Introduction
On September 26th an Italian security researcher, Simone Margaritelli (known as evilsocket), released details of an unauthenticated remote command execution (RCE) vulnerability affecting all GNU/Linux systems. He is a veteran of the infosec community, and you probably know him as the father of the Bettercap and Pwnagotchi projects (among others).
He spent the last few weeks researching, reporting and coordinating with major platforms such as Canonical and RedHat.
In this article we will summarise our understanding of the vulnerability (since things are still unfolding) and give you advice on how to check whether you're vulnerable and, especially, how to mitigate it.
The vulnerability
The packages affected by the RCE are 'cups-browsed', 'libcupsfilters', 'libppd' and 'cups-filters', which are pre-installed and always listening for connections on several operating systems.
The primary function of cups-browsed service is to automatically discover and manage network printers. This operation is performed in two main stages:
- Printer discovery - using CUPS or Bonjour broadcast messages
- Queue management - once a printer is found, cups-browsed creates a local print queue on the machine that points to that printer
The vulnerability is triggered in the second stage, when a printer is added carrying malicious PPD directives injected through the printer-privacy-policy-uri attribute, such as:
printer-privacy-policy-uri: |
https://www.google.com/"
*FoomaticRIPCommandLine: "echo 1 > /tmp/PWNED"
*cupsFilter2 : "application/pdf application/vnd.cups-postscript 0 foomatic-rip
To actually run the command ('echo 1 > /tmp/PWNED' in the example above), however, a print job must be started on that queue.
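The injected PPD lines above only do harm once they sit in a queue's PPD file, so a defender can look for them on disk. The following audit script is an added example, not code from the original article or from the OpenPrinting project. It assumes the CUPS PPD directory is /etc/cups/ppd (the Debian/Ubuntu default; set PPD_DIR to override) and flags the two directives the injection depends on: a FoomaticRIPCommandLine and a cupsFilter2 chain that routes jobs through foomatic-rip. The sample PPD contents are constructed for the demonstration and are written to a temporary file, so nothing under /etc/cups is touched.

```shell
#!/bin/sh
# Added example (not from the original article): audit PPD files for the
# directives the printer-privacy-policy-uri injection relies on.
# Assumption: PPDs live in /etc/cups/ppd unless PPD_DIR says otherwise.

PPD_DIR="${PPD_DIR:-/etc/cups/ppd}"

# audit_ppd FILE: prints suspicious lines (with line numbers) from FILE.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_ppd() {
    f="$1"
    hits=0
    # FoomaticRIPCommandLine hands a shell command line to foomatic-rip.
    # Genuine Foomatic driver PPDs carry one, but a PPD for a printer that
    # appeared through network discovery has no business containing it.
    if grep -n '^\*FoomaticRIPCommandLine:' "$f"; then
        hits=1
    fi
    # A cupsFilter2 chain ending in foomatic-rip is what makes the command
    # line above execute when a job is printed.
    if grep -n '^\*cupsFilter2[[:space:]]*:.*foomatic-rip' "$f"; then
        hits=1
    fi
    return $hits
}

# audit_dir: walk every *.ppd under PPD_DIR; returns 1 if any file was flagged.
audit_dir() {
    bad=0
    for f in "$PPD_DIR"/*.ppd; do
        [ -f "$f" ] || continue
        echo "== $f"
        audit_ppd "$f" || bad=1
    done
    return $bad
}

# Constructed sample: a PPD carrying injected directives (the command is a
# harmless placeholder). Prints the path of the temporary file it wrote.
make_sample_ppd() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
*PPD-Adobe: "4.3"
*ModelName: "Example Printer"
*cupsPrivacyURI: "https://www.google.com/"
*FoomaticRIPCommandLine: "echo injected"
*cupsFilter2 : "application/pdf application/vnd.cups-postscript 0 foomatic-rip"
EOF
    echo "$tmp"
}

# Constructed sample: an ordinary PPD with a plain filter chain.
make_clean_ppd() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
*PPD-Adobe: "4.3"
*ModelName: "Example Printer"
*cupsPrivacyURI: "https://www.google.com/"
*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 -"
EOF
    echo "$tmp"
}

# Run against the real PPD directory only when asked, so the file can also be
# sourced for its functions:  sh audit_ppd.sh --audit
if [ "${1:-}" = "--audit" ]; then
    if audit_dir; then
        echo "No suspicious directives found under $PPD_DIR."
    fi
fi
```

A hit is a starting point, not a verdict: a locally installed Foomatic driver legitimately carries a FoomaticRIPCommandLine, so compare any flagged queue with what you expect to be installed and, for queues cups-browsed created from the network, treat the directive as hostile until proven otherwise.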
Impact
A remote unauthenticated attacker can silently replace the IPP URLs of existing printers (or install new ones) with a malicious one, resulting in arbitrary command execution on that computer when a print job is started from it.
The attacker could either be on the same local network as the vulnerable machine or reach UDP port 631 where it is exposed on the Internet.
Are you affected?
It is possible to check if your systems are running the vulnerable service by typing (on Debian / Ubuntu):
systemctl status cups-browsed
You can also check for cupsd’s listening ports via:
netstat -antup | grep cups
Finally, check the installed version via:
cups-browsed --version
If the running version of cups-browsed is <= 2.0.1, you’re vulnerable to this attack.
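The three checks above can be combined into one script. The one below is an added example, not from the original article: it assumes a systemd-based Debian/Ubuntu host, uses `ss` (the replacement for the deprecated `netstat`) when available, and assumes that `cups-browsed --version` prints a dotted version number somewhere in its output, which the script extracts and compares with the 2.0.1 cut-off stated above.

```shell
#!/bin/sh
# Added example (not from the original article): check the three indicators
# from the "Are you affected?" section in one go.
# Assumptions: systemd (systemctl), ss for socket listing, and a dotted
# version number in the output of `cups-browsed --version`.

# version_le A B: returns 0 when dotted version A <= B. Components are
# compared numerically one by one; a missing component counts as 0.
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        if [ "$ax" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bx" = "$b" ]; then b=""; else b=${b#*.}; fi
        ax=${ax:-0}; bx=${bx:-0}
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
    done
    return 0
}

# extract_version TEXT: first dotted number in TEXT, e.g. "2.0.1".
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\(\.[0-9][0-9]*\)*' | head -n 1
}

# check_host: prints one line per indicator; returns 1 if any was flagged.
check_host() {
    flagged=0
    # 1. Is the cups-browsed service active?
    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet cups-browsed 2>/dev/null; then
        echo "[!] cups-browsed service is active"
        flagged=1
    else
        echo "[ok] cups-browsed service is not active (or systemd is absent)"
    fi
    # 2. Is anything bound to UDP 631, the port cups-browsed listens on?
    if command -v ss >/dev/null 2>&1 && ss -uln 2>/dev/null | grep -q ':631[[:space:]]'; then
        echo "[!] a UDP listener is bound to port 631"
        flagged=1
    else
        echo "[ok] no UDP listener on port 631 found"
    fi
    # 3. Is the installed cups-browsed within the affected range (<= 2.0.1)?
    if command -v cups-browsed >/dev/null 2>&1; then
        ver=$(extract_version "$(cups-browsed --version 2>&1)")
        if [ -z "$ver" ]; then
            echo "[?] could not parse cups-browsed version; check it manually"
        elif version_le "$ver" "2.0.1"; then
            echo "[!] cups-browsed $ver is within the affected range (<= 2.0.1)"
            flagged=1
        else
            echo "[ok] cups-browsed $ver is outside the affected range"
        fi
    else
        echo "[ok] cups-browsed binary is not installed"
    fi
    return $flagged
}

if check_host; then
    echo "No indicators found."
else
    echo "Review the items marked [!] above and apply the mitigation below."
fi
```

Run it as root if you want the socket check to see every process; the version comparison is pure shell so it behaves the same on any POSIX sh.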
Mitigation
Until an official fix is released, you can stop and disable the 'cups-browsed' daemon, which turns off automatic printer discovery:
systemctl stop cups-browsed
systemctl disable cups-browsed
Finally, once the package maintainers release the patched version, you can upgrade via (on Ubuntu and Debian):
sudo apt update
sudo apt upgrade
References
Fixes on OpenPrinting / cups - https://github.com/OpenPrinting/cups/commit/96b3bdf010e78880f5764e5032720379aa1116df#diff-0156020e17b0508f5e90f5550a40f675b62c489f479486cc059ad657a9f0876dR3379
Cups-browsed GitHub issue - https://github.com/OpenPrinting/cups-browsed/issues/36
Researcher’s blogpost - https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/