RHSB-2024-002 - OpenPrinting cups-filters
Executive summary
Red Hat is aware of a group of vulnerabilities identified in OpenPrinting CUPS that affect all versions of Red Hat Enterprise Linux (RHEL). These issues are rated with a severity impact of Important. As shipped in RHEL, the default configuration of the service is vulnerable. However, this service is installed in a disabled state. The affected components are not installed with the vulnerable service enabled.
CUPS is an open source printing system that provides tools to manage, discover, and share printers. If an attacker were able to use these vulnerabilities together, it could potentially lead to remote code execution as the unprivileged ‘lp’ user.
While coordination with Upstream and the researcher is ongoing, at this time five CVEs have been assigned: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177, and CVE-2024-47850.
As the patches become available, we will continue to add updates.
Affected products
Red Hat products affected by CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177, and CVE-2024-47850:
Red Hat Enterprise Linux 9 | Affected - Fixes will be made available for all active streams |
Red Hat Enterprise Linux 8 | Affected - Fixes will be made available for all active streams |
Red Hat Enterprise Linux 7 | Affected - Fixes will be made available for all active streams |
Red Hat Enterprise Linux 6 | Affected - Won’t fix, out of support scope |
Updates for all affected products
Product | Component(s) | Advisory/Update |
Red Hat Enterprise Linux 9 | cups-filters | RHSA-2024:7346 |
Red Hat Enterprise Linux 8 | cups-filters | RHSA-2024:7463 |
Red Hat Enterprise Linux 7 | cups-filters | RHSA-2024:7553 |
Technical details and background
Successful exploitation of these vulnerabilities requires certain conditions to be true. An attacker must advertise a malicious Internet Printing Protocol (IPP) service that is accessible by a victim. This can be on the public internet, or within an internal trusted network. Advertising on an internal trusted network would require a successful breach of the network, by being resident on another server or having the ability to be resident with a malicious system, such as a laptop.
To be successfully attacked, the victim must have the cups-browsed service running, which scans for available printers. This allows an attacker to automatically add a temporary printer definition from a malicious IPP server. At this point, the malicious IPP server can send arbitrary code back to the victim as a part of the printer definition which, when triggered, will execute as the unprivileged ‘lp’ user. The victim must attempt to print from the malicious device to execute the provided code.
Note: While this does permit remote code execution in this scenario, it is limited by the privileges of the ‘lp’ user. The ‘lp’ user cannot execute code as a privileged user or access properly-secured user data.
CVE-2024-47176 | cups-browsed |
CVE-2024-47076 | cups-filter, libcupsfilters |
CVE-2024-47175 | libppd, cups, cups-filter |
CVE-2024-47177 | cups-filters, foomatic |
CVE-2024-47850 | cups-browsed, cups-filters |
See the CVE page for each as the technical descriptions are updated.
Detection
To determine whether or not cups-browsed is running:
$ sudo systemctl status cups-browsed
If the output to this command indicates that the cups-browsed service is not installed, or it is inactive, the cups-browsed service is not running and cannot be tricked into connecting to a malicious IPP service.
If systemctl indicates that the service is “running” or “enabled”, examine /etc/cups/cups-browsed.conf and search for the “BrowseRemoteProtocols” directive. If this directive has the value “cups” in the configuration file, the system is vulnerable.
Vulnerable example: BrowseRemoteProtocols dnssd cups
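The two detection checks above combined into one script, as an added example that is not part of Red Hat's bulletin. It uses `systemctl is-active` and `systemctl is-enabled` instead of reading `systemctl status` output; the function names and the `--check` argument are assumptions of this example, and it flags any uncommented BrowseRemoteProtocols line that lists cups.

```shell
#!/bin/sh
# Added example (not from the bulletin): cups-browsed exposure triage.
CONF=/etc/cups/cups-browsed.conf

# Classify a cups-browsed.conf file:
#   vulnerable - an uncommented BrowseRemoteProtocols line lists "cups"
#   restricted - the directive is present and never lists "cups"
#   unset      - file unreadable or directive absent (the bulletin does
#                not cover this case, so it is reported for manual review)
# Directive and value are matched case-insensitively to err on the safe side.
conf_status() {
    [ -r "$1" ] || { echo unset; return 0; }
    awk '
        $1 ~ /^#/ { next }                      # skip comment lines
        tolower($1) == "browseremoteprotocols" {
            seen = 1
            for (i = 2; i <= NF; i++)
                if (tolower($i) == "cups") hit = 1
        }
        END { print (hit ? "vulnerable" : (seen ? "restricted" : "unset")) }
    ' "$1"
}

# "yes" if the service is running or enabled, as in the bulletin's first check.
service_flag() {
    if systemctl is-active --quiet cups-browsed 2>/dev/null ||
       systemctl is-enabled --quiet cups-browsed 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Combine both checks. $1 = service_flag output, $2 = conf_status output.
verdict() {
    case "$1:$2" in
        no:*)           echo "OK: cups-browsed is not running or enabled" ;;
        yes:vulnerable) echo "VULNERABLE: BrowseRemoteProtocols lists cups" ;;
        yes:restricted) echo "OK: BrowseRemoteProtocols does not list cups" ;;
        *)              echo "REVIEW: BrowseRemoteProtocols not set in file" ;;
    esac
}

# Run against the local host only when asked to: sh thisfile --check
if [ "${1:-}" = "--check" ]; then
    verdict "$(service_flag)" "$(conf_status "$CONF")"
fi
```

A REVIEW result means the file sets no BrowseRemoteProtocols value, so the service is using its built-in default and should be checked by hand.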
Mitigation
The simplest mitigation until patches are available is to disable cups-browsed. As this impacts printer clients, this is the easiest solution, and it does not impact the ability to print to already-known printers. This can be done in a few ways.
Disable cups-browsed entirely:
$ sudo systemctl stop cups-browsed
$ sudo systemctl disable cups-browsed
If you prefer to keep cups-browsed running to automatically discover printers on your client system, you can prevent the vulnerability by making the following changes to the /etc/cups/cups-browsed.conf configuration file:
Mitigated example: BrowseRemoteProtocols none
Then restart cups-browsed:
$ sudo systemctl restart cups-browsed
Acknowledgements
Red Hat would like to thank Simone “EvilSocket” Margaritelli for discovering and reporting these vulnerabilities and Till Kamppeter (OpenPrinting) for additional coordination support.