CUPS (Common UNIX Printing System) vulnerabilities and their security implications

Several critical vulnerabilities have recently been discovered in the Common UNIX Printing System (CUPS), which is widely used in Linux and other UNIX-like operating systems. These vulnerabilities increase the system’s potential security threats, including vulnerabilities that could allow remote code execution. Below are the top four vulnerabilities identified in September 2024 and information about them.

Main Weaknesses:

1. CVE-2024-47076 – libcupsfilters: This vulnerability is related to invalid input validation. By exploiting this vulnerability, an attacker could execute code remotely on the system. CVSS score: 8.6.
2. CVE-2024-47175 – libppd: This vulnerability is also related to an invalid input validation issue and poses a similar risk. CVSS score: 8.6.
3. CVE-2024-47176 – cups-browsed: An unrestricted IP address binding vulnerability in the system could lead to network attacks. CVSS score: 8.4.
4. CVE-2024-47177 – cups-filters: This is the most dangerous vulnerability and allows remote code execution via command injection. CVSS score: 9.1.

Several special conditions must be met in order to successfully exploit these vulnerabilities. First, the cups-browsed service must be enabled, but this service is disabled by default on most systems. Also, the attacker must make the system appear as a printer on the local network and force the user to print through that printer.
{ https://www.tenable.com/blog/cve-2024-47076-cve-2024-47175-cve-2024-47176-cve-2024-47177-faq-cups-vulnerabilities}
{ https://www.bleepingcomputer.com/news/security/cups-flaws-enable-linux-remote-code-execution-but-theres-a-catch/}
These vulnerabilities include PostScript Printer Description (PPD) printers on the system and use a filter to print commands. For example, this process can be done before printing a command through the foomatic-rip filter. As a result of this exploit, an attacker can execute his code on the system.

Although there is a risk of remote code execution through these vulnerabilities, they are difficult to implement. The cups-browsed service will usually be disabled, and the affected printers on the network will need to be forced to print. Therefore, the likelihood of these vulnerabilities being exploited in the real world is considered low.
{ https://www.theregister.com/2024/09/26/cups_linux_rce_disclosed/}

While there are currently no updates for CUPS that fully address the vulnerabilities, there are some security measures in place. For example, users can disable the cups-browsed service using the following commands:

sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed

Meanwhile, to check the service status in the system:

sudo systemctl status cups-browsed

If the service is in “inactive (dead)” state, the system is not vulnerable, otherwise it is recommended to disable the service.
{ https://www.bleepingcomputer.com/news/security/cups-flaws-enable-linux-remote-code-execution-but-theres-a-catch/}
{ https://www.theregister.com/2024/09/26/cups_linux_rce_disclosed/}

Recent vulnerabilities in CUPS pose serious security issues, but there are many complexities to exploiting them. Administrations are encouraged to take the necessary steps now to address these vulnerabilities and protect their systems. Systems will need to be updated as soon as updates are released.