Linux systems have recently come under threat due to a set of Remote Code Execution (RCE) vulnerabilities identified in the Common Unix Printing System (CUPS). These vulnerabilities, classified as severe, have the potential to enable unauthorized attackers to run arbitrary code on compromised systems, leading to possible breaches of user and corporate data.
The CUPS Vulnerabilities
CUPS is an open-source printing system widely used in Linux and other Unix-like operating systems to manage printers and print jobs. The newly identified vulnerabilities affect multiple components within CUPS and allow attackers to abuse network printing functionality, particularly when the cups-browsed service is listening on UDP port 631.
The identified vulnerabilities are:
- CVE-2024-47176 affects cups-browsed up to version 2.0.1. A crafted UDP packet sent to port 631 makes cups-browsed issue a Get-Printer-Attributes IPP request to a URL the attacker controls. The process binds to INADDR_ANY:631 and does not validate the packet's source, so it accepts crafted packets from anyone who can reach the port.
- CVE-2024-47076 affects libcupsfilters up to version 2.1b1. The function cfGetPrinterAttributes5 does not validate the IPP attributes returned by a server, so malicious attribute data flows on into the rest of the CUPS system.
- CVE-2024-47175 affects libppd up to version 2.1b1. The function ppdCreatePPDFromIPP2 fails to sanitize IPP attributes when writing them to a temporary PostScript Printer Description (PPD) file, allowing attacker-controlled data to be injected into the PPD.
- CVE-2024-47177 affects cups-filters up to version 2.0.1. Within foomatic-rip, arbitrary command execution is possible via the FoomaticRIPCommandLine PPD parameter.
Chained together, these flaws let an attacker set up a malicious printer on a network. When a print job is sent to such a printer, the attacker's commands run on the victim machine with the privileges of the lp user, the standard print-process account.
Systems at Risk
The vulnerabilities are a risk to a range of systems, including:
- Linux servers and desktops running CUPS or cups-browsed are affected.
- NAS or VoIP devices may be vulnerable if CUPS is installed by default.
- IoT devices that use CUPS for printing services are also at risk.
While the lp user typically does not have superuser (root) privileges, gaining access to this account could allow attackers to escalate their privileges and move into other parts of the network. The flaws could also enable automated attacks that scan for and compromise vulnerable devices across the internet.
How the Exploits Work
Attackers can use these vulnerabilities in several ways, but every path depends on UDP port 631 being reachable from the local network or the internet. A crafted UDP packet aimed at CUPS takes advantage of the system's insufficient validation of printer attributes. An attacker positioned as a man-in-the-middle can also replace legitimate printer URLs with malicious ones; when the affected system discovers this "new printer" and a print job is sent to it, the code embedded in the generated PPD file runs, resulting in remote code execution (RCE).
Because cups-browsed automatically discovers and adds printers, an attacker can introduce a fake printer to the system; the code then executes when a user prints a document to that printer. Although the vulnerabilities allow RCE, exploiting them requires access to the target's local network or a way past its firewall. Properly secured environments typically restrict inbound UDP traffic, which reduces the likelihood of successful exploitation.
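A defender-side check that follows from this description, as an added example that is not from the article or the CUPS project: it lists installed PPD files that carry the FoomaticRIPCommandLine directive named above, so the command line each queue would hand to foomatic-rip can be reviewed. The helper names and the two sample PPD files are this example's own constructions, and the default directory /etc/cups/ppd is an assumption about where CUPS keeps queue PPDs.

```shell
# Added example (not from the article or the CUPS project). Audits PPD files for
# the FoomaticRIPCommandLine directive the article identifies as the sink for
# command execution, so any queue that carries one can be reviewed. The sample
# PPDs below are constructed; /etc/cups/ppd is assumed to be the queue PPD dir.

PPD_DIR="${PPD_DIR:-/etc/cups/ppd}"

# Print "file<TAB>command" for every *.ppd under $1 that sets
# FoomaticRIPCommandLine. A missing directory or no matches is not an error.
list_foomatic_ppds() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.ppd; do
        [ -f "$f" ] || continue
        # Strip the key, keep the quoted command string as written in the PPD.
        cmd=$(sed -n 's/^\*FoomaticRIPCommandLine:[[:space:]]*//p' "$f" | head -n 1)
        if [ -n "$cmd" ]; then
            printf '%s\t%s\n' "$f" "$cmd"
        fi
    done
    return 0
}

# Number of PPDs under $1 that set the directive.
count_foomatic_ppds() {
    list_foomatic_ppds "$1" | wc -l | tr -d ' '
}

# Build a constructed sample directory so the audit can run offline.
make_sample_ppds() {
    dir=$(mktemp -d)
    # Benign PPD: no foomatic command line at all.
    printf '*PPD-Adobe: "4.3"\n*ModelName: "Sample Laser"\n' > "$dir/benign.ppd"
    # PPD that hands a command line to foomatic-rip (constructed, benign content).
    printf '*PPD-Adobe: "4.3"\n*ModelName: "Sample Foomatic"\n' > "$dir/foomatic.ppd"
    printf '*FoomaticRIPCommandLine: "gs -q -dSAFER -sOutputFile=- -"\n' >> "$dir/foomatic.ppd"
    printf '%s\n' "$dir"
}

# Stand-alone run: audit the sample set, then whatever is installed locally.
sample=$(make_sample_ppds)
echo "sample PPDs with FoomaticRIPCommandLine: $(count_foomatic_ppds "$sample")"
list_foomatic_ppds "$sample"
rm -rf "$sample"
echo "installed PPDs with FoomaticRIPCommandLine: $(count_foomatic_ppds "$PPD_DIR")"
list_foomatic_ppds "$PPD_DIR"
```

Run it as a user that can read the PPD directory. A hit is not proof of compromise, since legitimate foomatic queues carry the directive too, but it tells you which queues were added (by cups-browsed or otherwise) with a command line worth reading before the next job is printed to them.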
Mitigation Strategies
Security teams should act to address these risks. Immediate actions include:
- Patch and update systems by applying security updates to CUPS as soon as they are available. Upgrading to fixed versions is what actually addresses the vulnerabilities.
- Disable cups-browsed if network printing is unnecessary. This removes the exposed service and with it the risk of exploitation.
- Restrict network access by blocking incoming traffic to UDP port 631 through firewalls and network configuration to prevent unauthorized access.
- Update the configuration by adding BrowseDeny All to the CUPS configuration file /etc/cups/cups-browsed.conf, which prevents the automatic discovery of printers.
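The configuration and exposure checks from the list above, written out as an added example that is not from the article or the CUPS project: it adds BrowseDeny All to cups-browsed.conf only when the directive is not already active, then reports whether the cups-browsed service is running and whether anything is listening on UDP port 631. The directive and the file path are the ones the article names; the helper names and the sample config file are constructed for this example.

```shell
# Added example (not from the article or the CUPS project). Checks for and, when
# absent, adds the "BrowseDeny All" directive to cups-browsed.conf, then reports
# whether cups-browsed is running and whether anything listens on UDP 631. The
# directive and file path come from the article; the helper names and the
# sample config are constructed here.

CONF="${CONF:-/etc/cups/cups-browsed.conf}"

# Succeed if $1 has an active (uncommented) "BrowseDeny All" line.
has_browse_deny_all() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*BrowseDeny[[:space:]]+All[[:space:]]*$' "$1"
}

# Append "BrowseDeny All" to $1 unless it is already active. Idempotent, so a
# configuration-management run can call it on every pass.
add_browse_deny_all() {
    if has_browse_deny_all "$1"; then
        echo "ok: $1 already contains BrowseDeny All"
    else
        printf '\n# Refuse printers advertised over the network\nBrowseDeny All\n' >> "$1"
        echo "changed: appended BrowseDeny All to $1"
    fi
}

# Report live exposure without ever failing the script, since the tools may be
# absent on the host that runs it.
report_exposure() {
    if command -v systemctl >/dev/null 2>&1; then
        state=$(systemctl is-active cups-browsed 2>/dev/null) || state="${state:-unknown}"
        echo "cups-browsed service: $state"
    fi
    if command -v ss >/dev/null 2>&1; then
        if ss -uln 2>/dev/null | grep -q ':631[[:space:]]'; then
            echo "warning: a UDP listener on port 631 is present"
        else
            echo "ok: no UDP listener on port 631"
        fi
    fi
    return 0
}

# Constructed sample: a config whose only BrowseDeny line is commented out,
# which must count as NOT hardened.
make_sample_conf() {
    f=$(mktemp)
    printf '# cups-browsed.conf (constructed sample)\n#BrowseDeny All\n' > "$f"
    printf '%s\n' "$f"
}

# Stand-alone run against the sample, then a read-only look at the real host.
sample=$(make_sample_conf)
add_browse_deny_all "$sample"   # first pass appends the directive
add_browse_deny_all "$sample"   # second pass is a no-op
rm -f "$sample"
if has_browse_deny_all "$CONF"; then
    echo "ok: $CONF already contains BrowseDeny All"
else
    echo "note: $CONF has no active BrowseDeny All (run add_browse_deny_all \"$CONF\" as root to add it)"
fi
report_exposure
```

The commented-out line in the sample is the case the regex has to get right: a stock file often ships the directive as a comment, which must not count as hardened. Where network printing is not needed at all, stopping and disabling the cups-browsed service (the second item in the list) removes the listener entirely; the directive is the fallback for hosts that must keep the service running.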
While the vulnerabilities are technically severe, real-world exploitation is expected to be low for the average desktop and workstation. These systems typically have limited exposure to the internet and do not usually run cups-browsed by default. Servers and enterprise devices running Linux are at higher risk, especially if they are misconfigured or expose network services externally. Red Hat has advised that all versions of its Enterprise Linux distributions are affected, but that systems are not vulnerable in their default configurations. The vulnerabilities have been rated as important, but are not on the scale of vulnerabilities like Log4Shell or Heartbleed. Ensuring systems are updated to address vulnerabilities is also a requirement for maintaining compliance with healthcare data privacy standards. Organizations must understand their responsibilities under HIPAA to secure electronic health information effectively, including proper encryption and privacy protections.
Cybersecurity experts, including those from Rapid7 and Tenable, urge enterprises to assess and mitigate the risk immediately, as the flaws provide a path for attackers to access systems if exploited.