Today, a researcher reported a set of CUPS vulnerabilities that when triggered together, can lead to remote code execution (RCE). While the impact of this vulnerability is still being assessed, we’ll provide background into CUPS as well as guidance to reduce your exposure.
What is CUPS?
CUPS is the de facto standard for open source printing service. It’s used in many different operating systems and is packaged in many distributions. It’s been in use for over 25 years, and is still under active development and maintenance. The CUPS service is often used in production workloads, and can be exposed to the internet. Some Linux distributions run CUPS by default.
What are the vulnerabilities?
The researcher published a set of different vulnerabilities that, when combined together, can trigger arbitrary command execution. CVE-2024-47176 details that CUPS is accessible on UDP port 631 from any address. In isolation, simply blocking ingress traffic on port 631 would mitigate the risk.
This vulnerability can be chained with three other CUPS vulnerabilities, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177. This essentially allows an attacker to spoof a printer, register it, run a command, and trigger a remote code execution (RCE). However, a slightly different method of attack can still be triggered through zeroconf / mDNS / DNS-SD over a local network, even when UDP port 631 is blocked.
Exploits are already circulating for these vulnerabilities and we can assume that attackers will be scanning systems to take advantage.
There is a lot of hype about this vulnerability because the researcher who had found it went public with what they felt was a lacking process for resolving it. The disclosure date was set for Oct 6, but hints of the vulnerabilities appeared in the public CUPS GitHub repository, which was picked up and eventually got the vulnerabilities to leak before a proper patch was released.
It’s worth noting that this is not the first time a vulnerability was disclosed in this fashion. Spectre and Meltdown were leaked in a similar way: through some information that was picked up from Linux development activity that was being carried out to circumvent the vulnerabilities.
What’s the impact?
The impact is not yet well understood, but one article citing the researcher who disclosed these vulnerabilities claims as many as 300,000 devices could be exposed. Other research firms claim to have observed some IoT devices that may be vulnerable. Other exposed devices could be desktops, many of which are likely to be personal computers, although some enterprises do use Linux on desktops.
What are my options to reduce exposure?
As of this writing, patches are not yet available for these CUPS vulnerabilities. However, there are steps that can be taken now to reduce exposure in advance of patching:
- Block UDP port 631
- Monitor and block any external UDP service if you’re not using it - especially zeroconf / mDNS / DNS-SD if possible
- Disable CUPS service until a patch is released
We will continue to monitor and update here as more information is available. We are working with Dazz customers to quickly mitigate and fix the vulnerability, just like any other vulnerability they find. Whether you’re a customer or not, you can contact us here for any guidance: https://www.dazz.io/remediation-center