News: 1727372041

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

That doomsday critical Linux bug: It's CUPS. Could lead to remote hijacking of devices

(2024/09/26)


Updated After days of waiting and anticipation, what was billed as one or more critical unauthenticated remote-code execution vulnerabilities in all Linux systems was today finally revealed.

In short, if you're running the Unix printing system CUPS, including cups-browsed, then you may be vulnerable to attacks that could lead to your computer being commandeered over the network or internet.

The bugs were found and disclosed by software developer [1]Simone Margaritelli who has now openly disclosed the issue in detail [2]here .

[3]

What you need to know for now, according to Margaritelli, is:

Disable and/or remove the cups-browsed service.

Update your CUPS installation to bring in security updates when available.

Block access to UDP port 631 and consider blocking off DNS-SD, too.

It affects "most" Linux distros, "some" BSDs, possibly Google ChromeOS, Oracle's Solaris, and potentially others, as CUPS is pretty widely included in distributions.

To exploit this across the internet or LAN, a miscreant just needs to reach your CUPS service on UDP port 631. Hopefully none of you have that facing the public internet anyway.

If port 631 isn't available, an attacker may be able to spoof zeroconf, mDNS, or DNS-SD advertisements to achieve exploitation. Details of that path will be disclosed later. In fact, more details are promised.

If you don't have CUPS and/or cups-browsed on your system, you're good. If you were already firewalling off CUPS, you're most likely good.

How would a vulnerable system be hijacked? "A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP URLs with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer)," says Margaritelli.

[4]

[5]

Take all that info and decide for yourself how at-risk you are, and what steps to take. Margaritelli reckons there are hundreds of thousands of at-risk devices on the public internet.

He previously complained in a social media [6]thread that his bug reports weren't being taken serious enough, and decided to go fully public after feeling that he was hitting resistance from fellow developers.

[7]

He said the issues he found merited a CVSS severity score of 9.9 out of 10, and said Ubuntu-maker Canonical and IBM's Red Hat had agreed with him on that point. We're awaiting confirmation from both orgs.

"A vulnerability with a 9.9 CVSS indicates a low complexity to exploit and signs are pointing to the flaw existing at the core of the system," Sonatype CTO Brian Fox told The Register prior to today's disclosure.

"Considering this is Linux, the scope of this vulnerability is massive and successful exploitation could be devastating — everything from your Wi-Fi router to the grid keeping the lights on runs on Linux."

[8]

This is now a breaking news story. It was last revised at 2050 UTC following disclosure of the bugs. We will continue to update it as needed. Check back soon.

Get our [9]Tech Resources



[1] https://github.com/evilsocket

[2] https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZvXZgneLwcA8-e6-TE-U9wAAAEw&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZvXZgneLwcA8-e6-TE-U9wAAAEw&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZvXZgneLwcA8-e6-TE-U9wAAAEw&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://threadreaderapp.com/thread/1838169889330135132.html

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZvXZgneLwcA8-e6-TE-U9wAAAEw&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZvXZgneLwcA8-e6-TE-U9wAAAEw&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[9] https://whitepapers.theregister.com/



this better be in the kernel

Nate Amsden

I saw someone post in another forum speculating that the issue was with CUPS. Since I saw this last night I'm assuming it's somehow a kernel network exploit. If it's anything but that, really this will end up being another super over hyped thing.

Saying "every linux system in the past decade", the only thing those have in common is the various kernels. Obviously not an SSH or Apache, or whatever service exploit. If it does end up being with CUPS then that will be one of the biggest security jokes of the past decade, as only a fraction of 1% of linux systems run CUPS.

so, like others, I await the truth to be revealed. Assuming it is a kernel network thing I have to wonder if such an exploit is mitigated by means of passing the traffic through another device such as a firewall, especially if that firewall is running a kernel that is NOT linux.

I do recall I think in the late 90s there being one or two or more kernel bugs similar to Windows' "ping of death" though it wasn't a RCE, just a system crash...though maybe am remembering wrong.

Re: this better be in the kernel

DS999

Assuming it is a kernel network thing I have to wonder if such an exploit is mitigated by means of passing the traffic through another device such as a firewall

That's fine for corporate systems, but some sort of network based remote p0wn of Linux that didn't depend on an open port (i.e. OpenSSH/CUPS whatever type exploit) would be a major disaster for home users everywhere. Just about every one of us has some sort of Linux based device that connects their home network to their cable/fiber/whatever provider. If all I need is an IPv4 address to send some sort of magic packet(s) to that p0wns your device, I'm inside your network and other exploits would allow leveraging that for almost anything.

