CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence: High
EPSS
Percentile: 28.0%
On Thursday, September 26, 2024, a security researcher publicly disclosed several vulnerabilities affecting different components of OpenPrinting’s CUPS (Common Unix Printing System). CUPS is a popular IPP-based open-source printing system primarily (but not only) for Linux and UNIX-like operating systems. According to the researcher, a successful exploit chain allows remote unauthenticated attackers to replace existing printers’ IPP URLs with malicious URLs, resulting in arbitrary command execution when a print job is started from the target device.
The vulnerabilities disclosed are:
- cups-browsed <= 2.0.1. The service binds on UDP *:631, trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
- libcupsfilters <= 2.1b1. cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system.
- libppd <= 2.1b1. The ppdCreatePPDFromIPP2 API does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data in the resulting PPD.
- cups-filters <= 2.0.1. The foomatic-rip filter allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.
According to the researcher’s disclosure blog, affected systems are exploitable from the public internet, or across network segments, if UDP port 631 is exposed and the vulnerable service is listening. CUPS is enabled by default on most popular Linux distributions, but exploitability may vary across implementations. As of 6 PM ET on Thursday, September 26, Red Hat has an advisory available noting that they consider this group of vulnerabilities of Important severity rather than Critical.
Public exploits are available. There appeared to be roughly 75,000 CUPS daemons exposed to the public internet at time of disclosure, but notably, internet exposure search queries may not be entirely accurate; for instance, if they are checking TCP 631 (i.e., the cupsd HTTP-based web administration service) and not UDP 631 (the affected cups-browsed service).
We expect patches and remediation guidance to be forthcoming from affected vendors and distributions over the next few days. While the vulnerabilities are not known to be exploited in the wild at time of disclosure, technical details were leaked before the issues were released publicly, which may mean attackers and researchers have had opportunity to develop exploit code. We advise applying patches and/or mitigations as soon as they are available as a precaution, even if exploitability is more limited in some implementations.
Additional mitigation guidance:
cups-browsed service if it is not necessary
Rapid7’s own testing confirms that blocking UDP port 631 will not effectively prevent exploitation on the LAN, as there are secondary channels (e.g., mDNS) that can facilitate exploitation.
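The distinction drawn above between TCP 631 (cupsd) and UDP 631 (cups-browsed), and the note that mDNS remains a secondary channel, can be checked per host. The script below is an added example, not part of the original advisory or any Rapid7 tooling: it classifies `ss -H -tulnp` output, and the finding labels (UDP631_ANY, UDP631_BOUND, TCP631, MDNS5353) and the sample listener lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify local listeners relevant to the cups-browsed exposure.
# Input is `ss -H -tulnp` output (Netid State Recv-Q Send-Q Local Peer Process).

classify_listeners() {
  awk '
    {
      proto = $1; laddr = $5
      n = split(laddr, parts, ":")        # port is the text after the last colon
      port = parts[n]
      addr = substr(laddr, 1, length(laddr) - length(port) - 1)
      proc = "unknown"                    # Process column is empty without root
      if (split($7, q, "\"") >= 2) proc = q[2]
      any = (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
      tag = ""
      if (proto == "udp" && port == "631")       tag = any ? "UDP631_ANY" : "UDP631_BOUND"
      else if (proto == "tcp" && port == "631")  tag = "TCP631"     # cupsd web admin
      else if (proto == "udp" && port == "5353") tag = "MDNS5353"   # secondary channel
      if (tag != "") print tag, addr, proc
    }'
}

# Succeeds (exit 0) when something is bound to UDP 631 on all interfaces.
has_wildcard_udp631() {
  classify_listeners | grep -q '^UDP631_ANY '
}

# Constructed sample of `ss -H -tulnp` output (not captured from a real host).
sample_ss_output() {
  cat <<'EOF'
udp   UNCONN 0      0      0.0.0.0:631        0.0.0.0:*         users:(("cups-browsed",pid=812,fd=7))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=790,fd=8))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=700,fd=3))
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=640,fd=12))
tcp   LISTEN 0      4096   [::1]:631          [::]:*            users:(("cupsd",pid=790,fd=7))
EOF
}

if [ "${1:-}" = "--live" ]; then
  ss -H -tulnp | classify_listeners      # run as root to see process names
else
  sample_ss_output | classify_listeners
fi
```

A TCP631 line alone says nothing about the affected service; a UDP631_ANY line is the listener the advisory describes, and an MDNS5353 line is a reminder that filtering UDP 631 does not cover the LAN case.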
InsightVM and Nexpose customers can assess their exposure to these CVEs with authenticated checks that look for affected CUPS packages on UNIX-based systems. These checks were released in a second content release at 7:40 PM ET on Thursday, September 26. We expect to update with additional checks in the coming days as vendors release fixes and more information.
InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to exploitation of recent CUPS vulnerabilities: