Remote Code Execution Vulnerability Alert of Unix CUPS Print Service (CVE-2024-47076 / CVE-2024-47175 / CVE-2024-47177)

Remote Code Execution Vulnerability Alert of Unix CUPS Print Service (CVE-2024-47076 / CVE-2024-47175 / CVE-2024-47177)

September 29, 2024 | NSFOCUS

Overview

Recently, NSFOCUS CERT monitored the disclosure of the details of remote code execution vulnerabilities for Unix CUPS printing service on the Internet. When the system enables cups-browsed process listening (default port 631) to receive UDP packets, unauthenticated attackers induce victims to configure by constructing a malicious IPP server. When using the printing service, they can construct malicious requests to execute arbitrary commands on the victim’s machine. To take control of the target server. Whether the vulnerability can be actually exploited depends on the specific environment of the target (for example, there is a print task). At present, the details of the vulnerability and some PoC have been disclosed. Relevant users are requested to take measures for protection as soon as possible.

CVE-2024-47076: An improper input validation vulnerability exists in the libcupsfilters library, and an attacker can send malicious data to the CUPS system, causing attacker-controlled data to interact with the rest of the CUPS system.

CVE-2024-47175: An improper input verification vulnerability exists in the libppd library. Unverified IPP data may be written into a temporary PPD file, causing an attacker to inject malicious data.

CVE-2024-47176: When processing a network print task, the cups-browsed service binds INADDR_ANYaddress through UDP port 631. An unauthenticated attacker can send special packets to a controlled URL and execute arbitrary commands on the target system.

CVE-2024-47177: A command injection vulnerability exists in the cups-filters library, and an attacker can execute any command through the FoomaticRIPCommandLine PPD parameter.

CUPS (Common UNIX Printing System) is a universal open-source Unix printing system, which mainly uses IPP (Internet Printing Protocol) and other protocols to manage print jobs and queues. Cups-browsed is an open source print service component that is part of CUPS.

Scope of Impact

Affected Version

CVE-2024-47176

  • cups-browsed <= 2.0.1

CVE-2024-47076

  • libcupsfilters <= 2.1b1

CVE-2024-47175

  • libppd <= 2.1b1

CVE-2024-47177

  • cups-filters <= 2.0.1

Note: The above vulnerabilities affect Unix-based systems with CUPS services such as Ubuntu, Debian, Red Hat/Fedora, Arch Linux, openSUSE and Slackware.

Detection

Users can view the status of the cups-browsed service on the host by using the following command: systemctl status cups-browsed OR service cups-browsed status

If the result shows “Active: inactive (dead)”, the system is not affected by the above vulnerabilities. If the service is “running” or “enabled”, there is a corresponding security risk to the system.

Mitigation

Official upgrade

At present, no new version has been officially released to fix the vulnerabilities. Please pay attention to: https://github.com/OpenPrinting/cups-browsed/releases

Canonical (Ubuntu developer), Debian, Red Hat and other distribution development companies have issued security notices for the above vulnerabilities. It is recommended that affected users take corresponding measures to protect them in time:

https://www.redhat.com/en/blog/red-hat-response-openprinting-cups-vulnerabilities

https://security-tracker.debian.org/tracker/CVE-2024-47176 https://ubuntu.com/security/notices/USN-7043-1

Other protective measures

If relevant users cannot upgrade temporarily, the following measures can also be taken for temporary protection:

Set cups-browsed (default port 631) to prohibit receiving UDP packets or restrict whitelist access;

If there is no service requirement, you are advised to disable the cups-browsed process.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, a pioneering leader in cybersecurity, is dedicated to safeguarding telecommunications, Internet service providers, hosting providers, and enterprises from sophisticated cyberattacks.

Founded in 2000, NSFOCUS operates globally with over 4000 employees at two headquarters in Beijing, China, and Santa Clara, CA, USA, and over 50 offices worldwide. It has a proven track record of protecting over 25% of the Fortune Global 500 companies, including four of the five largest banks and six of the world’s top ten telecommunications companies.

Leveraging technical prowess and innovation, NSFOCUS delivers a comprehensive suite of security solutions, including the Intelligent Security Operations Platform (ISOP) for modern SOC, DDoS Protection, Continuous Threat Exposure Management (CTEM) Service and Web Application and API Protection (WAAP). All the solutions and services are augmented by the Security Large Language Model (SecLLM), ML, patented algorithms and other cutting-edge research achievements developed by NSFOCUS.