RHSB-2024-002 - OpenPrinting cups-filters

Public Date: September 26, 2024, 16:14
Updated October 4, 2024, 15:58 - Chinese, Simplified French Japanese Korean
Ongoing Status
Important Impact

Insights vulnerability analysis

View exposed systems

Executive summary

Red Hat is aware of a group of vulnerabilities identified in OpenPrinting CUPS that affect all versions of Red Hat Enterprise Linux (RHEL). These issues are rated with a severity impact of Important. As shipped in RHEL, the default configuration of the service is vulnerable. However, this service is installed in a disabled state. The affected components are not installed with the vulnerable service enabled. 

CUPS is an open source printing system that provides tools to manage, discover, and share printers. Together, if an attacker were able to use these vulnerabilities, it could potentially lead to remote code execution as the unprivileged ‘lp’ user.

While coordination with Upstream and the researcher are ongoing, at this time five CVEs have been assigned: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177, and CVE-2024-47850.

As the patches become available, we will continue to add updates.

Affected products

Red Hat products affected by CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177 and CVE-2024-47850:

Red Hat Enterprise Linux 9

Affected - Fixes will be made available for all active streams

Red Hat Enterprise Linux 8

Affected - Fixes will be made available for all active streams

Red Hat Enterprise Linux 7

Affected - Fixes will be made available for all active streams

Red Hat Enterprise Linux  6

Affected - Won’t fix, out of support scope

Updates for all affected products

Product Component(s) Advisory/Update
Red Hat Enterprise Linux 9 cups-filters RHSA-2024:7346
Red Hat Enterprise Linux 8 cups-filters RHSA-2024:7463
Red Hat Enterprise Linux 7 cups-filters RHSA-2024:7553

Technical details and background

The circumstances required to successfully exploit these vulnerabilities require certain conditions to be true. An attacker must advertise a malicious Internet Printing Protocol (IPP) service that is accessible by a victim. This can be on the public internet, or within an internal trusted network. Advertising on an internal trusted network would require a successful breach of the network, by being resident on another server or having the ability to be resident with a malicious system, such as a laptop.

To be successfully attacked, the victim must have the cups-browsed service running, which scans for available printers.  This allows an attacker to automatically add a temporary printer definition from a malicious IPP server. At this point, the malicious IPP server can send arbitrary code back to the victim as a part of the printer definition which, when triggered, will execute as the unprivileged ‘lp’ user. The victim must attempt to print from the malicious device to execute the provided code.

Note: While this does permit remote code execution in this scenario, it is limited by the privileges of the ‘lp’ user.  The ‘lp’ user cannot execute code as a privileged user or access properly-secured user data.

CVE-2024-47176 cups-browsed

CVE-2024-47076 cups-filter libcupsfilters

CVE-2024-47175 libppd cups cups-filter

CVE-2024-47177 cups-filters foomatic

CVE-2024-47850 cups-browsed cups-filters

See the CVE pages for each as the technical descriptions are updated

Detection

To determine whether or not cups-browsed is running:

$ sudo systemctl status cups-browsed 

If the output to this command indicates that the cups-browsed service is not installed, or it is inactive, the cups-browsed service is not running and cannot be tricked into connecting to a malicious IPP service.

If systemctl indicates that the service is “running” or “enabled”, examine /etc/cups/cups-browsed.conf and search for the “BrowseRemoteProtocols” directive.  If this directive has the value “cups” in the configuration file, the system is vulnerable.

Vulnerable example: BrowseRemoteProtocols dnssd cups

Mitigation

The simplest mitigation until patches are available is to disable cups-browsed.  As this impacts printer clients this is the easiest solution and does not impact the ability to print to already-known printers.  This can be done in a few ways.

Disable cups-browsed entirely:

$ sudo systemctl stop cups-browsed 

$ sudo systemctl disable cups-browsed 

If you prefer to keep cups-browsed running to automatically discover printers on your client system, you can prevent the vulnerability by making the following changes to the /etc/cups/cups-browsed.conf configuration file:

Mitigated example: BrowseRemoteProtocols none

And restarting cups-browsed:

$ sudo systemctl restart cups-browsed 

Acknowledgements

Red Hat would like to thank Simone “EvilSocket” Margaritelli for discovering and reporting these vulnerabilities and Till Kamppeter (OpenPrinting) for additional coordination support.

 

 

Comments