ALERT: Vulnerability in CUPS printing system

Friday, September 27, 2024

This Alert is intended for U-M IT staff who are responsible for university printers running CUPS (Common UNIX Printing System) on Linux systems or Unix-like operating systems.

Summary

In specific conditions, threat actors can combine a set of four vulnerabilities across multiple components of the CUPS open-source printing system to achieve remote code execution on vulnerable machines.

Campus systems are protected from attacks that originate from off-campus because the affected port (UDP 631) was already blocked as part of the Insecure Remote Access Protocol (IRAP) Remediation project.

Problem

If a CUPS-browsed service has manually been enabled or started, an attacker can access a vulnerable server, advertise a malicious IPP server, and provision a malicious printer. If someone attempts to print using the malicious device, the attacker could execute arbitrary code on the machine.

Threats

At the time of publication of this Alert, IA is not aware of active exploitation of these vulnerabilities, and due to mitigations already in place in addition to several obstacles that a threat actor would need to overcome, widespread exploitation may not be likely very soon.

Affected Systems

Linux systems and other systems that have the CUPS printing software installed, including devices running Unix-like operating systems, such as FreeBSD, NetBSD, and OpenBSD and their derivatives.

Detection

Red Hat has supplied the following instructions for detection, which should also be applicable to other linux distributions that utilize systems.

Run the following command to determine if cups-browsed is running:

$ sudo systemctl status cups-browsed

If the result includes “Active: inactive (dead)” then the exploit chain is halted and the system is not vulnerable. If the result is “running” or “enabled,”and the “BrowseRemoteProtocols” directive contains the value “cups” in the configuration file /etc/cups/cups-browsed.conf, then the system is vulnerable.

Action Items

Apply mitigation steps prescribed by Red Hat, which stop the cups-browsed service from running and prevent it from being started on reboot. Patches are not available at the time this Alert is being published. Watch for vendor updates and apply them when they become available, especially. for systems where the Red Hat recommendations may not be applicable.

Technical Details

See the individual CVE details linked in the References section below for technical details.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Information for Users

If you manage your own Linux system, follow the recommendations in this alert and always keep systems updated.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.