OpenPrinting News Flash - cups-browsed Remote Code Execution vulnerability

What happened?

On September 5 we got a GitHub security advisory (GHSA) on cups-browsed about a remote code execution. It is possible to create an emulation of an IPP printer with forged metadata to make cups-browsed auto-generate a print queue and the PPD generator of libcups or libppd create a PPD with added lines so that the foomatic-rip filter gets used and the PPD defines a filter command line for foomatic-rip which is supplied by the attacker.

The reporter, Simone Margaritelli (aka evilsocket), started investigating when he discovered that cups-browsed accepts UDP packets on port 631 from any source to trigger a get-printer-attributes IPP request. He then found further bugs leading up to the remote code execution.

He posted on X (formerly Twitter) on September 23 that he recently reported a severe security issue, an “Unauthorized RCE on all GNU/Linux systems) with a CVSSv3 score (agreed on with Canonical and Red Hat) of 9.9 of 10, but not telling anything about that it was his report about cups-browsed. He also told in the post that he has spent 3 weeks on the investigations, and that a disclosure date was agreed on with the devlopers. The message got hidden shortly after, but one can still read it on some archiving sites.

Seth Arnold of Canonical’s security team made me aware of this X message on Tuesday, September 24 and this started continues conversation of me with the security team on the Canonical-internal chat, along with already ongoing conversation on GitHub and VINCE. On Thursday, September 26 I read on VINCE that the vulnerability has leaked and so we had to agree on a quick disclosure. Instead of on the originally planned disclosure on October 6 we agreed to disclose still on September 26, at 20:00 UTC.

Canonical’s security team has acted immediately to quickly apply the patches which Michael Sweet (author and maintainer of CUPS) had already prepared for CUPS, cups-browsed, libcups-filters, libppd, and cups-filters (in the time from the first report until then I was some days off and I was also on the Open Source Summit Europe, thanks, Michael Sweet, for stepping in, also thanks to Zdenek Dohnal from Red Hat) to the appropriate in all supported Ubuntu versions, so that at the time of disclosure most fixes were already in place. They also reported in an Ubuntu blog. They tell users what to do, from turning off cups-browsed or at least its legacy CUPS browsing support to updating their systems as the fixes were already available. Thanks a lot to Seth Arnold, Marc Deslauriers, Diogo Sousa, Mark Esler, Luci Stanescu, and more.

At the time of disclosure there appeared tons of posts on Mastodon about this subject matter and I have given several answers.

A good and detailed description of the vulnerability comes from Simone himself in his blog. Thanks to Simone Margaritelli for the detailed investigation and also the detailed description about how the vulnerability works. Investigators of this kind are really needed to keep free software on a high security level. This vulnerability could never have been found by automated methods like fuzzing or code analysis.

Overhyped

The X post really overhyped the vulnerability. Attacks from the internet are not very probable due to the fact that servers on the internet do not have cups-browsed and CUPS installed and CUPS/cups-browsed setups are there usually only in NAT-protected local networks with desktop machines and print servers. And the remote code execution is also rather restricted, as CUPS filters are not running as root, but as the system user “lp” which cannot even read user’s home directories. In addition, the remote code execution only happens when a user actually prints a job on the fake printer. Actually assigned scores ended up between 8.4 and 9.1.

The bugs are the following

• CVE-2024-47176: cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a get-printer-attributes IPP request to an attacker-controlled URL (GHSA)
  • Preliminary Fix cups-browsed
  • Preliminary Fix cups-filters 1.x
• CVE-2024-47076: cfGetPrinterAttributes5() (libcupsfilters 2.x) and get_printer_attributes5() (cups-filters 1.x) does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system (GHSA)
  • Fix libcupsfilters 2.x
  • Fix cups-filters 1.x
• CVE-2024-47175: In libppd ppdCreatePPDFromIPP2() does not validate or sanitize the IPP attributes when writing them to the PPD file, allowing the injection of attacker-controlled data into the resulting PPD (GHSA)
  • Fix libppd
  • Fix CUPS Validate IPP attributes in PPD generator
  • Fix CUPS Refactor make-and-model code
  • Fix CUPS PPDize preset and template names
  • Fix CUPS Quote PPD localized strings
  • Fix CUPS Fix warnings for unused vars
• CVE-2024-47177: cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter (GHSA)

The already available fixes are sufficient to prevent the exploit.

What we still will fix/improve

• cups-browsed: Remove legacy CUPS browsing and LDAP support altogether
• cups-filters: Create hash tables for each package with Foomatic PPD files, with a hash for each command line prototype string or strings to be inserted into the prototype depending on option settings. When printing a job, foomatic-rip generates the hash of each string and checks against the table. Issues an error in log file if hash not found, telling user they would need to create hash table for their PPD. For official packages hash tables are generated during build and included in the package.

What should you do to get protected?

• Update your system, especially take care that the packages cups, libcups, cups-browsed, libcupsfilters, libppd, and cups-filters packages get updated. Most Linux distributions should already have fixed packages available.
• Restart cups-browsed after the update

In addition, especially if you did not yet get updates for your distro, do:

• Turn off CUPS browsing in cups-browsed.conf:
  • Edit /etc/cups/cups-browsed.conf
  • Search for the BrowseRemoteProtocols configuration option
  • Set the option to dnssd or to none (the default value is dnssd cups)
  • Restart cups-browsed

Contact us

Stay updated on Mastodon: #OpenPrinting and @till@ubuntu.social.

Or discuss on our mailing lists:

• Development: printing-architecture AT lists DOT linux DOT dev (Archive)
• Users: printing-users AT lists DOT linux DOT dev (Archive)

Subscribing/Unsubscribing instructions

Or on the Telegram OpenPrinting chat