1. Check for Active CUPS Services
  2. Apply Security Patches:  

Patches are available to address this vulnerability. Users should visit their distribution's support portal, such as the Red Hat Security Portal at https://access.redhat.com/, to obtain the necessary updates.

  3. Disable cups-browsed if Not Needed: 

If printing services are not required, or to mitigate risk before patching, disable the cups-browsed service.

  4. Network Security Measures: 

Block or restrict access to UDP port 631 through firewall rules to prevent unauthorized connections. Consider restricting or disabling mDNS/DNS-SD services to reduce exposure to local network attacks.

  5. Verification and Testing:  

Once patches are applied, verify that the system is running the updated cups-browsed package. Perform regular security audits to check for any signs of potential exploitation or unusual activity.

For More Information: For further details about this vulnerability, refer to the National Vulnerability Database at https://nvd.nist.gov/vuln/detail/CVE-2024-47176. Immediate action is recommended to protect against potential attacks targeting this vulnerability.


Linux CUPS Remote Code Execution Vulnerability

Identifier: CVE-2024-47177
CVSS Score: 9.8 (Critical)
Update Guide: Visit your Linux distribution's security advisory platform, such as Red Hat Security, at https://access.redhat.com/ to download patches and updates.

Description: CVE-2024-47177 is a critical vulnerability in the CUPS (Common Unix Printing System), specifically affecting the cups-filters package. This flaw is related to the foomatic-rip filter, which is vulnerable due to improper handling of the FoomaticRIPCommandLine parameter within PPD (PostScript Printer Description) files. An attacker can exploit this vulnerability to inject and execute arbitrary commands on a target system without requiring authentication. When a print job is initiated, this can lead to remote code execution (RCE), posing a significant security risk.

Attackers can exploit this vulnerability by sending specially crafted network packets to the cups-browsed service on UDP port 631. If the service connects to a malicious IPP (Internet Printing Protocol) server, the injected attributes can execute as code when a print job is processed.

Impact and Exploitation:
Exploiting this vulnerability allows remote code execution, which could lead to full control over the system. This exposure is especially critical on systems where the CUPS service is accessible on port 631 from the public internet or within a local network.

Affected Versions:
All versions of cups-filters up to 2.0.1 are impacted. Systems running the cups-browsed service with these versions are at risk.

Mitigation and Patching Instructions:

Check for Running cups-browsed Services:

Apply the Patches Immediately:
Security patches have been released by Linux distributions to address this vulnerability. Visit the appropriate support page for your system, such as the Red Hat Security Portal at https://access.redhat.com/, to download and install the required patch.

Disable the cups-browsed Service:
If the print services are not needed or while awaiting a patch, consider stopping and disabling the cups-browsed service to mitigate exposure:

Network Access Restrictions:
To prevent exposure, use firewall rules to block incoming traffic on UDP port 631. This limits the risk of external attacks. Additionally, restrict or disable mDNS/DNS-SD services as a further precaution.

Verification and Security Testing:
After applying the updates, confirm that the cups-filters package is updated to a secure version. Conduct regular security scans to detect any potential vulnerabilities or exploitation attempts.
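The four "Mitigation and Patching Instructions" sections above (one per CVE) give the same steps: check whether cups-browsed is running and bound to UDP 631, stop and disable it if it is not needed, block the port, and verify the installed version. The script below is an added example, not RedLegg's or the CUPS project's code, that turns those steps into a small audit. It assumes a systemd host with ss(8) available, and it goes one step beyond the bulletin by also checking the cups-browsed.conf directive BrowseRemoteProtocols, whose hardened value is "none"; the version and config checks parse text, so they can be exercised on a host without CUPS installed.

```shell
#!/bin/sh
# Added example (not RedLegg's code) covering the "check", "disable",
# "network hardening" and "verify" steps. Assumes a systemd host with ss(8);
# the version and config checks parse text, so they run without CUPS.

# version_le A B: true when dotted version A <= B. Non-numeric suffixes such
# as the "b1" in 2.1b1 are dropped by awk's numeric coercion (2.1b1 == 2.1).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 0 }'
}

# browse_remote_enabled: reads a cups-browsed.conf on stdin; true when the
# daemon still accepts printers announced from the network. When the directive
# is absent the shipped default is "dnssd cups" (enabled); the hardened
# setting is "BrowseRemoteProtocols none".
browse_remote_enabled() {
    val=$(sed 's/#.*//' |
          awk 'tolower($1) == "browseremoteprotocols" { $1 = ""; print }' | tail -n 1)
    case " $(printf '%s' "$val" | tr 'A-Z' 'a-z') " in
        *" none "*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Constructed sample config (not from any real host) to exercise the parser.
SAMPLE_CONF='# constructed cups-browsed.conf
BrowseRemoteProtocols dnssd cups'

printf '%s\n' "$SAMPLE_CONF" | browse_remote_enabled \
    && echo "sample conf: remote browsing enabled; set 'BrowseRemoteProtocols none'"
version_le 2.0.1 2.0.1 && echo "cups-browsed 2.0.1 is in the affected range (<= 2.0.1)"

# Live audit of this host, only when asked for: sh cups_audit.sh --live
if [ "${1-}" = "--live" ]; then
    systemctl is-active --quiet cups-browsed && echo "cups-browsed is active"
    ss -ulnp 2>/dev/null | grep -q ':631 ' && echo "a process is bound to UDP 631"
    [ -r /etc/cups/cups-browsed.conf ] && browse_remote_enabled </etc/cups/cups-browsed.conf \
        && echo "remote browsing enabled in /etc/cups/cups-browsed.conf"
    echo "to disable: systemctl stop cups-browsed && systemctl disable cups-browsed"
    echo "to block the port (nftables): nft add rule inet filter input udp dport 631 drop"
fi
```

Feed version_le the version reported by your package manager (for example `rpm -q --qf '%{VERSION}' cups-browsed` or `dpkg-query -W -f '${Version}' cups-browsed`, stripped of the distribution's release suffix) and the last affected version from the relevant section above.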

For More Information: To learn more about the vulnerability and its technical details, visit the National Vulnerability Database entry at https://nvd.nist.gov/vuln/detail/CVE-2024-47177. Immediate action is recommended to prevent exploitation of this critical vulnerability.
