Critical CUPS Vulnerability Affecting Major Linux Distributions

A group of critical vulnerabilities in the Common UNIX Printing System (CUPS) has emerged, affecting the majority of major Linux distributions.

Kodem Security Research Team
September 27, 2024
Vulnerability Alert: Critical CUPS Vulnerability Affecting Major Linux Distributions

Here’s What We Know

Recently, a group of critical vulnerabilities in the Common UNIX Printing System (CUPS) has emerged, affecting the majority of major Linux distributions. These vulnerabilities, disclosed by Simone Margaritelli, include CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177. Each of these flaws could allow remote code execution (RCE), opening the door for attackers to gain control over affected systems without authentication. The vulnerabilities primarily target the cups-browsed service, which is used across many Linux distributions, including Red Hat, Ubuntu, and Fedora.

How the Exploit Works

Margaritelli’s research into these CVEs shows how attackers can exploit port 631, which is the default for the Internet Printing Protocol (IPP), to inject malicious printer configurations via UDP packets or spoofed local network traffic. These configurations are then fetched by the CUPS service and, when a print job is initiated, the system executes the attacker’s code.

Each vulnerability plays a role in this larger attack chain:

  • CVE-2024-47076: Involves flaws in handling IPP requests, allowing crafted packets to manipulate network connections.
  • CVE-2024-47175: Allows exploitation through local network attacks, making internal servers vulnerable.
  • CVE-2024-47176: Targets remote systems by injecting malicious printer configurations, compromising external-facing systems.
  • CVE-2024-47177: Focuses on file handling, enabling attackers to manipulate print jobs and gain control over privileged services.

Together, these CVEs paint a comprehensive picture of how CUPS services are vulnerable to both remote and local network attacks.

Red Hat's Response

Red Hat has acknowledged these vulnerabilities and rated them as “Important.” While Red Hat Enterprise Linux (RHEL) is affected, the default configuration mitigates some risk because cups-browsed is not enabled by default. However, Red Hat strongly recommends disabling cups-browsed if not needed, applying firewall rules to block port 631, and preparing for patch deployment as soon as available.

Immediate Mitigation Steps

Organizations must take proactive steps to mitigate these risks, especially as patches may take time to roll out across different distributions. Here’s what you can do:

  1. Disable cups-browsed if it is not essential to your operations.
  2. Block port 631 to prevent external exploitation.
  3. Monitor for patches and apply them as soon as your vendor releases them.
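
The script below is an added example, not part of the original post or of any vendor tooling. It checks whether a host has UDP port 631 bound to a network-reachable address and wraps steps 1 and 2 in a function. It assumes a systemd host with iproute2's `ss` and an iptables front end; the function names and the sample `ss` output are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Audits a host for the
# cups-browsed exposure and applies mitigation steps 1 and 2.

# stdin: `ss -H -lun` output. Prints every local address bound to UDP 631
# that is not loopback-only, i.e. reachable from the network.
exposed_udp631() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:631$/) {            # first hit is the local address
                if ($i !~ /^(127\.|\[::1\])/) print $i
                break
            }
    }'
}

# $1: `systemctl is-active cups-browsed` output; stdin: `ss -H -lun` output.
verdict() {
    state=$1
    hits=$(exposed_udp631)
    if [ -n "$hits" ]; then echo EXPOSED
    elif [ "$state" = active ]; then echo ACTIVE_NO_EXTERNAL_LISTENER
    else echo OK
    fi
}

audit_host() {   # live check on a systemd host with iproute2 installed
    ss -H -lun | verdict "$(systemctl is-active cups-browsed 2>/dev/null || true)"
}

mitigate() {     # run as root; iptables is an assumed firewall front end
    systemctl disable --now cups-browsed            # step 1
    iptables  -I INPUT -p udp --dport 631 -j DROP   # step 2, IPv4
    ip6tables -I INPUT -p udp --dport 631 -j DROP   # step 2, IPv6
}

# Constructed sample of `ss -H -lun` output, not captured from a real host.
SAMPLE='UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 [::1]:631 [::]:*'

case "${1:-}" in
    --live) audit_host ;;
    --fix)  mitigate ;;
    *)      printf '%s\n' "$SAMPLE" | verdict active ;;   # prints EXPOSED
esac
```

The iptables rules cover UDP only, the transport named above, and do not survive a reboot unless saved with the distribution's own persistence mechanism.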

Kodem’s Unique Approach

For Kodem customers, our platform makes it easy to identify if you're exposed to these vulnerabilities. With our Runtime Intelligence and Attack Chain Analysis, you can:

  • Instantly identify whether your systems are using the vulnerable libraries.
  • Understand if these libraries are active in runtime, particularly in external-facing parts of your infrastructure.
  • Visualize how these CVEs could be exploited in a real-world attack chain, enabling your team to prioritize effective mitigation strategies.

Kodem’s focus on runtime intelligence and attack chain analysis allows you to move beyond simple patching and truly understand the real-world implications of vulnerabilities like CVE-2024-47076 through CVE-2024-47177.

This group of vulnerabilities in CUPS underscores the importance of maintaining vigilance over even fundamental services like printing. By understanding the risks, applying mitigations, and leveraging tools like Kodem, organizations can defend against these threats effectively.

Stay informed as patches are released, and for advanced attack chain analysis, contact Kodem to stay one step ahead.


References:

  1. Simone Margaritelli, Attacking UNIX Systems via CUPS: Part I. evilsocket.net
  2. Red Hat Blog, Red Hat Response to OpenPrinting CUPS Vulnerabilities. redhat.com
  3. Qualys Security Blog, Critical Unauthenticated RCE Flaws in CUPS Printing Systems. blog.qualys.com
  4. The Register, Critical Linux Bug is CUPS-Based Remote Code Execution Hole. www.theregister.com
  5. Security Online, Critical CUPS Vulnerabilities Expose Linux and Other Systems to Remote Attacks. securityonline.info
