Luci Stanescu
on 26 September 2024
CUPS Remote Code Execution Vulnerability Fix Available
Four CVE IDs have been assigned that together form an high-impact exploit chain surrounding CUPS: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177.
Canonical’s security team has released updates for the cups-browsed, cups-filters, libcupsfilters and libppd packages for all supported Ubuntu LTS releases. The updates remediate CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, while CVE-2024-47177 is addressed by the other 3 vulnerabilities being patched. For ESM releases, fixes for CVE-2024-47175 and CVE-2024-47176 are available to address the overall vulnerability. Information on the affected versions can be found in the CVE pages linked above. If you have any of these installed, our recommendation is to update as soon as possible. Read on to learn more about the details.
Remediation update
On 8th October 2024, the Ubuntu Security Team released a security update that removed support for the CUPS legacy protocol from the cups-browsed component in all standard support releases. The obsolete protocol has been replaced by the use of DNS-SD and is no longer necessary for compatibility with CUPS from version 1.6.0, which is found in Ubuntu 14.04 LTS and newer releases. This was done to reduce the attack surface and in response to the possibility of print servers being used in reflective DDoS attacks through this functionality.
How the exploit chain works
At its core, the vulnerability is exploited by tricking CUPS into generating an attacker-controlled PPD (PostScript Printer Description) file for a printer containing an arbitrary command. Whenever the next print job is sent to the printer in question, the command will be executed as the lp user (this is the user that the CUPS daemon runs as and, barring other exploitable vulnerabilities, would not have escalated privileges).
Generating the manipulated PPD file in the first place can be achieved through two routes:
- On the local network, mDNS can be used to automatically register a new printer or to replace the PPD file associated with an existing printer. This requires the attacker to be able to generate the multicast datagrams and have them reach the cups-browsed daemon (port 631). With multicast traffic not being forwarded over the Internet, the attack vector here is reduced, but still considerable.
- Over any network, including the Internet, a legacy UDP-based protocol can be used to register a new printer with a malicious PPD file. This requires the attacker to be able to send a UDP datagram to port 631, handled by cups-browsed, on the target host. A firewall (or NAT router) can prevent this attack vector.
Who is affected
CUPS or, more specifically, cups-browsed is generally installed on desktop computers and servers configured as print servers. The exploit chain is not completed unless a print job is sent – so if you never print, no command execution could have happened, even if the vulnerable packages were installed and a malicious actor attempted the exploit.
We recommend that anyone that has the affected packages installed apply the security update as soon as possible. Servers without appropriate firewall rules and laptop computers that may connect to untrusted networks are particularly at risk.
How to address
We recommend you upgrade all packages, followed by a restart of the CUPS daemon:
sudo apt update && sudo apt upgrade
sudo systemctl restart cups.service
If this is not possible, the affected components can be targeted:
sudo apt update && sudo apt install --only-upgrade cups-browsed cups-filters cups-filters-core-drivers libcupsfilters2t64 libppd2 libppd-utils ppdc
sudo systemctl restart cups
The unattended-upgrades feature is enabled by default from Ubuntu 16.04 LTS and onwards. This service:
- Applies new security updates every 24 hours automatically
- If you have this enabled, the patches above will be automatically applied within 24 hours
- However, we still recommend restarting the CUPS daemon using systemctl restart cups.service
Mitigation
The strongest protection is to apply the security updates. The following mitigations have been explored, but have limitations and can cause unintended side effects.
For desktop computers, removing the cups-browsed component or disabling the network protocols would affect the ability to detect network printers.
For print servers, disabling network printer detection can be considered an adequate mitigation, as the already configured printers would continue to be available, but, on Ubuntu systems, modifying the associated configuration file would stop future unattended upgrades from completing successfully. For this reason, we do not recommend this approach. If security updates cannot be applied, you should only follow the following steps as a last resort and restore the original configuration file once updates are applied.
The following mitigation steps remove a print server’s ability to detect new network printers and stop the injection of the malicious PPD file:
- Edit /etc/cups/cups-browsed.conf
- Search for the BrowseRemoteProtocols configuration option
- Set the option to none (the default value is “dnssd cups”)
- Restart cups-browsed using systemctl restart cups-browsed
The importance of coordinated disclosure
These issues received a lot of attention before public disclosure. Vulnerabilities are normally discussed between the reporter, the affected projects and Linux distributions, such as Ubuntu, under an embargo, so that security updates can be prepared and released under coordinated disclosure simultaneously by all software vendors. Sometimes, information can leak and this has the potential to put users at risk.
We encourage everyone to consider the greater good. In this instance, the coordinated disclosure date had to be moved up, balancing the need for adequate preparation and delivering updates as soon as possible. This affected our plan to simultaneously release security updates for all Ubuntu versions, including ESM.
During coordinated vulnerability responses, Canonical recommends that embargoed issues are worked on discreetly. If disagreements come up during disclosure, third-party coordinators, such a CERT/CC’s VINCE, can step in to mediate discussion.
Further reading
The Ubuntu Security Team is responsible for preparing timely security updates when vulnerabilities are discovered. We do this for a large range of open-source software to help reduce supply chain risks. For more information on vulnerability management, read our introductory guide.
References
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5
https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6
https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47
https://ubuntu.com/security/CVE-2024-47076
https://ubuntu.com/security/CVE-2024-47175
https://ubuntu.com/security/CVE-2024-47176
https://ubuntu.com/security/CVE-2024-47177
https://ubuntu.com/security/notices/USN-7041-1
https://ubuntu.com/security/notices/USN-7042-1
https://ubuntu.com/security/notices/USN-7043-1
https://ubuntu.com/security/notices/USN-7044-1
https://ubuntu.com/security/notices/USN-7045-1
https://www.cve.org/CVERecord?id=CVE-2024-47076
https://www.cve.org/CVERecord?id=CVE-2024-47175
https://www.cve.org/CVERecord?id=CVE-2024-47176
https://www.cve.org/CVERecord?id=CVE-2024-47177