Printing vulnerability affecting Linux distros raises alarm

A newly discovered series of four dangerous flaws in the Common Unix Printing System (Cups), which is used across virtually all GNU/Linux distros including Debian, Red Hat and SUSE, as well as Apple macOS and Google Chrome/Chromium among other things, is causing alarm bells to ring for security professionals over the potential scope of the problem.

The four vulnerabilities were uncovered by researcher Simone Margaritelli, aka evilsocket, who published his initial write-up and assessment after limited details were published via GitHub in what seems to have been a leak ahead of coordinated disclosure – something Computer Weekly understands was not supposed to happen until Sunday 6 October.

In his write-up, Margaritelli said that having attempted to follow a responsible disclosure process, he found himself fighting against dismissive developers who did not want to take the issue seriously.

The vulnerabilities are being tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177 and it is believed that, collectively, more than 76,000 devices – 42,000 of which accept publicly accessible connections – may be at risk. In Margaritelli’s posting, he suggested that number may be significantly higher, with between 200,000 and 300,000 devices possibly affected. He urged users to disable and remove Cups services if they do not need it.

Cups effectively serves as a standard printing system for Unix-like operating systems that essentially lets computers act as print servers, with a machine running Cups working as a host that accepts print jobs from clients, processes them and assigns them to a printer. Enabled by default in some cases – but not in others – it is in widespread use in the wild.

When chained together, the vulnerabilities enable an unauthenticated attacker to achieve remote code execution (RCE) against vulnerable systems if they can add a “ghost” printer with a malicious Internet Printing Protocol (IPP) URL to a computer and then begin a print job on it. It does not, however, allow for an attacker to start a print job on the victim server on their own – that is to say, if machines don’t get print jobs, the attack can’t be triggered.

Saeed Abbasi, product manager for the Qualys Threat Research Unit, said: “These vulnerabilities enable a remote unauthenticated attacker to replace existing printers’ IPP URLs with malicious ones silently. Consequently, arbitrary command execution can occur on the affected computer when a print job is initiated. An attacker can send a specially crafted UDP packet to port 631 over the public internet, exploiting the vulnerabilities without any authentication. 

“Since GNU/Linux systems are widely used in enterprise servers, cloud infrastructure and critical applications, the vulnerability has a broad attack surface and potentially affects a vast number of servers, desktops and embedded devices worldwide.

“Attackers do not need valid credentials to exploit the vulnerability. The vulnerability allows attackers to execute arbitrary code, potentially gaining full control over affected systems. It has a CVSS score of 9.9, which indicates that the vulnerability is critical,” said Abbasi.

“Enterprises should assess the exposure risk of Cups systems. Limit network access, deactivate non-essential services, and implement strict access controls. Prepare for quick patching as soon as a patch is available, and thoroughly test patches to prevent service interruptions.”

Comparisons to Log4j?

The fact that the vulnerability chain carries such a high CVSS score may indicate it will be relatively trivial to exploit, and according to Brian Fox, a governing board member of the Open Source Security Foundation (OSSF) and CTO of Sonatype, drawing comparisons to Log4Shell – a vulnerability in the Apache Log4j2 Java logging library discovered in 2021 that continues to be an issue – may be apt.

“Successful exploitation could be devastating – everything from your Wi-Fi router to the grid keeping the lights on runs on Linux,” said Fox. “This combination of low complexity and high usage is reminiscent of Log4Shell, though the scale of usage here is much more significant.

“I understand the logic in phasing out disclosure, as this vulnerability will take time to find and fix, however, we should also expect threat actors to be scrutinising the commit history and looking for clues to exploit.

Fox added: “As we wait for more details to come out, enterprise security teams must scour their environments and SBOMs to understand where they might be vulnerable and be prepared to patch. Cancel your vacations … it could be a race against attackers.”

The research team at JFrog, however, took an opposing view and held off on characterising the Cups vulnerabilities as a Log4Shell-style event, saying they believed the exploitation prerequisites are actually not that common.

“While no fixed versions have been published to either the upstream projects or to any Linux distributions, those impacted can mitigate these vulnerabilities without upgrading by disabling and removing the Cups-browsed service, blocking all traffic to UDP port 63 and all DNS-SD traffic,” said Shachar Menashe, senior director of JFrog Security Research.