Critical Vulnerability in CUPS (CVE-2024-47177)

Executive Summary

On September 26th, 2024, an independent researcher disclosed a critical vulnerability in CUPS, a printing software package commonly used in Linux systems. CUPS may be enabled by default on some versions of Linux, meaning a server not intended or used as a print server may still be vulnerable as a result. Successful exploitation of this vulnerability yields remote code execution (RCE) to an attacker, so any externally facing Linux servers vulnerable to this bug present a significant risk to organizations.

This vulnerability consists of four bugs (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177) that must be exploited together. Successful exploitation can be done remotely and without access credentials. Enough details were provided with the initial disclosure for quick development of weaponized exploits, and public proof-of-concept (PoC) examples have already been released. Additionally, patches had not been released at the time of writing.

There are mitigating factors that will help reduce the real-world impact, the main one being that an exploit requires manual user interaction in the form of tricking a user into printing from a malicious, attacker-controlled, fake printer. There is still risk, and we expect financially motivated threat actors to deploy custom weaponized versions of this exploit immediately. Affected organizations should apply the recommended mitigation steps as soon as possible.

Affected Systems / Products

The following CUPS software components and corresponding versions are vulnerable:

  • cups-browsed <= 2.0.1
  • libcupsfilters <= 2.1b1
  • libppd <= 2.1b1
  • cups-filters <= 2.0.1

Mitigations / Workarounds

Most Internet-facing Linux hosts should not need to have CUPS available publicly, so the cups-browsed service should simply be stopped and disabled:

sudo systemctl stop cups-browsed

sudo systemctl disable cups-browsed

Organizations can additionally block inbound UDP traffic to port 631, the default port for CUPS.
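The following script is an added example and not part of the advisory or Beazley Security's tooling. It turns the affected-version list above into a check that can be run against installed packages, and wraps the workaround (stop and disable cups-browsed, block UDP 631) in a single function. It assumes GNU coreutils (for `sort -V`), a dpkg-based distribution for the package scan, Debian-style package names such as `libcupsfilters2` and `libppd2`, and iptables for the firewall rule; adapt the rule to whatever firewall the host actually uses.

```shell
#!/bin/sh
# Added example, not from the advisory: check installed CUPS components against
# the affected versions listed above and apply the workaround.
# Assumptions: GNU sort -V; dpkg-based system for the scan; Debian-style package
# names (libcupsfilters2, libppd2); iptables for the illustrative firewall rule.

# Highest affected version per component, as listed in the advisory.
affected_max() {
  case "$1" in
    cups-browsed)   echo "2.0.1" ;;
    libcupsfilters) echo "2.1b1" ;;
    libppd)         echo "2.1b1" ;;
    cups-filters)   echo "2.0.1" ;;
    *)              return 1 ;;
  esac
}

# Map a distribution package name to the advisory's component name (assumed naming).
component_of() {
  case "$1" in
    cups-browsed)    echo "cups-browsed" ;;
    libcupsfilters*) echo "libcupsfilters" ;;
    libppd*)         echo "libppd" ;;
    cups-filters)    echo "cups-filters" ;;
    *)               return 1 ;;
  esac
}

# version_le A B: succeed when A <= B under version ordering (GNU sort -V).
version_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# is_affected PACKAGE VERSION: succeed when PACKAGE is one of the four components
# and its upstream version is within the advisory's affected range.
is_affected() {
  comp=$(component_of "$1") || return 1
  max=$(affected_max "$comp") || return 1
  ver=${2#*:}        # drop a Debian epoch, e.g. 1:2.0.1 -> 2.0.1
  ver=${ver%%-*}     # drop the Debian revision, e.g. 2.0.1-1 -> 2.0.1
  version_le "$ver" "$max"
}

# scan_installed: report each installed component as AFFECTED or ok.
scan_installed() {
  dpkg-query -W -f '${Package} ${Version}\n' \
      cups-browsed 'libcupsfilters*' 'libppd*' cups-filters 2>/dev/null |
  while read -r pkg ver; do
    if is_affected "$pkg" "$ver"; then
      echo "AFFECTED $pkg $ver"
    else
      echo "ok       $pkg $ver"
    fi
  done
}

# listening_on_udp_631: succeed when any socket is bound to UDP 631 (ss output,
# field 4 is Local Address:Port). Useful to confirm the service is really off.
listening_on_udp_631() {
  ss -lun 2>/dev/null | awk 'NR > 1 && $4 ~ /:631$/ { found = 1 } END { exit !found }'
}

# apply_workaround: the advisory's mitigation plus an inbound UDP 631 block.
apply_workaround() {
  sudo systemctl stop cups-browsed
  sudo systemctl disable cups-browsed
  sudo iptables -I INPUT -p udp --dport 631 -j DROP   # illustrative; adapt to your firewall
}

case "${1:-}" in
  --scan)  scan_installed
           if listening_on_udp_631; then echo "UDP 631 is still open"; fi ;;
  --fix)   apply_workaround ;;
esac
```

Run with `--scan` to list installed components and whether they fall in the affected range, and with `--fix` to apply the workaround. Version comparison strips the Debian epoch and revision before comparing, so a backported package whose upstream version is still in range is reported as affected; once vendor patches ship, the fixed versions will need to be checked against the distribution's changelog rather than this upstream range.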

Patches

Patches were not available at time of writing, but are reported to be in development. This document will be updated when vendor patches are released.

Technical Details

As previously mentioned, the issue is four separate vulnerabilities that must be exploited together to achieve RCE on a victim host. The attack chain is as follows:

1. An attacker sends a specially crafted packet to a vulnerable server

2. The packet causes the target to connect to a fake, attacker-controlled printer

3. The fake printer sends back a malicious configuration file

4. A victim user is tricked into starting a print job on the target server

5. The malicious configuration file executes arbitrary code

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Karma product to identify potentially impacted devices and support organizations in remediation of any issues found.

Sources
