On Sept. 23, developer and security researcher Simone Margaritelli revealed the discovery of multiple new vulnerabilities impacting OpenPrinting’s CUPS (the Common UNIX Printing System).
CUPS is the standard print spooler and scheduler for UNIX-like operating systems, including Linux and macOS. It allows computers to act as print servers, managing local and network printers.
Given CUPS’ ubiquity — it’s installed by default on numerous systems — the vulnerabilities have the potential to impact a broad range of systems. Per Margaritelli, these include “most GNU/Linux distributions, some BSDs, Oracle Solaris, and Google Chromium” in addition to possibly ChromeOS and others.
For most of our customers, the significant areas of risk are Linux-based systems as these are widely deployed. Already, we’ve seen confirmed reports about affected systems from Red Hat and Ubuntu.
However, despite the potentially extensive reach, preliminary indications are that the vulnerabilities are not as severe as other recent RCE issues (e.g. Log4Shell) but are still worth understanding and remediating.
This blog will provide a brief overview of the four CVEs currently associated with the CUPS vulnerabilities, their impact, and their fixes. For a more detailed breakdown, we highly recommend reading Margaritelli’s in-depth blog post.
CUPS Vulnerability Details
Four separate CVEs have been reported stemming from Margaritelli’s discovery. Details about the affected software with relevant CVEs follow. Please note that the version bounds refer to versions of the software that are known to be affected. Versions not in the range could also be affected; always check for the latest information about CVEs and their remediation.
cups-browsed <= 2.0.1
CVE Information: CVE-2024-47176 | 8.3 CVSS Score
cups-browsed is a component of a CUPS installation whose job is to listen on the network for printers that announce their presence and automatically configure them. Part of the announcement is an address that cups-browsed can connect to in order to download the full configuration information needed to print using the printer that made the announcement. The problem, however, is that by default cups-browsed is configured to accept these announcements from any source, up to and including the public internet. What this means is that an attacker can construct a printer announcement that directs our second affected component, libcupsfilters, to query an attacker-controlled system for more printer information.
libcupsfilters <= 2.1b1
CVE Information: CVE-2024-47076 | 8.6 CVSS Score
The second component affected is called libcupsfilters. libcupsfilters is a software library which contains the functionality to actually fetch and process the configuration information from the location that cups-browsed received in the printer’s announcement. A library, in programmer terms, is a body of code that contains common functionality that a developer may want to use in multiple places. In this case, it is being used by cups-browsed.
The specific problem with libcupsfilters is that it doesn’t check the configuration it fetches from the cups-browsed-provided source for validity or safety. These checks are called data sanitization. If libcupsfilters were developed for systems where only a local user is configuring a printer, it might be a little more reasonable for it to not sanitize those inputs — but in this case, it’s being used by cups-browsed. Recall that because of how cups-browsed works by default, in reality, those inputs could have come from anywhere!
Once libcupsfilters has fetched the configuration attributes from the announced printer, cups-browsed hands that information off to the next vulnerable component in this story, libppd.
libppd <= 2.1b1
CVE Information: CVE-2024-47175 | 8.6 CVSS Score
libppd is another library. Its job is to generate and interact with PPD files. These files are printer description files that can be used to tell a printer driver how to operate a printer. The problem with this component is similar to the one in libcupsfilters: after reading the configuration libcupsfilters fetched, it generates a PPD file whose contents it does not validate for correctness or safety.
Where this becomes a problem is that one of the allowable attributes in a PPD file is an instruction to filter a print job through another piece of software as part of the printing process. It also sets the arguments given to this filter program from the potentially malicious configuration. CUPS does some checking around what the filtering program is, but if one of the allowable filter programs is too permissive in what it accepts, an attacker could direct it to do malicious things. This leads to the final component that could be used to attack CUPS.
cups-filters <= 2.0.1
CVE Information: CVE-2024-47177 | 9.0 CVSS Score
The final affected component is cups-filters. cups-filters is a package that provides some of the filter programs that libppd might use. One of them is called foomatic-rip, and it can take as parameters arbitrary commands that it will then run. Because these come from the PPD file that libppd generated, which ultimately could have come from an attacker, it is possible for the attacker to execute arbitrary commands when the printer is used.
Summary
The short version of this exploit is that certain configurations of cups-browsed as well as associated CUPS libraries each have vulnerabilities that, put together, allow an attacker to execute arbitrary commands against a target system. Since the print spooler often runs at elevated privileges, this could allow an attacker to gain control of a system.
Finding and Fixing CUPS Vulnerabilities
Importantly, it’s the combination of different pieces of software put together that makes CUPS remotely exploitable. In addition, it’s likely that most servers that don’t have printing capabilities will not have any of these software packages present. The risk here is mainly on desktop systems that you may have, on servers running on non-minimal images, or servers where the minimal image contains these packages (either because the minimal image didn’t remove them, or because they were explicitly added).
While FOSSA does not offer scanning of whole computer systems for vulnerabilities, it can help identify container images in your organization that may include these vulnerable packages. FOSSA customers can determine whether they’re using the cups-browsed, libppd, libcupsfilters, or cups-filters packages and are impacted by the related CVEs in the following ways:
- Click on “Packages” in the header menu of the FOSSA UI, search for an impacted package, and the results will show if FOSSA finds the package within your environment.
- Click on “Packages” in the header menu of the FOSSA UI, and search by CVE (in the “Vulnerabilities” module on the bottom-right hand corner of the page).
- Click on “Issues” -> “Security” in the header menu of the FOSSA UI, search by CVE number or package, and the results will show if FOSSA finds the CVE or package within your environment.
Containers that include the vulnerable software should be rebuilt to either be based on an image that does not include them or to remove them during the build step if at all possible. You can often check what packages are installed in a base image on Docker Hub. For example, the latest ubuntu image does not list any CUPS packages. It’s worth checking, but in general, it is unlikely that a container is running cups-browsed.
Outside of FOSSA, you should also check the container hosts, virtual machines, and especially desktop systems you are running. On systemd-based systems (most Linux systems besides Alpine fall into this category), you can stop the cups-browsed service with:
systemctl stop cups-browsed
Disable it from starting automatically during boot with:
systemctl disable cups-browsed
Or check its status with:
systemctl status cups-browsed
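The systemctl commands above tell you whether the service is running, but not whether the configuration still accepts announcements from anywhere, nor which printers on the host already carry a filter command line of the kind described in the libppd and cups-filters sections. The script below is an added example (not FOSSA’s or OpenPrinting’s code) that audits a host for both. It assumes the cups-browsed configuration file lives at /etc/cups/cups-browsed.conf and uses the BrowseRemoteProtocols directive and its none value from the cups-browsed.conf manual page; it assumes the default of that directive includes the legacy cups browse protocol; it assumes installed PPDs live under /etc/cups/ppd and that foomatic-rip reads its command line from the *FoomaticRIPCommandLine PPD keyword; and it assumes UDP port 631 is the port the browse protocol listens on. None of those details come from the post itself.

```shell
#!/bin/sh
# Added example: host-side audit for the cups-browsed / PPD conditions
# described in the post. Not FOSSA's or OpenPrinting's code.

# browse_protocol_state FILE
#   Reports whether a cups-browsed.conf enables the legacy CUPS browse
#   protocol (the network-announcement path cups-browsed listens on).
#   Assumption: the directive is BrowseRemoteProtocols, "none" disables all
#   remote protocols, and a missing directive means the shipped default,
#   which includes "cups". Prints one of: on | off | default-on
browse_protocol_state() {
  awk '
    BEGIN { state = "default-on" }
    /^[[:space:]]*#/ { next }                       # skip comment lines
    tolower($1) == "browseremoteprotocols" {
      state = "off"                                 # "none" or dnssd-only
      for (i = 2; i <= NF; i++) if (tolower($i) == "cups") state = "on"
    }
    END { print state }
  ' "$1"
}

# list_foomatic_commandlines DIR
#   Prints "file<TAB>value" for every *.ppd under DIR that carries a
#   *FoomaticRIPCommandLine entry (assumed keyword foomatic-rip reads its
#   command line from), so an administrator can review what each configured
#   printer would hand to foomatic-rip. A PPD generated from a remote
#   printer's attributes is exactly where an untrusted value could appear.
list_foomatic_commandlines() {
  find "$1" -type f -name '*.ppd' | sort | while IFS= read -r ppd; do
    awk -v f="$ppd" '
      /^\*FoomaticRIPCommandLine:/ {
        sub(/^\*FoomaticRIPCommandLine:[[:space:]]*/, "")
        print f "\t" $0
      }
    ' "$ppd"
  done
}

# live_audit
#   Runs the checks above against the real host paths, together with the
#   systemctl checks from the post. Only invoked with --live so the pure
#   functions can be exercised on constructed input without touching the host.
live_audit() {
  conf=/etc/cups/cups-browsed.conf          # assumed config path
  if command -v systemctl >/dev/null 2>&1; then
    printf 'cups-browsed service: %s / %s\n' \
      "$(systemctl is-active cups-browsed 2>/dev/null || true)" \
      "$(systemctl is-enabled cups-browsed 2>/dev/null || true)"
  fi
  if [ -r "$conf" ]; then
    printf 'BrowseRemoteProtocols state: %s\n' "$(browse_protocol_state "$conf")"
  else
    echo "no $conf (cups-browsed probably not installed)"
  fi
  # Assumed: UDP 631 is where the browse protocol listens; column 4 of
  # "ss -lun" output is the local address:port.
  if command -v ss >/dev/null 2>&1; then
    echo "UDP 631 listeners:"
    ss -lun 2>/dev/null | awk '$4 ~ /:631$/'
  fi
  if [ -d /etc/cups/ppd ]; then               # assumed PPD directory
    echo "PPDs with a FoomaticRIPCommandLine:"
    list_foomatic_commandlines /etc/cups/ppd
  fi
}

case "${1:-}" in --live) live_audit ;; esac
```

Run it as `sh audit.sh --live` on a host; a result of `on` or `default-on` together with an active service and a UDP 631 listener is the exposed configuration the post describes, and the listed PPD command lines are the ones worth reviewing or removing before the printer is next used.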
Additionally, some distributions like Ubuntu have already published remediations, so it may be possible to address this in some systems simply by updating.