RHSB-2024-002 - OpenPrinting cups-filters

Executive summary

Red Hat is aware of a group of vulnerabilities identified in OpenPrinting CUPS that affect all versions of Red Hat Enterprise Linux (RHEL). These issues are rated with a severity impact of Important, and in their default configuration are not vulnerable.

CUPS is an open source printing system that provides tools to manage, discover, and share printers. Together, if an attacker were able to use these vulnerabilities, it could potentially lead to remote code execution as the unprivileged ‘lp’ user.

While coordination with Upstream and the researcher are ongoing, at this time four CVEs have been assigned and as of this writing, there are no patches available: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177.

Affected products

Red Hat products affected by CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177:

Updates for all affected products

None currently.

Technical details and background

The circumstances required to successfully exploit these vulnerabilities require certain conditions to be true. An attacker must advertise a malicious Internet Printing Protocol (IPP) service that is accessible by a victim. This can be on the public internet, or within an internal trusted network. Advertising on an internal trusted network would require a successful breach of the network, by being resident on another server or having the ability to be resident with a malicious system, such as a laptop.

To be successfully attacked, the victim must have the cups-browsed service running, which scans for available printers.  This allows an attacker to automatically add a temporary printer definition from a malicious IPP server. At this point, the malicious IPP server can send arbitrary code back to the victim as a part of the printer definition which, when triggered, will execute as the unprivileged ‘lp’ user. The victim must attempt to print from the malicious device to execute the provided code.

Note: While this does permit remote code execution in this scenario, it is limited by the privileges of the ‘lp’ user.  The ‘lp’ user cannot execute code as a privileged user or access properly-secured user data.

CVE-2024-47176 cups-browsed

CVE-2024-47076 cups-filter libcupsfilters

CVE-2024-47175 libppd cups cups-filter

CVE-2024-47177 cups-filters foomatic

See the CVE pages for each as the technical descriptions are updated

Detection

To determine whether or not cups-browsed is running:

$ sudo systemctl status cups-browsed /p>

If the output to this command indicates that the cups-browsed service is not installed, or it is inactive, the cups-browsed service is not running and cannot be tricked into connecting to a malicious IPP service.

If systemctl indicates that the service is “running” or “enabled”, examine /etc/cups/cups-browsed.conf and search for the “BrowseRemoteProtocols” directive.  If this directive has the value “cups” in the configuration file, the system is vulnerable.  For example:

BrowseRemoteProtocols dnssd cups

Mitigation

The simplest mitigation until patches are available is to disable cups-browsed.  As this impacts printer clients this is the easiest solution and does not impact the ability to print to already-known printers.  This can be done in a few ways.

Disable cups-browsed entirely:

$ sudo systemctl stop cups-browsed 

$ sudo systemctl disable cups-browsed 

If you prefer to keep cups-browsed running to automatically discover printers on your client system, you can prevent the vulnerability by making the following changes to the /etc/cups/cups-browsed.conf configuration file:

BrowseRemoteProtocols dnssd cups

BrowseRemoteProtocols none

And restarting cups-browsed:

$ sudo systemctl restart cups-browsed 

Acknowledgements

Red Hat would like to thank Simone “EvilSocket” Margaritelli for discovering and reporting these vulnerabilities and Till Kamppeter (OpenPrinting) for additional coordination support.