Linux Printing System Vulnerabilities Lead to Remote Code Execution (RCE)

CUPS is the most widely used printing system on Linux and other UNIX-like operating systems. It is made up of a myriad of components that work together to make it function. One such component is the cups-browsed daemon, which is responsible for discovering new printers on the network and automatically adding them to the system. Margaritelli found that this daemon, which listens for UDP packets from printers on the network, is entirely indiscriminate about which devices it accepts packets from, meaning that any device on the network can create a new printer on the machine.

In order to achieve RCE on the target machine, an attacker must create a malicious PostScript Printer Description (PPD) and manually advertise it to the target’s cups-browsed service listening on UDP port 631. This abuses the service’s indiscriminate acceptance of packets to install a malicious printer and make it available as a printing option to the system’s users.

The malicious PPD uses a foomatic-rip filter to execute the attacker’s commands when a print job is sent to the printer.

PostScript Printer Description (PPD): A file used to communicate the features and functions of a specific printer to the operating system. These files can contain PostScript commands that enable the system to communicate effectively with the printer.

Foomatic-rip filter: A print filter that executes commands on the device to ensure that a print job is rendered correctly.

Now, here’s the tricky part. A user on the now-exposed system must try to print to the newly added malicious printer for the attack to move forward. If they do so, the malicious command in the PPD is triggered and executes locally on the computer.

Red Hat has rated the flaws as having an “Important” severity impact rather than “Critical”. This is an unconventional rating for an RCE chain.

Red Hat: A popular Linux distribution.

The reason for this rating is that, although the flaws form an RCE chain that would normally be given a critical severity rating, there are several obstacles to overcome before remote code execution is actually achieved.

First of all, the target needs to have the cups-browsed daemon enabled, which is not the case by default on most systems. Even if this condition is satisfied, a user still has to be tricked into selecting the newly introduced malicious printer for a print job.

The need for both of these conditions to be satisfied makes this RCE chain a high-impact but highly mitigable series of flaws, which justifies the rating given to it by Red Hat, in my opinion at least.

You can check whether your system is vulnerable to this attack by running the following command in a terminal:

If the result displays “Active: inactive (dead)”, then the exploit chain is halted and the system is not vulnerable.

However, if the result shows “running” or “enabled”, and the “BrowseRemoteProtocols” directive in the configuration file /etc/cups/cups-browsed.conf contains the value “cups”, then the system is vulnerable.
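The two conditions above (service status plus the BrowseRemoteProtocols directive) can be combined into a single check. The script below is an added example, not code from the original post or from the CUPS project; the `systemctl status` output and the cups-browsed.conf files it reads are constructed so that it runs offline, and on a real host you would pass in `"$(systemctl status cups-browsed 2>&1)"` and `/etc/cups/cups-browsed.conf` instead.

```shell
#!/bin/sh
# Added example: classify a host against the two conditions in the post.
# Constructed inputs are used so the logic can be exercised offline.

# conf_allows_cups CONF_FILE
# Exit 0 when the last uncommented BrowseRemoteProtocols line lists "cups".
# An absent directive is treated as not matching; review such hosts by hand.
conf_allows_cups() {
    grep -E '^[[:space:]]*BrowseRemoteProtocols[[:space:]]' "$1" \
        | tail -n 1 \
        | grep -qE '(^|[[:space:]])cups([[:space:]]|$)'
}

# assess_host STATUS_TEXT CONF_FILE
# STATUS_TEXT is the output of `systemctl status cups-browsed`.
# Prints one of: not-vulnerable, vulnerable, review
assess_host() {
    status="$1"; conf="$2"
    case "$status" in
        *"Active: inactive"*) echo "not-vulnerable"; return 0 ;;
    esac
    case "$status" in
        *running*|*enabled*)
            if conf_allows_cups "$conf"; then echo "vulnerable"
            else echo "review"   # daemon up, but "cups" not in BrowseRemoteProtocols
            fi; return 0 ;;
    esac
    echo "review"   # unexpected status text; inspect manually
}

# --- constructed sample data (not from a real host) ---
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/vuln.conf" <<'EOF'
# constructed cups-browsed.conf with legacy CUPS browsing enabled
BrowseRemoteProtocols dnssd cups
EOF
cat > "$TMP/hardened.conf" <<'EOF'
# constructed cups-browsed.conf; the old directive is commented out
# BrowseRemoteProtocols dnssd cups
BrowseRemoteProtocols dnssd
EOF
RUNNING='cups-browsed.service - Make remote CUPS printers available locally
     Loaded: loaded (/lib/systemd/system/cups-browsed.service; enabled)
     Active: active (running) since Mon 2024-09-30 10:00:00 UTC'
DEAD='cups-browsed.service - Make remote CUPS printers available locally
     Loaded: loaded (/lib/systemd/system/cups-browsed.service; disabled)
     Active: inactive (dead)'

assess_host "$RUNNING" "$TMP/vuln.conf"      # vulnerable
assess_host "$RUNNING" "$TMP/hardened.conf"  # review
assess_host "$DEAD"    "$TMP/vuln.conf"      # not-vulnerable
```

A "review" result means the daemon is running but the configuration alone does not confirm exposure, so the host should be inspected manually rather than assumed safe.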

If the system is vulnerable, run the following commands to stop the cups-browsed service and prevent it from being started again on reboot:

Run the check again after these commands to confirm that your system is no longer vulnerable.

Patches are in development in the meantime.