September 27, 2024 | Ravie Lakshmanan | Linux / Vulnerability
A new set of security vulnerabilities has been disclosed in OpenPrinting Common Unix Printing System (CUPS) on Linux systems that could allow remote command execution under certain conditions.
“A remote, unauthenticated attacker can maliciously replace the IPP URL of an existing printer (or install a new one), so that when a print job (from that computer) is initiated, arbitrary commands could be executed (on the computer),” security researcher Simone Margaritelli said.
CUPS is a standards-based open source printing system for Linux and other Unix-like operating systems, including Arch Linux, Debian, Fedora, Red Hat Enterprise Linux (RHEL), ChromeOS, FreeBSD, NetBSD, OpenBSD, openSUSE, and SUSE Linux.
Here is the list of vulnerabilities:
- CVE-2024-47176 - cups-browsed <= 2.0.1 binds to UDP INADDR_ANY:631 and trusts packets from arbitrary sources, triggering Get-Printer-Attributes IPP requests to attacker-controlled URLs
- CVE-2024-47076 - libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system
- CVE-2024-47175 - libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize IPP attributes when writing them to a temporary PPD file, allowing attacker-controlled data to be inserted into the resulting PPD
- CVE-2024-47177 - cups-filters <= 2.0.1 foomatic-rip allows execution of arbitrary commands via the FoomaticRIPCommandLine PPD parameter
The net result of these shortcomings is that the four flaws can be chained: an attacker could create a malicious fake print device on a network-exposed Linux system running CUPS and trigger remote code execution when a print job is submitted.
“The issue is due to improper handling of the ‘new printer is available’ announcement in the ‘cups-browsed’ component and inadequate validation by ‘cups’ of information provided by a malicious print resource. This occurs for the following reason,” said network security company Ontinue.
“This vulnerability is due to insufficient validation of network data that could allow an attacker to obtain a vulnerable system, install a malicious printer driver, send print jobs to the driver, and then insert malicious code. The malicious code runs with the privileges of the lp user, not the superuser ‘root’.”
RHEL said in its advisory that all versions of the operating system are affected by the four flaws, but noted that default configurations are not vulnerable. The issue has been tagged as Important in severity, although its real-world impact is considered low.
“This chain of vulnerabilities could allow an attacker to remotely execute code, which could lead to theft of sensitive data or damage to critical production systems,” it said.
Cybersecurity firm Rapid7 noted that affected systems could be exploited from across the public Internet or network segments as long as UDP port 631 is accessible and the vulnerable service is listening.
Palo Alto Networks has stated that its products and cloud services are not affected by this flaw because they do not include the aforementioned CUPS-related software packages.
Patches for these vulnerabilities are currently in development and are expected to be released within the next few days. In the meantime, we recommend disabling and removing the cups-browsed service and blocking or restricting traffic to UDP port 631 if it is not needed.
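The two interim mitigations above (no cups-browsed listener on UDP/631, and no legacy CUPS browsing in cups-browsed.conf) can be audited with the following checks, written for this article as an example rather than taken from the article, CUPS or OpenPrinting. It assumes the `ss -lun` column layout, that the cups-browsed.conf key BrowseRemoteProtocols defaults to "dnssd cups" when absent, and runs over constructed sample inputs.

```shell
#!/bin/sh
# Offline audit helpers for the cups-browsed mitigations (added example, not project code).
# Assumptions: `ss -lun` columns are State Recv-Q Send-Q Local:Port Peer:Port Process, and
# cups-browsed's BrowseRemoteProtocols key defaults to "dnssd cups" when the key is absent.

# udp631_listening SS_OUTPUT: exit 0 if any UDP socket is bound to port 631.
udp631_listening() {
  printf '%s\n' "$1" | awk '$1 == "UNCONN" && $4 ~ /:631$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# cups_browsing_enabled CONF_TEXT: exit 0 if cups-browsed would still accept legacy CUPS
# browse packets, i.e. "cups" is listed in BrowseRemoteProtocols or the key is absent (default).
# Comment lines are ignored; the last occurrence of the key wins.
cups_browsing_enabled() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*#/ { next }
    tolower($1) == "browseremoteprotocols" {
      seen = 1; cups = 0
      for (i = 2; i <= NF; i++) if (tolower($i) == "cups") cups = 1
    }
    END { if (!seen) exit 0; exit cups ? 0 : 1 }'
}

# Constructed sample inputs (not captured from a real host).
SS_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*         users:(("cups-browsed",pid=4242,fd=7))
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*'
SS_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*'
CONF_WEAK='# shipped default
BrowseRemoteProtocols dnssd cups'
CONF_HARDENED='BrowseRemoteProtocols dnssd cups
BrowseRemoteProtocols none'

# audit SS_OUTPUT CONF_TEXT: prints findings; exit 0 only when neither check fires.
audit() {
  rc=0
  udp631_listening "$1" && { echo "FINDING: UDP/631 listener present (cups-browsed?)"; rc=1; }
  cups_browsing_enabled "$2" && { echo "FINDING: BrowseRemoteProtocols still includes cups"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: no cups-browsed exposure found"
  return "$rc"
}

audit "$SS_BEFORE" "$CONF_WEAK" || true      # two findings, exit status 1
audit "$SS_AFTER" "$CONF_HARDENED" || true   # OK, exit status 0
```

On a live host, feed the functions `"$(ss -lun)"` and `"$(cat /etc/cups/cups-browsed.conf)"` instead of the constructed samples.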
WatchTowr CEO Benjamin Harris said in a statement shared with The Hacker News: “The embargoed Linux unauth RCE vulnerability, which has been touted as the end of Linux systems, only affects some systems. It seems like there is a possibility that it will be given.”
“Considering this, the vulnerability in terms of technical impact is significant, but it does not prevent desktop machines/workstations running CUPS from being exposed to the Internet in the same way or in the same number as typical server editions of Linux. The chances of it happening are much lower.”
Satnam Narang, senior staff research engineer at Tenable, said these vulnerabilities are not at the level of Log4Shell or Heartbleed.
“The reality is that there are countless vulnerabilities across a wide variety of software, whether open source or closed source, that have yet to be discovered and disclosed,” Narang said. “Security research is essential to this process, and we can and should demand better from our software vendors.”
“For organizations focused on these latest vulnerabilities, the most impactful and concerning flaws are known and continue to be exploited by nation-state-linked advanced persistent threat groups and ransomware affiliates. It’s important to emphasize that ‘vulnerabilities’ are the ones that steal millions of dollars from businesses every year.”