This Threatfeed is the first in a series exploring vulnerabilities in Unix systems, specifically targeting GNU/Linux systems through the Common Unix Printing System (CUPS). As noted by a contributor to the CUPS project:
> _"From a generic security point of view, a whole Linux system as it is nowadays is just an endless and hopeless mess of security holes waiting to be exploited."_
This statement underscores the critical need to examine and address these vulnerabilities to enhance system security.
Summary
Several vulnerabilities have been identified in CUPS and its associated components, which, when combined, allow for remote code execution (RCE) on affected systems:
- CVE-2024-47176: `cups-browsed` versions ≤ 2.0.1 bind to UDP `INADDR_ANY:631`, accepting packets from any source, which can trigger a `Get-Printer-Attributes` IPP request to an attacker-controlled URL.
- CVE-2024-47076: `libcupsfilters` versions ≤ 2.1b1 have a vulnerability where `cfGetPrinterAttributes()` does not validate or sanitize IPP attributes returned from an IPP server, allowing attacker-controlled data into the CUPS system.
- CVE-2024-47175: `libppd` versions ≤ 2.1b1's `ppdCreatePPDFromIPP2()` function fails to validate or sanitize IPP attributes when writing them to a temporary PPD file, enabling injection of attacker-controlled data.
- CVE-2024-47177: `cups-filters` versions ≤ 2.0.1 include `foomatic-rip`, which allows arbitrary command execution via the `FoomaticRIPCommandLine` PPD parameter.
Impact
A remote, unauthenticated attacker can silently replace existing printers or install new ones by manipulating IPP URLs with malicious ones. This manipulation can lead to arbitrary command execution on the target system when a print job is initiated.
Attack Vectors
Public Internet (WAN)
- An attacker sends a crafted UDP packet to port 631 on the target system.
- No authentication is required.
- This vector affects systems directly connected to the internet with port 631 exposed.
Local Network (LAN)
- An attacker can spoof Zeroconf, mDNS, or DNS-SD advertisements to achieve the same result.
- This method will be elaborated in subsequent write-ups focusing on macOS.
Affected Systems
The vulnerabilities affect a wide range of Unix-like systems where CUPS and `cups-browsed` are installed:
- Most GNU/Linux distributions
- Some BSD variants
- Oracle Solaris
- Potentially Google ChromeOS
- Other Unix-like operating systems
Note: The presence and default status of `cups-browsed` may vary across distributions.
Technical Details
Vulnerability in `cups-browsed` (CVE-2024-47176)
- Issue: `cups-browsed` listens on UDP port 631 on all network interfaces (`0.0.0.0`), accepting packets from any source.
- Risk: An attacker can send a specially crafted packet to trigger a `Get-Printer-Attributes` IPP request to an attacker-controlled URL.
- Cause: Lack of source IP address validation due to default configuration allowing all connections.
Lack of Input Validation in `libcupsfilters` (CVE-2024-47076)
- Issue: The function `cfGetPrinterAttributes5()` does not validate or sanitize IPP attributes received from a server.
- Risk: Attacker-controlled data can be injected into the CUPS system, potentially leading to malicious activities.
- Cause: Insufficient validation of IPP attributes returned from remote servers.
Improper Handling in `libppd` (CVE-2024-47175)
- Issue: The function `ppdCreatePPDFromIPP2()` fails to validate or sanitize IPP attributes when writing to a temporary PPD file.
- Risk: Allows injection of malicious directives into PPD files, which can be executed by the system.
- Cause: Lack of proper input sanitization when generating PPD files from IPP attributes.
Arbitrary Command Execution via `foomatic-rip` (CVE-2024-47177)
- Issue: The `foomatic-rip` filter allows execution of arbitrary commands through the `FoomaticRIPCommandLine` parameter in PPD files.
- Risk: An attacker can execute commands with the privileges of the CUPS system, potentially leading to full system compromise.
- Cause: Historical reliance on `foomatic-rip` for printer compatibility, with challenges in restricting its capabilities without breaking functionality.
Exploitation Overview
By chaining the identified vulnerabilities, an attacker can:
- Trigger a Malicious IPP Request:
- Send a crafted UDP packet to UDP port 631, causing `cups-browsed` to initiate a connection to an attacker-controlled IPP server.
- Inject Malicious IPP Attributes:
- The attacker's IPP server responds with malicious attributes that are not validated by `libcupsfilters` or `libppd`.
- Create Malicious PPD File:
- The system generates a PPD file containing injected directives, including potentially harmful commands.
- Execute Arbitrary Commands:
- When a user initiates a print job, the CUPS system processes the PPD file, executing the injected commands via `foomatic-rip`.
Note: User interaction is required (i.e., starting a print job) for the final execution step.
Remediation
Immediate Actions
- Disable `cups-browsed`:
- If not required, stop and disable the `cups-browsed` service:
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
- Update CUPS Packages:
- Apply security updates from your distribution's repositories as they become available.
- Network-Level Mitigation:
- Block incoming traffic on UDP port 631 at the firewall level.
- Consider restricting or disabling Zeroconf, mDNS, and DNS-SD services if not in use.
Long-Term Recommendations
- Audit Installed Packages:
- Remove unnecessary printing services and related packages if printing functionality is not required.
- Implement Access Controls:
- Configure `cups-browsed` to restrict allowed sources by editing `/etc/cups/cups-browsed.conf`.
- Monitor for Updates:
- Stay informed about security advisories related to CUPS and associated libraries.
The vulnerabilities in CUPS and its associated components present a significant security risk to Unix-like systems. Exploitation can lead to remote code execution with minimal attacker effort and no initial authentication. It is crucial for system administrators and users to take immediate action to mitigate these risks.
Additional Considerations
Responsible Disclosure Challenges
The process of responsibly disclosing these vulnerabilities highlighted challenges in communication and prioritization between security researchers and software maintainers. Efficient collaboration is essential to address security issues promptly and effectively.
Legacy Components
The continued use of legacy components like `foomatic-rip` poses security challenges due to their inherent vulnerabilities and the difficulty in restricting their capabilities without impacting functionality.
Future Research
Further analysis is being conducted on related vulnerabilities, including potential exploitation on other operating systems such as macOS. Subsequent write-ups will provide additional details.
References
- CUPS Official Documentation: cups.org
- Internet Printing Protocol (IPP) Specifications: IETF RFCs
- CVE Details:
- CVE-2024-47176
- CVE-2024-47076
- CVE-2024-47175
- CVE-2024-47177