The only way I could imagine a 9.9 would be if this is what it is - a network packet that can p0wn any reachable Linux system even with no ports open and full firewall enabled. But I suspect it is less, and everyone is going to laugh at this single alarmist source who claims a 9.9 if it is something stupid like a CUPS exploit.

The worst thing about such a Linux based attack that allowed p0wn everyone's cable modem and wireless router is that the large majority of that equipment is no longer getting updates, so this would be a "gift that keeps on giving" for years and years.

EDIT: oh and I see below it is CUPS. This is a nothingburger, I hope everyone in the network security business remembers this guy's name and puts him on the "never hire" list, because he's a complete moron getting everyone worked up about something that wouldn't rate a single mention on sites like the Register if it wasn't for this Chicken Little fool.

Re: this better be in the kernel

cyberdemon

As mentioned below by @jailbird, it could be a serious vulnerability reported at the same time and by the same person as a 'nothingburger', which if true, would be pretty rotten of him

But I hope you are right, in which case I fully agree with your sentiment

Re: this better be in the kernel

doublelayer

There are a few services that I would accept as included in "every linux system in the past decade" even if they're not the kernel. It wouldn't be literally every system, but if it was something that ran on most of them, I'd still accept it. In that list I might include SSH, iptables (related services rather than the binary that iptables typically refers to), Systemd, or the very common core libraries. If, for example, someone managed to get a bug into glibc which somehow attached to any network stream established by a program that used glibc, then that would be pretty bad even though there are some Linux systems that don't use it. To qualify as every one in the last decade, though, it couldn't have been a recent regression.

CUPS is not in that list.

Re: this better be in the kernel

Blazde

CUPS was one of the true delights of Capture The Flag games 20 years ago. Great to see it's still delivering.

Maybe time for a rewrite in Rust.

-> Troll face for obvious reasons. I am only half-joking but this seems like logic errors & lack of input sanitisation which Rust wouldn't help much with

Its confirmed to be cups-browsed

Creslin

The original tweeter `evilsocket` and the repo maintainer are openly discussing it here on github

https://github.com/OpenPrinting/cups-browsed/issues/36

workaround (for now)

systemctl stop cups-browsed

systemctl disable cups-browsed

Re: Its confirmed to be cups-browsed

Alan J. Wylie

If it is cups-browsed, then I've got nothing to worry about. It's [N]ot installed. And no server I've ever managed has had it (or cups) installed either. "all GNU/Linux systems (plus others)"? Hardly.

[I] net-print/cups (2.4.7-r2@06/02/24): The Common Unix Printing System

[N] net-print/cups-bjnp (2.0.3-r1): CUPS backend for canon printers using proprietary USB over IP BJNP protocol

[N] net-print/cups-browsed (2.0.0): helper daemon to browse for remote CUPS queues and IPP network printers

[I] net-print/cups-filters (2.0.0-r1@04/06/24): Cups filters

Re: Its confirmed to be cups-browsed

jailbird

I wonder if this is a separate issue. The cups bug says it is a DoS, while the Tweet for this 9.9 says it's a RCE.

Re: Its confirmed to be cups-browsed

GBE

I wonder if this is a separate issue. The cups bug says it is a DoS, while the Tweet for this 9.9 says it's a RCE.

Exactly.

And in the scope of "things that run Linux", the ones running cups-browsed comprise approximately 0%.

A DoS attack on cups-browsed doesn't sound anything at all like what the original tweet is describing.

Re: Its confirmed to be cups-browsed

Creslin

Pretty sure its cups-browsed - if read the git thread `evilsocket` is annoyed at the git maintainer as some of his recent patches are fixing the main, not ddos, issue.

Here is the commit with part fix to the RCE, checking attribute types are correct.

https://github.com/OpenPrinting/cups/commit/96b3bdf010e78880f5764e5032720379aa1116df

Report to full disclosure in three weeks??

cyberdemon

WTF? Even if it could be fixed immediately, we need time to patch it.

What, other than massaging a wannabe supervillain ego and causing global panic, could be his reason for going full disclosure so early?

Icon: I'm sure he'll be listening out for this for the next few hours at least

EDIT: OK, if it's 'just' CUPS-browsed as alluded to above, then he's just overhyping it. Hardly "Every Linux system" as claimed (which would suggest that my router/firewall is probably vulnerable too)

Re: Report to full disclosure in three weeks??

Anonymous Coward

You would be amazed at how many home/soho routers have a print server on them so you can share your USB printer on the network....

