Critical Unauthenticated RCE Vulnerability Discovered in All Linux Systems



A critical remote code execution (RCE) vulnerability has been discovered in the Common Unix Printing System (CUPS), impacting all GNU/Linux systems. Uncovered by Simone Margaritelli, the flaw comprises four CVEs (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177) and allows unauthenticated attackers to execute arbitrary commands on affected systems, posing a severe security risk.

Margaritelli, who initially disclosed the vulnerability, has now provided detailed technical insights into how the flaws can be exploited. The vulnerabilities stem from CUPS failing to properly sanitize or validate certain Internet Printing Protocol (IPP) attributes, which can allow attackers to manipulate printer configurations and execute arbitrary code.

For example:

  • CVE-2024-47176: The cups-browsed service listens on UDP port 631 and accepts untrusted packets, allowing an attacker to trigger requests to a malicious URL.
  • CVE-2024-47076: The libcupsfilters library fails to sanitize IPP attributes, letting attacker-controlled data infiltrate the system.
  • CVE-2024-47175: The libppd library allows the injection of malicious IPP attributes into PPD files.
  • CVE-2024-47177: The cups-filters package enables arbitrary command execution via the FoomaticRIPCommandLine parameter.

Margaritelli demonstrated how these vulnerabilities could be leveraged to gain RCE on a fully patched Ubuntu 24.04.1 LTS system running cups-browsed 2.0.1. An attacker can remotely replace a printer's IPP URL with a malicious one, which results in arbitrary command execution when a print job is initiated.

These vulnerabilities are exploitable via both public internet (WAN) and local networks (LAN), where attackers can send packets to UDP port 631 or spoof network advertisements. Scans of public IPv4 addresses revealed widespread exposure, with thousands of devices vulnerable to potential attacks.

Shodan data indicates that over 73,000 CUPS servers are accessible via UDP port 631, further amplifying the threat.

The vulnerabilities affect most GNU/Linux distributions, various BSD systems, Google Chromium/ChromeOS, Oracle Solaris, and potentially other platforms where CUPS and cups-browsed are used.

The issues have been reported to the OpenPrinting project, and some patches have been released. However, the researcher voiced frustration with the responsible disclosure process, citing delays and dismissiveness from developers.

A Red Hat engineer initially assigned the vulnerability a CVSS score of 9.9, highlighting its severity. While the researcher suggests the score might be slightly inflated, the ease of exploitation and widespread use of the affected package make this a critical security concern.

Recommendations

  • Disable and remove the cups-browsed service if not needed.
  • Update the CUPS package through available security patches.
  • If updates cannot be applied, block UDP port 631.
  • Consider blocking DNS-SD traffic as well.

To mitigate the risk, users are advised to disable and remove cups-browsed, update CUPS, and block relevant ports. Additionally, the researcher recommends removing all CUPS-related services, binaries, and libraries, and avoiding the use of zeroconf/avahi/bonjour listeners.
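
To confirm whether a host still has anything listening on UDP port 631 beyond loopback, before and after applying these steps, the following added example (not code from the researcher or the OpenPrinting project) parses the output of `ss -H -uln`. The function names and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report UDP/631 listeners and whether they are reachable
# beyond loopback. Function names are hypothetical, not part of CUPS.
# Live use:  ss -H -uln | audit_udp631

# Print the local address:port of every socket bound to UDP port 631.
# The peer column ends in ":*", so only the local column can match.
udp631_listeners() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:631$/) { print $i; break }
    }'
}

# Classify one local address as loopback-only or network-reachable.
classify_bind() {
    case "${1%:631}" in
        127.*|"[::1]") echo loopback ;;
        *)             echo exposed ;;
    esac
}

# Read `ss -H -uln` text on stdin, print "<kind> <addr>" per listener,
# and return 1 if any listener is reachable from the network.
audit_udp631() {
    listeners=$(udp631_listeners)
    rc=0
    while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        kind=$(classify_bind "$addr")
        echo "$kind $addr"
        if [ "$kind" = exposed ]; then rc=1; fi
    done <<EOF
$listeners
EOF
    return $rc
}

# Constructed sample input (not captured from a real host).
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 [::1]:631 [::]:*'

printf '%s\n' "$SAMPLE_SS" | audit_udp631 ||
    echo "UDP/631 is reachable: disable cups-browsed or block the port"
```

A non-zero return from `audit_udp631` makes it usable as a gate in a hardening or compliance script.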