
Customer Advisory: New Remote Code Execution Vulnerability in printing facility (‘CUPS’) commonly found on Linux and similar systems 

Updated September 27, at 5:01 AM ET

Overview 

A new remote code execution (RCE) vulnerability has been identified in the OpenPrinting CUPS printing system, widely used in Linux and Unix-based environments. Attackers could exploit this flaw through UDP port 631, allowing them to execute arbitrary commands on vulnerable systems.
 
In order to leverage this vulnerability, an attacker would need to access the vulnerable system from the local network, or access it from the Internet through a promiscuous firewall ‘NAT’ rule. In turn, the vulnerable system must be permitted to contact a device (controlled by the attacker) which hosts a malicious printer driver. The exploit demonstrates novel discovery and chaining of vulnerabilities to gain system access, but real-world applicability is low.

Though Apple systems use a related version of OpenPrinting CUPS, called Apple CUPS, Apple CUPS is not believed to be affected by this vulnerability.

Technical Details 

The issue arises due to improper handling of ‘New Printer Available’ announcements in the ‘cups-browsed’ component, combined with poor validation by ‘cups’ of the information provided by a malicious printing resource. The vulnerability stems from inadequate validation of network data, allowing attackers to get the vulnerable system to install a malicious printer driver; a print job subsequently sent to that printer then triggers execution of the malicious code. The malicious code is executed with the privileges of the lp user, not the superuser ‘root’.

The lp user typically manages all printing services on a system and has access to key system resources required for printing operations. Though the lp account is not root, attackers can leverage their access as ‘lp’ to pivot to higher privileges or to infiltrate other parts of the network.

The risk of remote exploitation is increased by the fact that appliances, servers, and desktop environments often install CUPS by default, even on IoT appliances such as NAS servers or VoIP servers.

Once an attacker exploits this vulnerability (which is likely to occur through automated scans of the whole Internet, or from compromised devices within the private network enclave), they are likely to install Remote Access Trojan software to maintain access even after the device has been patched or this vulnerability has otherwise been mitigated. Privilege escalation using other vulnerabilities is then often performed to gain root access, a necessary step to examine the entire system and its information.

Mitigations: 

The vulnerability lies in improper input validation when managing printers and print requests over the network. The fix addresses this by ensuring that inputs are properly sanitized and validated before being processed. By restricting the acceptance of new printers and new printer driver files, the fix prevents arbitrary code execution by an attacker. 

Specifically, adding the configuration directive “BrowseDeny All” to the configuration file /etc/cups/cups-browsed.conf disables remote printer discovery, the initial attack vector for this vulnerability. For environments that don’t require printing, disabling CUPS entirely is a safer option.

Urgency and Exploit Availability 

In our assessment, as an attacker would need to have unfiltered access to UDP port 631 of the vulnerable device, exploitation is likely only in environments with overly promiscuous firewall configurations, or on mobile devices (laptops only; Android devices do not use OpenPrinting CUPS) connected to shared Wi-Fi networks. This is uncommon and against best practice, which is for local and network firewalls to block all but necessary communication by default.

An exploit for this vulnerability has been publicly disclosed and could be easily adapted to install malicious software, such as remote access tools (RATs), on compromised systems. 

Mitigation Steps:

  • Identify Vulnerable Systems: Ensure that any system using cups-browsed or connected to printers is reviewed, including network devices such as NAS or VOIP servers.
  • Patch Immediately: Install the relevant patches and security updates for CUPS. 
  • Disable CUPS if Not Needed: For systems that do not require printing services, disable the cups and cups-browsed services.
  • Restrict Network Access: Block access to UDP port 631 at the firewall level to reduce the risk of remote exploitation. 
  • Update CUPS Configuration: For systems that must continue using CUPS, modify /etc/cups/cups-browsed.conf by adding: 
    • BrowseDeny All
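The following script is an added example and is not part of the Ontinue advisory: it audits a Linux host for the exposure described above (a running cups-browsed process, a UDP socket bound to port 631, and whether cups-browsed.conf already carries the mitigation) and applies the two mitigations the advisory gives, the “BrowseDeny All” directive in /etc/cups/cups-browsed.conf and disabling the services outright. It assumes a systemd-managed host and the default configuration path from the advisory; the function names and the CUPS_BROWSED_CONF override are the example's own.

```shell
#!/bin/sh
# Added example (not the advisory's own code): audit a Linux host for the
# cups-browsed exposure and apply the advisory's mitigations.
# Assumptions: a systemd-managed host and the default configuration path
# /etc/cups/cups-browsed.conf (taken from the advisory). Function names are ours.

CONF="${CUPS_BROWSED_CONF:-/etc/cups/cups-browsed.conf}"

# Return 0 if a cups-browsed process is currently running.
cups_browsed_running() {
    pgrep -x cups-browsed >/dev/null 2>&1
}

# Return 0 if any UDP socket is bound to port 631 (the announcement port).
# Uses iproute2's ss; on a host without it this reports "not bound".
udp631_bound() {
    ss -lun 2>/dev/null | grep -Eq ':631[[:space:]]'
}

# Return 0 if the file already contains an active (uncommented) "BrowseDeny All".
browse_deny_present() {
    grep -Eq '^[[:space:]]*BrowseDeny[[:space:]]+All[[:space:]]*$' "$1"
}

# Append the advisory's "BrowseDeny All" directive unless it is already there.
# Idempotent: running it twice leaves exactly one directive in the file.
harden_config() {
    f="$1"
    if browse_deny_present "$f"; then
        echo "already hardened: $f"
        return 0
    fi
    printf '\n# Disable remote printer discovery (CUPS advisory mitigation)\nBrowseDeny All\n' >> "$f"
    echo "added BrowseDeny All to $f"
}

# For hosts that never print: stop and disable both services (run as root).
disable_cups() {
    systemctl disable --now cups-browsed.service cups.service 2>/dev/null ||
        echo "systemctl failed; disable cups-browsed and cups with your init system" >&2
}

# Print a three-line status summary an operator can act on.
audit() {
    if cups_browsed_running; then echo "cups-browsed : RUNNING"; else echo "cups-browsed : not running"; fi
    if udp631_bound; then echo "udp/631      : BOUND"; else echo "udp/631      : not bound"; fi
    if [ -f "$CONF" ] && browse_deny_present "$CONF"; then
        echo "config       : BrowseDeny All present"
    else
        echo "config       : BrowseDeny All missing (or no $CONF)"
    fi
}

case "${1:-}" in
    audit)   audit ;;
    harden)  harden_config "$CONF" ;;
    disable) disable_cups ;;
    *)       echo "usage: $0 audit|harden|disable" >&2 ;;
esac
```

Run `sh cups-check.sh audit` on each candidate host first; a host that reports `cups-browsed : RUNNING` and `udp/631 : BOUND` with the directive missing is the case the advisory describes. `harden` only appends the directive (restart cups-browsed afterwards for it to take effect), while `disable` is the option for hosts that do not print at all.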

Identifying potentially vulnerable systems using Microsoft Defender Advanced Hunting 
 
To help security teams identify systems potentially affected by this vulnerability and open to potential exploitation, the following advanced hunting query can be used in Microsoft Defender for Endpoint: 
 
DeviceProcessEvents
| where TimeGenerated between (ago(90d) .. now())
// TimeGenerated is the column name when the table is queried through Microsoft Sentinel;
// in the Microsoft Defender portal's advanced hunting the same column is called Timestamp.
| where FileName == @'cups-browsed' or InitiatingProcessFileName == @'cups-browsed'
 
This query returns process events from the past 90 days in which a process named “cups-browsed” was executed, or in which cups-browsed was the initiating (parent) process; any device that appears in the results is running the vulnerable component and should be reviewed.
 
Conclusion 

This vulnerability is notable for its remote code execution potential and the public availability of an exploit. Immediate steps should be taken to patch vulnerable systems that need to run CUPS, restrict network access, and ensure that CUPS configurations are hardened. Attackers who gain control of the lp user could use this as a launchpad for further attacks within the network. It is unlikely to be exploited unless an attacker is already present in your network, but such an attacker would likely use it as a form of persistence, or to pivot into other networks and obtain increased access.

For further details on the vulnerability and how it works, please refer to the full disclosure report at https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/ and Red Hat’s response at https://www.redhat.com/en/blog/red-hat-response-openprinting-cups-vulnerabilities

Article By

Advanced Threat Operations Team
Ontinue - ATO

Ontinue’s Advanced Threat Operations (ATO) team leverages proactive threat identification, analysis, and mitigation to empower our customers with the resilience needed to tackle the constantly evolving threat landscape.

Carlo Keay

Balazs Greksza

Domenico de Vitto
