A researcher has disclosed the details of an unpatched vulnerability that had been expected to pose a serious threat to many Linux systems, but it turned out to be less serious than anticipated.
On September 23, researcher Simone Margaritelli revealed that he would — in less than two weeks — disclose the details of an unauthenticated remote code execution (RCE) vulnerability affecting all GNU/Linux systems. He noted that the flaw had been assigned a CVSS score of 9.9, which led many members of the cybersecurity industry to believe that it would be a highly critical, high-impact issue.
Margaritelli indicated at the time that he was displeased with the entire responsible disclosure process, noting that no working fix had been developed, and no CVE identifier had been assigned.
Shortly after, information on the vulnerability was leaked on GitHub and it started circulating on cybercrime forums. As a result, the researcher disclosed technical details and published a proof-of-concept (PoC) exploit on Thursday.
It turns out that Margaritelli discovered several vulnerabilities related to OpenPrinting’s Common UNIX Printing System (CUPS), a popular Internet Printing Protocol (IPP) open source printing system designed mainly for Linux and UNIX-like operating systems.
Four CUPS vulnerabilities have now been disclosed and they have been assigned the identifiers CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177. They have been described as IPP attribute sanitization, command execution, and packet trust issues.
A remote, unauthenticated attacker can achieve arbitrary code execution by silently replacing IPP URLs with a malicious URL. A successful attack results in commands prepared by the attacker being executed when a print job is started from the targeted device.
“By chaining this group of vulnerabilities together, an attacker could potentially achieve remote code execution which could then lead to theft of sensitive data and/or damage to critical production systems,” Red Hat said.
Exploitation is possible both from the internet and from the local network. The search engine Shodan revealed that there are at least 75,000 internet-exposed CUPS daemons, many in South Korea and the United States.
While the vulnerability may seem highly critical and while it may appear that it could end up being exploited on a wide scale, there are some significant mitigating factors.
First of all, the CUPS vulnerabilities actually appear to have a ‘high’ severity rating rather than a ‘critical’ rating based on their revised CVSS score, which the researcher has not contested.
Red Hat, for instance, pointed out that affected packages are not vulnerable in their default configuration. In addition, exploitation of the vulnerabilities requires one of the impacted CUPS services to be manually enabled, the attacker needs to have access to a vulnerable server and provision a malicious printer, and the victim needs to start a print job.
Managed extended detection and response firm Ontinue has analyzed the vulnerabilities and determined that “real-world applicability is low”.
“An exploit for this vulnerability has been publicly disclosed and could be easily adapted to install malicious software, such as remote access tools (RATs), on compromised systems. In our assessment this makes the issue urgent for Linux systems that are printing often, in other systems this has minimal real-world exploitability,” the company explained, adding, “An attacker would still have to access the system on port 631 and have LAN access to the host while the host is printing.”
In addition, Benjamin Harris, the CEO of WatchTowr, a provider of automated red teaming and attack surface management solutions, told SecurityWeek that the vulnerabilities may only affect a subset of systems.
“The CUPS daemon and associated packages is the most widely-used way to manage printing and print services on Linux Desktop editions (think Ubuntu Desktop, in contrast to the commonly used server edition Ubuntu Server),” Harris explained.
“Given this, while the vulnerabilities in terms of technical impact are serious, it is significantly less likely that desktop machines/workstations running CUPS are exposed to the Internet in the same manner or numbers that typical server editions of Linux would be — and thus these vulnerabilities are unlikely to be the watershed moment that MS08-067, ExternalBlue and HeartBleed (that these vulnerabilities have been compared to) were,” Harris added.
Patches have yet to be released and Margaritelli claims CUPS developers have admitted that the vulnerabilities are not easy to fix. However, there are some easy mitigations, particularly for environments where printing is not needed — users can run two commands to stop a vulnerable service and prevent it from restarting when the system is rebooted. Blocking all traffic to UDP port 631 and DNS-SD traffic can also mitigate attacks.
Palo Alto Networks has published an advisory to inform customers that it has evaluated the impact of these vulnerabilities and determined that they do not affect its products and cloud services as they do not include the affected CUPS software packages.
Related: CISA Warns of Exploited Linux Kernel Vulnerability
Related: New SLUBStick Attack Makes Linux Kernel Vulnerabilities More Dangerous