Re: Report to full disclosure in three weeks??

cyberdemon

Yes although -one would hope- the print server ports are not exposed to the 'WAN' interface.

Re: Report to full disclosure in three weeks??

Steven Raith

(AC from above)

Hope indeed.....

WTF is a WiFi router?

markrand

I have a router. I have a (Cisco) Wireless LAN Controller. I have WiFi access points. What is a WiFi router, other than a made up thing?

Re: WTF is a WiFi router?

cyberdemon

It's a consumer-level device, very popular among the proletariat, which combines these functions into the one device, m'lud.

Re: WTF is a WiFi router?

David 132

Oh, to facilitate them in listening to their "popular beat combos"?

Re: WTF is a WiFi router?

Scott 26

I read that in Paul Merton's voice talking to Ian Hislop

I hope that was the intention!

Re: WTF is a WiFi router?

GBE

It's a combination of a router/firewall and a WAP. They're very, very common in residential installations.

And lots of them run Linux.

williamyf

1.) CUPS started in 1999, and yet, not enough eyes.

2.) If this was in windows, we would be asking: What kind of security model allows a userpace program to grant RCE into the sysytem as root? And yet, here we are...

cyberdemon

Have you seen the Windows networked-printer driver model? It's roughly as follows:

"Hi, do you have any printers?" > "Yes, here's a list." > "Hmm, I don't seem to have a driver for that one" > "No problem, here's a driver, load it into your kernel" > "Okay"

Nate Amsden

https://www.theverge.com/2021/7/2/22560435/microsoft-printnightmare-windows-print-spooler-service-vulnerability-exploit-0-day

(note: from 2021)

"Microsoft is warning Windows users about an unpatched critical flaw in the Windows Print Spooler service. The vulnerability, dubbed PrintNightmare, was uncovered earlier this week after security researchers accidentally published a proof-of-concept (PoC) exploit. While Microsoft hasn’t rated the vulnerability, it allows attackers to remotely execute code with system-level privileges, which is as critical and problematic as you can get in Windows."

this CUPS thing is a joke. Here I was worried about things like network switches, storage arrays, firewalls, web servers. My local linux laptop runs cups (though I have no printers), I manage roughly 800 other linux systems at work and not one of them has ever had CUPS installed.

Anonymous Coward

Aye, same boat here - nowt in 'my estate' (some 200 boxes) has CUPS on it.

But it's getting enough press that customers might ask, so it's worth having a read through the blog to get the details.

It's quite an interesting little exploit chain, even if it's not quite as widespread as the dev thinks (possibly overestimating how many systems have CUPS installed - basically all desktops out of the box, but not many servers unless you explicitly choose it/set it up - although cheap routers with USB sharing might be at risk, especially if they have a shitty uPnP implementation...).

It's out there enough in the press that I've scrawled up a quick response to any clients who ask about it, and to advise our desktop linux users to triple check their firewalls are set up in such a way as to effectively defeat any exploits that come out, till it gets patched.

Better safe than sorry, especially as some of them are out and about a bit on public networks etc....

Judging...

Anonymous Coward

If it is truly that serious, and he's getting that much push back from the developer, it must be systemd. But thankfully that doesn't affect every single Linux device, just most of them. The sane systems don't use it.

Re: Judging...

GBE

If it is truly that serious, and he's getting that much push back from the developer, it must be systemd. But thankfully that doesn't affect every single Linux device, just most of them.

Nope, most Linux systems don't use systemd. Remeber: most Linux systems are phones. And they don't use systemd.

Alan J. Wylie

This on [1]twitter at 19:00 UTC. CUPS is one of Openprinting's projects.

Simone Margaritelli @evilsocket

Mark this. 1 hour to go.

[2]https://openprinting.github.io/codeofconduct/

[1] https://twitter.com/search?q=evilsocket

[2] https://openprinting.github.io/codeofconduct/

cyberdemon

Good. So the so-called "doomsday" vulnerability is hopefully just print-server related

In an hour, he'll learn the price of trolling the whole tech sector

Anonymous Coward

Best add Canonical and Red Hat to that list - they're the ones who rated it a 9.9, not the researcher. They're unlikely to apply that to something of such comparatively limited scope.

Suppose we'll find out in

*checks watch*

Five minutes.

As a reminder, Heartbleed was a 7.5...

TrevorH

The issue linked is to one that is public because it appears to be less severe. It mentions other fixes to libcupsfilters and libppd which are not public so are presumably more severe. I am dubious whether these will end up being as severe as the hype makes out.

cyberdemon

I suppose we'll find out in 18 minutes.

