The Common UNIX Printing System, or CUPS, can be abused to run malicious code on vulnerable endpoints remotely, experts have warned.
CUPS is an open-source printing system developed by Apple for Unix-like operating systems, including Linux and macOS. It provides a standardized way to manage print jobs and queues, supporting both local and network printers. CUPS uses the Internet Printing Protocol (IPP) as its primary protocol, allowing seamless printer discovery and job submission across networks. It also includes a web-based interface for managing printers, print jobs, and configurations.
Cybersecurity researcher Simone Margaritelli of Evil Socket discovered a problem in the system’s ability to discover new printers. As the researcher explains, CUPS has four vulnerabilities: CVE_2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177. These vulnerabilities, when chained together, allow threat actors to create a fake, malicious printer, and have CUPS discover it.
Roadblocks to exploitation
The moment a user tries to print something using this new device, a malicious command gets executed locally on their device.
While it sounds like a major vulnerability, Red Hat deemed it ‘important’ rather than ‘critical’, and this is mostly because there are many hoops to jump through, before the flaw can be exploited for RCE.
The first, and biggest one, is that the component named cups-browsed daemon, which looks for shared printers on the local network and enables them for printing, needs to be turned on. The researcher said that sometimes it’s turned off by default, and sometimes it’s turned on.
The second major hoop is making the victim pick the new printer that suddenly appeared out of nowhere, instead of their usual machine.
Red Hat is currently working on a fix, so a patch is not yet available. However, the easy fix is to stop the cups-browsed service from running, and to prevent it from being started on reboot.
Via BleepingComputer