TLP: CLEAR
CanSSOC Threat Assessment ^[*]: SEVERE

1. Summary
2. Details
3. Recommendations
4. References
5. Support

On September 26th, a set of vulnerabilities in multiple components of the Common UNIX Printing System (CUPS) open-source printing system were discovered. These flaws could potentially allow a remote unauthenticated attacker to execute arbitrary commands on UNIX systems under certain conditions. CUPS is the most common printing system on Linux and many other UNIX-based systems, including FreeBSD, NetBSD, and OpenBSD. In addition, it plays an important role in network printing setups, where it searches for and makes available network or shared printers using the cups-browsed daemon.

Remote connections from any device on the network are automatically accepted on UDP port 631 to generate a new print as soon as the cups-browsed service is enabled. An attacker can then exploit by generating a malicious PostScript Printer Description (PPD) file and distributing it to the vulnerable cups-browsed service. Once the malicious printer has been automatically installed on the remote machine, a subsequent print job will run the malicious command contained in the PPD file. This is due to flaws in the foomatic-rip filter, which runs commands to properly render print jobs.

Given the ease of exploitation in vulnerable configurations, CanSSOC strongly encourages institutions to implement recommended mitigations. Furthermore, monitor for any suspicious activities related to these vulnerabilities and report any findings to CanSSOC through their institutional Slack channel or via security@canssoc.canarie.ca.

• CVE| CVSS3 (Affected components): The four vulnerabilities can be chained together to achieve Remote Code Execution (RCE):
  • CVE-2024-47176 | 8.4 (cups-browsed <= 2.0.1): cups-browsed binds to UDP INADDR_ANY:631, allowing any packet from any source to trigger a Get-Printer-Attributes IPP request to a malicious URL.
  • CVE-2024-47076 | 8.6 (libcupsfilters <= 2.1b1): cfGetPrinterAttributes5 does not validate or sanitize IPP attributes returned from an IPP server, allowing attacker-controlled data to flow into the CUPS system.
  • CVE-2024-47175 | 8.6 (libppd <= 2.1b1): ppdCreatePPDFromIPP2 does not validate or sanitize IPP attributes when writing to a temporary PPD file, enabling data injection into the resulting PPD file.
  • CVE-2024-47177 | 9.0 (cups-filters <= 2.0.1): The foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.
• Impacted systems:
  • Most GNU/Linux distributions
  • Some BSD systems (FreeBSD, NetBSD, OpenBSD)
  • Google Chromium / ChromeOS
  • Oracle Solaris
  • Other UNIX-like operating systems
• Fixed version: No patches or fixed versions published at this moment.
• Active exploitation: There have been some reports of an attempted exploitation in the wild [3]. Additionally, a proof of concept has been released for these vulnerabilities.

• Disable vulnerable services: Disable and remove the cups-browsed service if not required using these commands:
  sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
• Check service status: Use the command below, if the result shows “Active: inactive (dead),” then the system is not vulnerable. If it shows “running” or “enabled,” the system may be at risk.
  sudo systemctl status cups-browsed
• Restrict network access: Block all traffic to UDP port 631 and DNS-SD traffic if zeroconf/mDNS is not required in your environment.
• Consider removing CUPS and zeroconf services entirely: Block all traffic to UDP port 631 and DNS-SD traffic if zeroconf/mDNS is not required in your environment.
• Monitor network traffic and configuration changes to identify potential malicious activities.

• Red Hat’s response to OpenPrinting CUPS vulnerabilities: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177
• Attacking UNIX Systems via CUPS – evilsocket.net
• CANSSOC MISP threat sharing
• CUPSHax proof of concept
• Patch for critical CUPS vulnerability: Don’t panic – Internet Storm Center
• CUPS flaws enable Linux remote code execution, but there’s a catch – Bleeping Computer

As always, please contact security.response@utoronto.ca if you have any questions or concerns or feel that a device has been compromised by this vulnerability.

[*] The CanSSOC Threat Assessment has the following four scores: LOW, MEDIUM, HIGH, SEVERE.