Vulnerability in CUPS printing system
This Alert is intended for U-M IT staff who are responsible for university printers running CUPS (Common UNIX Printing System) on Linux systems or Unix-like operating systems.
Summary
In specific conditions, threat actors can combine a set of four vulnerabilities across multiple components of the CUPS open-source printing system to achieve remote code execution on vulnerable machines.
Campus systems are protected from attacks that originate from off-campus because the affected port (UDP 631) was already blocked as part of the Insecure Remote Access Protocol (IRAP) Remediation project.
Problem
If a CUPS-browsed service has manually been enabled or started, an attacker can access a vulnerable server, advertise a malicious IPP server, and provision a malicious printer. If someone attempts to print using the malicious device, the attacker could execute arbitrary code on the machine.
Threats
At the time of publication of this Alert, IA is not aware of active exploitation of these vulnerabilities, and due to mitigations already in place in addition to several obstacles that a threat actor would need to overcome, widespread exploitation may not be likely very soon.
Affected Systems
Linux systems and other systems that have the CUPS printing software installed, including devices running Unix-like operating systems, such as FreeBSD, NetBSD, and OpenBSD and their derivatives.
Detection
Red Hat has supplied the following instructions for detection, which should also be applicable to other linux distributions that utilize systems.
Run the following command to determine if cups-browsed is running:
$ sudo systemctl status cups-browsed
If the result includes “Active: inactive (dead)” then the exploit chain is halted and the system is not vulnerable. If the result is “running” or “enabled,”and the “BrowseRemoteProtocols” directive contains the value “cups” in the configuration file /etc/cups/cups-browsed.conf, then the system is vulnerable.
Action Items
Apply mitigation steps prescribed by Red Hat, which stop the cups-browsed service from running and prevent it from being started on reboot. Patches are not available at the time this Alert is being published. Watch for vendor updates and apply them when they become available, especially. for systems where the Red Hat recommendations may not be applicable.
Technical Details
See the individual CVE details linked in the References section below for technical details.
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Information for Users
If you manage your own Linux system, follow the recommendations in this alert and always keep systems updated.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- CUPS flaws enable Linux remote code execution, but there’s a catch (Bleeping Computer, 9/26/24)
- Red Hat’s response to OpenPrinting CUPS vulnerabilities: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177 (Red Hat Blog, 9/26/24)
- CUPS vulnerabilities affecting Linux, Unix systems can lead to RCE (Help Net Security, 9/27/24)
- CVE-2024-47176 Detail (NIST, 9/26/24)
- CVE-2024-47076 Detail (NIST, 9/26/24)
- CVE-2024-47175 Detail (NIST, 9/26/24)
- CVE-2024-47177 Detail (NIST, 9/26/24)