Understanding the recent CUPS vulnerability and how to protect your system
In September 2024, security researcher Simone Margaritelli disclosed a chain of critical vulnerabilities in components of the Common Unix Printing System (CUPS), which is used in most Linux distributions and in other operating systems such as the BSDs, Google ChromeOS and Oracle Solaris, and potentially macOS. The chain carries a CVSS score of 9.9 out of 10. It allows a remote, unauthenticated attacker to execute arbitrary commands on a target system by sending a single packet to UDP port 631, where the cups-browsed printer-discovery service listens, and then waiting for a print job to be sent to the printer the attacker has planted.
Key points:
- Disable or remove cups-browsed: if you do not need printing at all, remove CUPS from the system. If you do need it, stop and disable the cups-browsed service, which handles automatic discovery of remote printers; the cupsd print server itself can keep running, because the exploit chain starts in cups-browsed.
- Update your CUPS installation: apply vendor patches for cups-browsed, libcupsfilters, libppd and cups-filters as soon as your distribution publishes them.
- Block access to UDP port 631: block UDP 631 at the host firewall and at the network boundary. cups-browsed also learns about printers from DNS-SD announcements over mDNS (UDP 5353), so consider blocking that on untrusted networks as well.
- Chain of vulnerabilities: the exploit links four issues, one per component. CVE-2024-47176: cups-browsed binds UDP port 631 on all interfaces and trusts any packet from any source, using it to fetch printer attributes from an attacker-chosen URL. CVE-2024-47076: libcupsfilters (cfGetPrinterAttributes5) does not validate or sanitise the IPP attributes it receives from that server. CVE-2024-47175: libppd (ppdCreatePPDFromIPP2) writes those unvalidated attributes into a temporary PPD file. CVE-2024-47177: the foomatic-rip filter in cups-filters executes the FoomaticRIPCommandLine parameter from the PPD as a shell command.
How the vulnerability works:
An attacker sends a crafted packet to UDP port 631 on a vulnerable machine. cups-browsed treats it as a printer announcement and connects back to a server controlled by the attacker to fetch the printer's IPP attributes. The malicious server returns attributes containing shell commands, which cups-browsed writes unvalidated into a temporary PPD file and registers as a new printer on the system. Nothing else happens until a print job is sent to that printer; at that point foomatic-rip reads the PPD and executes the embedded commands with the privileges of the CUPS filter process. On a local network the same attributes can be delivered through a DNS-SD/mDNS advertisement instead of a direct UDP packet, which is why blocking only port 631 is not a complete mitigation. The attack needs a print job as a trigger, so the window of exposure lasts as long as the planted printer exists.
Tips to discover if UDP port 631 is Open:
To check if a process on your system is listening on UDP port 631, you can use the following command (ss -lunp is the modern equivalent on systems that no longer ship net-tools):
sudo netstat -anu | grep -w 631
This restricts the listing to UDP sockets and matches the port as a whole word, so ports such as 6310 are not reported. A line with a local address of 0.0.0.0:631 or :::631 means cups-browsed is reachable from the network; a line bound only to 127.0.0.1 is not the exposure described here.
To conduct a port scan for open ports, you can use a tool like Nmap. Here is a basic command to scan port 631:
nmap -p 631 [target_ip]
Replace [target_ip] with the IP address of the target system. Note that this scans TCP port 631 only, which is where the cupsd print server and its web interface listen, not the UDP port that cups-browsed uses. To check the UDP port, you need an explicit UDP scan:
nmap -sU -p 631 [target_ip]
This command will perform a UDP scan on port 631. Because cups-browsed does not reply to the probe, Nmap usually reports the port as open|filtered rather than open; a lack of response is therefore not proof that the port is closed, and the host-side check above remains the authoritative test.
You can also configure any vulnerability management scanning (VMS) tool to scan address ranges for open UDP port 631.
How to check if your Linux Distro has CUPS installed:
To check if CUPS is installed on a Debian- or Ubuntu-based distribution, you can use the following command:
dpkg -l | grep cups
This command will list all installed packages and filter the results to show only those related to CUPS. The package to look for is cups-browsed, since that is the component that exposes UDP port 631; cups itself may be installed without it. On RPM-based distributions such as Red Hat, Fedora and SUSE, query rpm -qa in the same way.
By following these steps, you reduce your exposure to this vulnerability chain until patched packages are available. Stay vigilant and keep your systems updated to mitigate the remaining risk.
At the time of writing there are no patches, but mitigation measures are available:
While patches are still in development, Red Hat has shared mitigation measures that break the exploit chain at its first link: stop the cups-browsed service and prevent it from starting again on reboot, using the following commands:
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
Red Hat users can also use the following command to find out if cups-browsed is running on their systems:
sudo systemctl status cups-browsed
If the result displays "Active: inactive (dead)" and the unit is disabled, then the exploit chain is halted and the system is not vulnerable to this attack. If the result shows "Active: active (running)", or the unit is still "enabled" (it will come back at the next reboot even if it is currently stopped), and the "BrowseRemoteProtocols" directive in /etc/cups/cups-browsed.conf contains the value "cups", then the system is vulnerable. Stopping the service alone is not enough; disable it as well.
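The checks in this section and in the port-check section above can be combined into a single triage script. The following is an added example, not code from the original advisory or from the CUPS project. It relies only on the column layout of ss -lunp output and the directive syntax of cups-browsed.conf; the sample ss lines and config files used to exercise it are constructed here. The fallback value "dnssd cups" for a config file with no active BrowseRemoteProtocols line is an assumption about cups-browsed's compiled-in default.

```shell
#!/bin/sh
# Added example: triage helpers for the cups-browsed exposure described above.
# Not part of the original advisory. POSIX sh with awk, grep and ss(8).

# Print the local socket of every UDP listener on port 631 from `ss -lunp`
# output read on stdin. The local address is column 4; matching ":631$"
# means ports such as 6310 or 16310 are not reported.
udp_631_listeners() {
    awk 'NR > 1 && $4 ~ /:631$/ { print $4 }'
}

# Exit 0 if a UDP/631 listener is bound to a wildcard address, i.e. reachable
# from the network. A loopback-only binding is not the exposure in question.
udp_631_exposed() {
    udp_631_listeners | grep -Eq '^(0\.0\.0\.0|\*|\[::\]|::):631$'
}

# Print the effective BrowseRemoteProtocols value from a cups-browsed.conf:
# the last active (uncommented) directive wins, as in the daemon. If no
# active directive exists, fall back to "dnssd cups", which is ASSUMED here
# to be cups-browsed's compiled-in default.
browse_remote_protocols() {
    conf="$1"
    val=""
    if [ -r "$conf" ]; then
        val=$(awk 'tolower($1) == "browseremoteprotocols" {
                       $1 = ""; sub(/^ +/, ""); v = $0
                   }
                   END { print v }' "$conf")
    fi
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "dnssd cups"
    fi
}

# Exit 0 if the legacy CUPS browse protocol is enabled, which is the condition
# Red Hat's guidance keys on. Token match, so "cupsxyz" would not count.
uses_cups_browse_protocol() {
    browse_remote_protocols "$1" | tr 'A-Z' 'a-z' \
        | grep -Eq '(^|[[:space:]])cups([[:space:]]|$)'
}

# Live report for the current host; run with:  sh cups_check.sh --run
main() {
    if command -v systemctl >/dev/null 2>&1; then
        printf 'cups-browsed service: %s / %s\n' \
            "$(systemctl is-active cups-browsed 2>/dev/null)" \
            "$(systemctl is-enabled cups-browsed 2>/dev/null)"
    fi
    if ss -lunp 2>/dev/null | udp_631_exposed; then
        echo "UDP/631 listener bound to a wildcard address: network-reachable"
    else
        echo "no wildcard UDP/631 listener found"
    fi
    if uses_cups_browse_protocol /etc/cups/cups-browsed.conf; then
        echo "BrowseRemoteProtocols includes 'cups': legacy browse protocol enabled"
    else
        echo "legacy CUPS browse protocol not enabled in cups-browsed.conf"
    fi
}

case "${1:-}" in
    --run) main ;;
esac
```

The three conditions are reported separately on purpose: a host with cups-browsed stopped but still enabled, or with the service running but bound only to loopback, needs a different follow-up from one with a wildcard UDP/631 listener and the cups browse protocol on. Run it with --run on each candidate host, or feed saved ss output and copied config files to the individual functions when reviewing evidence collected elsewhere.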
If you have any questions or would like to find out more, please contact Softcat Cyber Services: cyberservicesteam@softcat.com.
