Vulnerabilities in Unix printing system CUPS, some of them critical, allow code injection

Several security vulnerabilities, some of them critical, have been discovered in the Linux printing system CUPS. Among other things, attackers can inject code.

A printer hurls paper into the air, a server next to it is attacked by viruses, a person sits at a PC

(Image: created with AI in Bing Designer by heise online / dmk)


IT security researcher Simone Margaritelli, who uses the online handle Evilsocket, has discovered four vulnerabilities in the open-source CUPS printing system that can be abused in combination to inject malicious code. Attackers must be able to send network packets to the service.

Margaritelli summarizes his findings in an emotional report. In the end, unauthenticated attackers from the network can replace the IPP URLs of existing printers with malicious ones or install new ones without being noticed. This results in arbitrary commands being executed when a print job is started on the computer.

The cups-browsed component listens globally on UDP port 631 and trusts any packet from any source, which triggers a Get-Printer-Attributes IPP request to an attacker-controlled URL, Margaritelli explains. libcupsfilters does not check and filter the IPP attributes returned by an IPP server, allowing attacker-supplied data to end up in the rest of the CUPS system. libppd also does not check and filter IPP attributes when writing to a temporary PPD file, allowing attacker-controlled data to end up in it. Finally, foomatic-rip allows arbitrary commands to be executed using the FoomaticRIPCommandLine PPD parameter.


For a successful attack, malicious actors must send a UDP packet to port 631; no authentication is required. This is also possible from the public Internet: Margaritelli claims to have scanned the address range of the entire Internet several times a day for several weeks. He sent prepared UDP packets to port 631 and logged which addresses established a connection back as an indication of a vulnerable installation. He received connections from hundreds of thousands of devices, between 200,000 and 300,000 at peak times, the IT security researcher explains. This invalidates the assumption that the CUPS service is not open on the network. Margaritelli cites fake zeroconf, mDNS or DNS-SD advertisements from the local network as a further attack vector.

As a countermeasure, the IT researcher recommends at least deactivating and removing the cups-browsed service, which is used to automatically search for and add printers. Those affected should update the CUPS packages on the system. If updates are not possible or the service is required, all traffic to UDP port 631 and, if possible, all DNS-SD traffic should be blocked. He would personally uninstall CUPS completely and never use it for printing again, adds Margaritelli slightly provocatively, and would also deal with zeroconf, avahi and bonjour listeners.
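To check a host against the exposure described above, the following added example (not part of the article or of the CUPS project) reports whether UDP port 631 is bound on a non-loopback address. It assumes a systemd host with iproute2 and input in the format of `ss -H -uln`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): is UDP port 631 reachable from other hosts?
# Assumed input: `ss -H -uln` output (iproute2), one socket per line, e.g.
#   UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
# Some ss invocations prepend a Netid column ("udp"); both layouts are handled.

# Read ss output on stdin; print each non-loopback local address bound to UDP 631.
exposed_udp631_binds() {
    awk '{
        local_addr = ($1 == "udp") ? $5 : $4
        n = split(local_addr, parts, ":")
        port = parts[n]
        if (n < 2 || port != "631") next
        addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
        sub(/%.*$/, "", addr)          # drop interface scope, e.g. %lo
        gsub(/^\[|\]$/, "", addr)      # drop IPv6 brackets
        if (addr ~ /^127\./ || addr == "::1") next
        print addr
    }'
}

# $1: service state as printed by `systemctl is-active cups-browsed`.
# stdin: ss output. Prints a one-line verdict.
cups_browsed_verdict() (
    state="$1"
    binds="$(exposed_udp631_binds | sort -u | tr '\n' ' ')"
    binds="${binds% }"
    if [ -n "$binds" ]; then
        echo "EXPOSED: UDP 631 bound on $binds (cups-browsed: ${state:-unknown})"
    elif [ "$state" = "active" ]; then
        echo "REVIEW: cups-browsed is active but UDP 631 is not bound beyond loopback"
    else
        echo "OK: cups-browsed is not active and UDP 631 is not bound beyond loopback"
    fi
)

# Live check on a systemd host with iproute2 installed: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    ss -H -uln | cups_browsed_verdict "$(systemctl is-active cups-browsed 2>/dev/null)"
fi
```

The check covers only the UDP 631 listener; it does not identify which process owns the socket and says nothing about the DNS-SD vector mentioned above, which has to be assessed separately.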

The individual CVE entries according to the severity of the vulnerability have been entered in the NIST vulnerability database:

Ubuntu, for example, has released updated CUPS packages that close the gaps. All well-known distributions should also be distributing updates shortly or are already doing so. Admins should quickly ensure that the CUPS services are at least not accessible from the public Internet and install the available updates.

On X, Simone Margaritelli has been somewhat "riotously" pointing out the imminent publication of details as part of the Responsible Disclosure since Monday of this week. He complains a lot about the laborious and exhausting process of getting the developers to listen at all.

A security vulnerability in CUPS also became known last year. Attackers from the net were able to abuse a vulnerability in cups-filter to inject malicious code, which was due to inadequate filtering of parameters passed to the operating system.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.