I do wish El Reg would update the article to add the CUPS link though, as it seems a bit sensational without it, but I suppose we were all too lazy to ping their corrections@ inbox

Full disclosure has been released - its cups-browsed, link in body.

Creslin

https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1 << disclosure

Released early as the whole world figured out it was cups-browsed.

edit: CVEs

CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL.

CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system.

CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD.

CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.

My personal take is whilst thankful for the find, the OP `evilsocket` laid so many breadcrumbs describing the vector and cloning cups-browsed to his repo finding recent commits to cups-browsed became trivial.

https://github.com/OpenPrinting/cups/commit/96b3bdf010e78880f5764e5032720379aa1116dfts

TLDR; browsed lack of sanitizing attributes in IPP - as addressed in the commit above.

```

printer-privacy-policy-uri = [https://www.google.com/"\n*FoomaticRIPComman…|https://www.google.com/%22%5Cn*FoomaticRIPCommandLine]: "echo 1 > /tmp/PWNED"\n*cupsFilter2 : "application/pdf application/vnd.cups-postscript 0 foomatic-rip

```

Re: Full disclosure has been released - its cups-browsed, link in body.

Creslin

OP writeup

https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

Re: Full disclosure has been released - its cups-browsed, link in body.

Mage

So can't be a doomsday 9.9

Meh.

Unless Drive by 3rd party evil js via browser can work it? If so another reason to by default block all 3rd scripts, Though CloudFlare thinks you are a bot when you do that. Idiots.

Re: Full disclosure has been released - its cups-browsed, link in body.

sten2012

It's a remote code execution with no authentication. Definitely a 9.9

CVSS base score doesn't care how widespread software is.

Heartbleed was serious and widespread but an information disclosure that in and of itself doesn't offer RCE.

A lot of people here are confused about the scope and utilisation of CVSS base scores.

But yes. There was much hype. Over a serious but not completely ubiquitous issue

Is that all?

GBE

There people who enable cups-browsed?

I've never seen it running on any Linux machine I've used during the past 30-odd years.

That's got to be a tiny, tiny percentage of Linux systems. Hardly "affects all Linux systems and distros" as originally claimed.

Re: Is that all?

diodesign

FWIW I'm using Debian 12.7 right now (desktop Linux FTW) and I not only had cups-browsed installed, I just removed it.

C.

Re: Is that all?

cyberdemon

The OP (evilsocket) claims to have seen 300k linux systems with open CUPS ports on the Internet using shodan.io. But how many are real and how many are honeypots, who knows

Re: Is that all?

BinkyTheMagicPaperclip

300K is not a lot in terms of the Internet. Yes, it's a lot of systems, yes it's a problem, but it's a drop in the ocean compared with all Linux systems or the majority of Unix systems.

At least the author has the grace to question the 9.9 rating. 9.9 as it's easily exploited, but only if you're running a service many Unix systems aren't.

Having said that, if you're printing, you're probably using CUPS. I've tried looking at non CUPS solutions for printing and painful doesn't even begin to describe the documentation and moving parts.

Re: Is that all?

GBE

Having said that, if you're printing, you're probably using CUPS.

Yes, but you don't need to have cups-browsed running to use CUPS. I've been using CUPS for decades and have never enabled cups-browsed.

Sheesh. Kids these days and their silly auto-magical auto-discovery stuff!

Re: Is that all?

breakfast

I'd be very surprised if there were within an order of magnitude of 300k honeypots.

Re: Is that all?

FlippingGerman

My mini-pc home server running Ubuntu had it installed and running. My Raspberry Pis appear not to.

You can't get hacked if you don't have it.

Anonymous Coward

Rocky 8 Desktop default.

cups-browsed.service - Make remote CUPS printers available locally

Loaded: loaded (/usr/lib/systemd/system/cups-browsed.service; disabled; vendor preset: disabled)

Rocky 9 Server not installed by default.

*YAWN*

Anonymous Coward

$ systemctl status cups-browsed

● cups-browsed.service - Make remote CUPS printers available locally

Loaded: loaded (/usr/lib/systemd/system/cups-browsed.service; disabled; vendor preset: disabled)

Active: inactive (dead)

Mountains, molehills ....

jake

... and storms in tea CUPS.

Gotta love Chicken Little syndrome. Selling column-inches since the advent of the red-top.

There is a time in the tides of men,
Which, taken at its flood, leads on to success.
On the other hand, don't count on it.
-- T. K. Lawson