Patch for Critical CUPS vulnerability: Don't Panic, (Thu, Sep 26th)

SANS Internet Storm Center, InfoCON: green 2024-09-26

These last two days, a lot has been talked about a "Doomsday 9.9 RCE bug'" in Linux [1]. We now have some additional details from Simone Margaritelli, who discovered and reported the vulnerabilities.

BLUF:

CUPS may use "filters", executables that can be used to convert documents. The part responsible ("cups-filters") accepts unverified data that may then be executed as part of a filter operation. An attacker can use this vulnerability to inject a malicious "printer". The malicious code is triggered once a user uses this printer to print a document. This has little or no impact if CUPS is not listening on port 631, and the system is not used to print documents (like most servers). An attacker may, however, be able to trigger the print operation remotely. On the local network, this is exploitable via DNS service discovery. A proof of concept exploit has been made available.

There is no patch right now. Disable and remove cups-browserd (you probably do not need it anyway). Update CUPS as updates become available. Stop UDP traffic on Port 631.

For a lot more details, see: https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

The Vulnerabilities

CVE-2024-47176

This is a vulnerability in cups-browsed (up to version 2.0.1). This daemon listens for UDP packets on port 631. cups-browsed uses DNS service discovery to automatically discover printers and make them available to the user. As part of the exchange with printers, it will receive various URLs that it may use to retrieve additional information. These URLs are not properly validated, allowing attackers to trick cups-browsed to request arbitrary URLs.

CVE-2024-47076

libcupsfilters (up to version 2.1b1) replaces an older filter-architecture. It could be used to modify ("filter") files to adjust formats to make them printable on a specific printer. Like the prior issue, it is subject to the attacker providing malicious data that will be passed to other CUPS components.

CVE-2024-47115

libppd (up to version 2.1b1) also does not validate IPP attributes and adds them to the PPD file that is then passed to drivers and other components.

CVE-2024-47177

cups-filters (2.0.1) is the part that will allow the arbitrary command execution triggered by invalid PPD parameters. cups-filters execute external code ("filters") to convert files. Accepting data from unverified external sources, arbitrary code may be executed. In particular, the "foomatic-rip" filter allows the attacker to provide an arbitrary command line.

[1] https://www.theregister.com/2024/09/26/unauthenticated_rce_bug_linux/ [2] https://openprinting.github.io/cups/

--- Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.