CUPS vulnerabilities could put Linux systems at risk

Security researcher Simone Margaritelli discovered vulnerabilities in the Common UNIX Printing System that attackers could exploit during print jobs against Linux systems.

A security researcher disclosed four Common UNIX Printing System vulnerabilities that could allow remote code execution on Linux systems, but no patches are currently available.

In a blog post published on Thursday, security researcher Simone Margaritelli disclosed four vulnerabilities in CUPS, an open-source printing program for Linux and Unix systems. The vulnerabilities are tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177. They can be chained to allow for arbitrary command execution on the computer. Margaritelli warned that the flaws affect all Linux systems, Oracle Solaris, most UNIX systems and possibly Google Chromium and Chrome OS.

During his research, Margaritelli found the "cups-browsed" feature is responsible for discovering new printers and automatically adding them to the system. From there he examined the Internet Printing Protocol (IPP), which is how users send and manage print jobs over the network, and discovered he could add a fake printer to the local printers listing with no notification sent to the user.

"A remote unauthenticated attacker can silently replace existing printers' (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer)," Margaritelli wrote in the blog post.

Margaritelli published a proof-of-concept exploit. Affected Linux distributors and software vendors have not yet released patches.

It appears public disclosure was initially scheduled for Oct. 6, though Margaritelli claimed on X, formerly Twitter, that his research was leaked to the public, which forced him to disclose early. He recommended disabling and removing the cups-browsed service and updating the CUPS package on all systems.

The severity of the four vulnerabilities is unclear. Margaritelli said in a post on X that "Canonical, RedHat and others have confirmed the severity, a 9.9," though he later clarified that he was unfamiliar with how CVSS scores are determined. However, Red Hat did not assign scores in its public advisory for the CUPS flaws.

Tenable expanded on the vulnerabilities in a separate blog post Thursday, in which it rated one flaw, CVE-2024-47177, as critical with a 9.1 CVSS score while the other three were rated as high severity. While some in the infosec community expressed concern about the potential severity of the vulnerabilities, Tenable said it may be misplaced.

The chained flaws were being compared to Log4Shell, a critical remote code execution vulnerability discovered in the open source Log4j software package in 2021. The flaw received a 10 CVSS score and was widely targeted by nation-state threat actors, as well as ransomware groups.

"While there has been a lot of attention given to these vulnerabilities prior to disclosure, based on what has been disclosed as of September 26, these flaws are not at the level of something like Log4Shell or Heartbleed. We encourage organizations not to panic about these flaws as most attackers continue to exploit known vulnerabilities in internet facing assets," Tenable wrote in the blog post.

Tenable shared a Shodan search that found around 75,000 internet-accessible hosts running CUPS as of Thursday. However, the vulnerability management vendor stated the flaws were not exploited as zero-days.

Tenable also advised users to disable and remove cups-browsed from vulnerable systems as well as block traffic to UDP port 631, the port cups-browsed listens on.
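As an added example (not from the article or the CUPS project), a read-only triage script that checks the two things Margaritelli and Tenable recommend acting on above: whether the cups-browsed unit is enabled and whether anything is bound to UDP port 631. It assumes a systemd host with ss(8) and the unit name cups-browsed; the ss output embedded at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the article or the CUPS project: read-only triage for
# the cups-browsed exposure described above. It reports whether the cups-browsed
# unit is enabled and whether any socket is bound to UDP port 631 (the port
# cups-browsed listens on for printer announcements), then prints the
# mitigation steps the article names. Assumes a systemd host with ss(8).

# Pure check: does `ss -uln` output show a UDP socket bound to port 631?
# Column 4 of ss output is "Local Address:Port"; matches IPv4 and [::] forms.
udp631_listening() {
    printf '%s\n' "$1" | awk '$1 == "UNCONN" && $4 ~ /:631$/ { found = 1 }
                              END { exit found ? 0 : 1 }'
}

# Pure verdict from the unit state (enabled/disabled/masked/absent) and the
# listener check: exposed, listening-only, enabled-only or clean.
cups_browsed_verdict() {
    unit_state=$1; ss_output=$2
    if udp631_listening "$ss_output"; then listening=1; else listening=0; fi
    case "$unit_state" in enabled*) enabled=1 ;; *) enabled=0 ;; esac
    if [ "$enabled" -eq 1 ] && [ "$listening" -eq 1 ]; then echo exposed
    elif [ "$listening" -eq 1 ]; then echo listening-only
    elif [ "$enabled" -eq 1 ]; then echo enabled-only
    else echo clean; fi
}

# Live, read-only check on this host; prints the verdict and the mitigation.
check_host() {
    state=$(systemctl is-enabled cups-browsed 2>/dev/null); [ -n "$state" ] || state=absent
    verdict=$(cups_browsed_verdict "$state" "$(ss -uln 2>/dev/null)")
    echo "cups-browsed unit: $state; verdict: $verdict"
    [ "$verdict" = clean ] && return 0
    echo "Mitigation (as recommended in the article; run as root):"
    echo "  systemctl disable --now cups-browsed && systemctl mask cups-browsed"
    echo "  block inbound UDP 631 at the host firewall"
    echo "  update the cups packages once your distribution publishes fixes"
}

# Constructed sample of `ss -uln` output (not captured from a real host).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*'

# Run the live check only when asked; otherwise demonstrate on the sample.
if [ "${1:-}" = "--live" ]; then
    check_host
else
    echo "sample verdict: $(cups_browsed_verdict enabled "$SAMPLE_SS")"  # exposed
fi
```

Run it with `--live` on a host to check the real unit state and sockets; without arguments it only evaluates the constructed sample.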

Rapid7 also addressed the vulnerabilities in a blog post on Thursday. The security vendor stated it expects patches to be released "over the next few days." However, it also warned that malicious activity could be imminent.

"While the vulnerabilities are not known to be exploited in the wild at time of disclosure, technical details were leaked before the issues were released publicly, which may mean attackers and researchers have had opportunity to develop exploit code," Rapid7 wrote in the blog post.

Like Tenable, Rapid7 urged users to read a Red Hat advisory that provides more mitigation details.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
