A series of critical zero-day vulnerabilities in the Common UNIX Printing System (CUPS) service allows unauthenticated remote code execution (RCE) on various UNIX systems, potentially affecting hundreds of thousands of devices. The discovery, made by security researcher Simone Margaritelli (aka @evilsocket), shows that the flaws can be exploited to gain control over vulnerable systems by adding a malicious printer.
Summary of printing flaws
The vulnerabilities are mainly associated with CUPS, a widespread printing system on GNU/Linux and other UNIX systems, and are identified as follows:
- CVE-2024-47176 (CVSS 8.6): The cups-browsed component, version <= 2.0.1, binds to UDP INADDR_ANY:631, allowing any packet from any source to trigger an IPP (Internet Printing Protocol) request to a malicious URL.
- CVE-2024-47076 (CVSS 8.6): In libcupsfilters, version <= 2.1b1, the function cfGetPrinterAttributes5 does not validate or sanitize IPP attributes from servers, leading to untrusted data being fed into the CUPS system.
- CVE-2024-47175 (CVSS 8.6): libppd, version <= 2.1b1, contains ppdCreatePPDFromIPP2 which similarly does not sanitize IPP attributes, allowing injection of controlled data into temporary PPD files.
- CVE-2024-47177 (CVSS 9.9): The foomatic-rip filter in cups-filters, version <= 2.0.1, enables arbitrary command execution through the FoomaticRIPCommandLine PPD parameter, allowing full remote code execution when print jobs are initiated.
Together, these vulnerabilities allow an attacker to remotely exploit a machine by injecting a rogue IPP printer and executing arbitrary commands whenever a print job is initiated.
Discovery and impact
During a routine network audit, Margaritelli identified that the cups-browsed service was listening on all network interfaces (0.0.0.0:631) via UDP, effectively exposing the service to any network traffic, including the internet. This binding to INADDR_ANY makes it accessible over all interfaces (LAN, WAN, VPN), leading to the first vulnerability.
The attack chain involves sending a malicious UDP packet to port 631, which tricks the cups-browsed service into connecting back to an attacker-controlled IPP server. This server then responds with specially crafted attributes that, when saved into a PPD file, allow command injection through the FoomaticRIPCommandLine directive. Since foomatic-rip has historically allowed arbitrary command execution and lacks proper sanitization in CUPS, the vulnerability is particularly dangerous.
The wide distribution of CUPS across UNIX-based systems, including Linux distributions like Debian, Ubuntu, Red Hat/Fedora, Arch Linux, and potentially Google's ChromeOS and Oracle Solaris, makes this vulnerability widespread. According to the researcher, a scan of public IPv4 ranges revealed connections from hundreds of thousands of devices running vulnerable versions of cups-browsed.
Technical details
The cups-browsed service expects a packet in the format HEX_NUMBER HEX_NUMBER TEXT_DATA. Because most default setups impose no restrictions in its configuration, any incoming packet is accepted without validation.
Upon receipt of a packet with a URL pointing to an attacker-controlled IPP server, cups-browsed initiates a request to the server. The attacker then controls the response, sending specially crafted IPP attributes that lead to the execution of a command.
The response from the attacker-controlled server is stored in a PPD file without proper sanitization. Since PPD files contain configuration details for printers, including executable filters, the attacker can exploit this to inject malicious PPD directives.
A vulnerability in foomatic-rip allows the injection of the FoomaticRIPCommandLine directive, which runs arbitrary shell commands when a print job is sent to the compromised printer.
The following attack chain results from these flaws:
- An attacker scans for devices with an open UDP port 631.
- A malicious IPP packet is sent to the target, tricking it into connecting back to an IPP server controlled by the attacker.
- The attacker's server responds with IPP attributes designed to inject malicious PPD directives.
- Once a print job is sent to the rogue printer, the malicious command is executed on the target system, achieving RCE.
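The three-field packet layout described above, as an added example that is not part of the original article or the cups-browsed code base: a small parser that splits a browse packet into its fields and flags the ones whose callback URI points outside a trusted network. It assumes the text field begins with the printer URI and that 192.168.1.0/24 is the local printer subnet; the sample packets are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed samples of the HEX_NUMBER HEX_NUMBER TEXT_DATA layout.
SAMPLE_PACKETS = [
    b'0 3 ipp://192.168.1.20:631/printers/office "Floor 2" "HP LaserJet"',
    b'0 3 http://203.0.113.10:631/printers/x "lobby" "unknown"',
    b'not hex at all',
    b'0 3 ipp://printer.example.test:631/printers/y',
]

# Assumption: the only network that legitimately hosts printers here.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

HEX = re.compile(r"[0-9a-fA-F]+")


def parse_browse_packet(raw: bytes) -> dict:
    """Split a browse packet into type, state and URI.
    Raises ValueError when the first two tokens are not hex numbers."""
    parts = raw.decode("utf-8", errors="replace").split(None, 2)
    if len(parts) < 3:
        raise ValueError("packet has fewer than three fields")
    type_hex, state_hex, rest = parts
    if not HEX.fullmatch(type_hex) or not HEX.fullmatch(state_hex):
        raise ValueError("type/state are not hex numbers")
    uri = rest.split(None, 1)[0]  # assumption: text field starts with the URI
    return {"type": int(type_hex, 16), "state": int(state_hex, 16), "uri": uri}


def classify(raw: bytes) -> str:
    """Tell a defender whether the packet would make cups-browsed call an untrusted host."""
    try:
        pkt = parse_browse_packet(raw)
    except ValueError:
        return "malformed"
    host = urlsplit(pkt["uri"]).hostname
    if host is None:
        return "malformed"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name cannot be checked against the subnet list without resolving it.
        return "alert: hostname URI, locality cannot be verified"
    if any(addr in net for net in TRUSTED_NETS):
        return "trusted"
    return f"alert: untrusted callback host {host}"
```

Run over a capture of UDP 631 traffic, every "alert" line is a packet that would have made cups-browsed connect to a host you do not control.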
Who is Vulnerable?
Any UNIX-based system packaged with the CUPS service may be vulnerable. This includes Linux distributions such as Ubuntu, Debian, Arch Linux, Red Hat, Fedora, and openSUSE. Notably, Red Hat ships the cups-browsed service disabled by default, which reduces the risk.
Systems such as some BSD variants, Solaris, and potentially ChromeOS may also be vulnerable depending on whether they enable the CUPS service by default (many do), making this vulnerability significant for a large number of servers and devices.
Mitigation and Defense
As no patched versions have been released yet, users can mitigate these vulnerabilities by performing at least one of the following actions:
Disable and remove the cups-browsed service (if not needed) by using the following command:
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
Also, consider blocking all traffic to UDP port 631 and all DNS-SD traffic, especially if zeroconf is used.
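An audit check for the two conditions discussed on this page, added here as example code rather than anything from the article or the CUPS project: it reports cups-browsed sockets bound to a wildcard address on UDP 631 (from `ss -lunp` output) and lists installed PPD files that carry a *FoomaticRIPCommandLine directive. The `ss` output and PPD fragments are constructed samples; `load_ppd_dir` reads the real /etc/cups/ppd directory when run on a host.

```python
import re
from pathlib import Path

# Constructed sample of `ss -lunp` output (UDP listeners).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*         users:(("cups-browsed",pid=912,fd=7))
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolved",pid=501,fd=13))
"""

# Constructed PPD fragments; the directive value is a placeholder, not a real command.
SAMPLE_PPDS = {
    "office.ppd": '*PPD-Adobe: "4.3"\n*ModelName: "Generic PCL"\n'
                  '*cupsFilter: "application/vnd.cups-raster 0 rastertopclx"\n',
    "rogue.ppd": '*PPD-Adobe: "4.3"\n*FoomaticRIPCommandLine: "PLACEHOLDER_COMMAND"\n'
                 '*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"\n',
}

WILDCARD_BINDS = {"0.0.0.0", "*", "[::]", "::"}


def exposed_browsers(ss_output: str) -> list:
    """Return (local_address, pid) for each cups-browsed UDP socket on 631 bound to all interfaces."""
    hits = []
    for line in ss_output.splitlines():
        if not line.startswith("UNCONN") or '"cups-browsed"' not in line:
            continue
        local = line.split()[3]
        addr, _, port = local.rpartition(":")
        if port == "631" and addr in WILDCARD_BINDS:
            pid = re.search(r"pid=(\d+)", line)
            hits.append((local, int(pid.group(1)) if pid else None))
    return hits


def ppds_with_rip_command(ppds: dict) -> list:
    """Return names of PPDs containing *FoomaticRIPCommandLine, which foomatic-rip runs per print job."""
    return sorted(name for name, body in ppds.items()
                  if re.search(r"^\*FoomaticRIPCommandLine:", body, re.MULTILINE))


def load_ppd_dir(path: str = "/etc/cups/ppd") -> dict:
    """Read the PPDs of installed queues on a real host (CUPS stores them under this path)."""
    return {p.name: p.read_text(errors="replace") for p in Path(path).glob("*.ppd")}


if __name__ == "__main__":
    for local, pid in exposed_browsers(SAMPLE_SS_OUTPUT):
        print(f"cups-browsed (pid {pid}) listens on {local}: stop and disable it, or filter UDP 631")
    for name in ppds_with_rip_command(SAMPLE_PPDS):
        print(f"{name}: review the FoomaticRIPCommandLine value before printing to this queue")
```

On a live system, replace SAMPLE_SS_OUTPUT with the output of `ss -lunp` and SAMPLE_PPDS with `load_ppd_dir()`; a queue created automatically by cups-browsed that carries the directive deserves the same scrutiny the article gives the rogue printer.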
Exploit Proof of Concept (PoC)
A fully weaponized exploit has been published and is available on GitHub. The exploit sends a UDP packet to a target device, which initiates a connection to an IPP server. This server then responds with malicious attributes that allow a PPD file injection and subsequent execution of arbitrary shell commands when a print job is started.
By sending a specially crafted packet to a device's open UDP 631 port, an attacker can learn the kernel version and CUPS version from the User-Agent header of the HTTP request the device then makes back to the attacker's server.
A published PoC video shows how a fully patched Ubuntu 24.04.1 LTS system running cups-browsed 2.0.1 is remotely compromised, with the attacker achieving RCE through the exploit chain.
Margaritelli expressed frustration with the responsible disclosure process, citing the slow and dismissive response from developers and security teams. After a series of leaks during the disclosure process, the vulnerabilities were publicly disclosed on September 26, 2024.
Given this development, users are advised to disable cups-browsed, apply network-level blocks, and stay updated for any security patches released by their operating system vendors.