Security researcher Simone Margaritelli has recently revealed details about four zero-day vulnerabilities in the Common UNIX Printing System (CUPS) that could potentially allow remote attackers to execute malicious code on vulnerable Linux and Unix-like systems. These vulnerabilities were prematurely leaked by a third party, leading to much buzz and anticipation in the cybersecurity community.
CUPS, an open-source printing system developed by OpenPrinting under The Linux Foundation, acts as a print server for computers, managing print jobs sent by client machines to printers via the Internet Printing Protocol (IPP). The vulnerabilities identified by Margaritelli, also known as EvilSocket, affect various components of CUPS, including cups-browsed, libcupsfilters, libppd, and cups-filters.
By exploiting these vulnerabilities in combination, an attacker could replace existing printer URLs with malicious ones, potentially leading to the execution of arbitrary commands when a print job is initiated on the compromised system. However, for this attack to be successful, a user must launch a print job on the manipulated printer.
According to Rapid7 researchers, systems exposed to the internet or accessible across network segments with UDP port 631 open and the vulnerable service listening are susceptible to exploitation. As CUPS is widely used in most Linux distributions and some BSD operating systems, the impact of these vulnerabilities could be significant.
In response to the disclosure, OpenPrinting has published fixes and temporary workarounds for CVE-2024-47176, with various Linux distributions currently working on integrating these patches into their packages. Margaritelli recommends disabling or removing the cups-browsed service and blocking traffic to UDP port 631 if unable to update the system immediately.
Red Hat has provided guidance for customers to check for and disable the cups-browsed service on their systems to mitigate the risk of exploitation. Tenable researchers have identified a large number of potentially vulnerable devices using internet-connected device search engines like Shodan and FOFA.
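The check-and-disable guidance above, as an added POSIX shell example that is not part of the original article or any vendor's own tooling: it parses `ss -lun` style output for a UDP 631 listener, and the mitigation function applies the workaround the article describes (stop and disable cups-browsed, drop inbound UDP 631). Function names, the sample `ss` output, and the use of systemctl and iptables are assumptions for this example.

```shell
#!/bin/sh
# Added example: audit a host for the cups-browsed exposure and apply the
# recommended workaround. Function names and sample data are constructed.

# Return 0 if the given `ss -lun` style text shows a UDP socket bound to port 631
# (IPv4 0.0.0.0:631 or IPv6 [::]:631 both match). $1 is the text to inspect.
udp631_listening() {
    printf '%s\n' "$1" | awk '
        # data rows: State Recv-Q Send-Q Local:Port Peer:Port, so local addr is $4
        $1 == "UNCONN" && $4 ~ /:631$/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if systemd reports cups-browsed as active (reads real system state).
cups_browsed_active() {
    systemctl is-active --quiet cups-browsed 2>/dev/null
}

# Apply the workaround when cups-browsed runs or UDP 631 is still bound.
# Requires root; iptables is assumed here, adapt for nftables/firewalld hosts.
mitigate_cups_browsed() {
    if cups_browsed_active; then
        echo "cups-browsed is active: stopping and disabling the unit"
        systemctl stop cups-browsed
        systemctl disable cups-browsed
    fi
    if udp631_listening "$(ss -lun 2>/dev/null)"; then
        echo "UDP 631 still bound: dropping inbound traffic at the host firewall"
        iptables -I INPUT -p udp --dport 631 -j DROP
    fi
}

# Constructed sample output, in the layout `ss -lun` prints, for offline checks.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:631       0.0.0.0:*
UNCONN 0      0          127.0.0.1:323       0.0.0.0:*'
SAMPLE_CLEAN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0          127.0.0.1:323       0.0.0.0:*'
```

Run `udp631_listening "$(ss -lun)"` on a live host to confirm the listener is gone after the unit is disabled; the firewall rule is a stopgap until the distribution's patched packages are installed.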
While there have been no reports of active exploitation of these vulnerabilities in the wild, proof-of-concept exploits are publicly available. Tenable senior staff research engineer Satnam Narang emphasizes the importance of prioritizing known vulnerabilities that are actively exploited by threat actors over newly disclosed flaws.
In conclusion, organizations are urged to promptly apply patches and implement recommended mitigations to secure their systems against potential exploitation. Staying vigilant against both known and emerging threats is crucial in maintaining a robust cybersecurity posture in today’s digital landscape.
