OpenPrinting News Flash - cups-browsed Remote Code Execution vulnerability

Update: Legacy CUPS browsing now removed in cups-browsed 2.x and 1.x, report about DoS vulnerability of legacy CUPS browsing in cups-browsed, blog/podcast/video coverage

What happened?

On September 5 we got a GitHub security advisory (GHSA) on cups-browsed about a remote code execution. It is possible to create an emulation of an IPP printer with forged metadata to make cups-browsed auto-generate a print queue and the PPD generator of libcups or libppd create a PPD with added lines so that the foomatic-rip filter gets used and the PPD defines a filter command line for foomatic-rip which is supplied by the attacker. So we have a remote code execution (RCE) vulnerability.

The reporter, Simone Margaritelli (aka evilsocket), started investigating when he discovered that cups-browsed accepts UDP packets on port 631 from any source to trigger a get-printer-attributes IPP request. He then found further bugs leading up to the remote code execution.

He posted on X (formerly Twitter) on September 23 that he recently reported a severe security issue, an “Unauthorized RCE on all GNU/Linux systems) with a CVSSv3 score (agreed on with Canonical and Red Hat) of 9.9 of 10, but not telling anything about that it was his report about cups-browsed. He also told in the post that he has spent 3 weeks on the investigations, and that a disclosure date was agreed on with the developers. The message got hidden shortly after, but one can still read it on some archiving sites.

Seth Arnold of Canonical’s security team made me aware of this X message on Tuesday, September 24 and this started continues conversation of me with the security team on the Canonical-internal chat, along with already ongoing conversation on GitHub and VINCE. On Thursday, September 26 I read on VINCE that the vulnerability has leaked and so we had to agree on a quick disclosure. Instead of on the originally planned disclosure on October 6 we agreed to disclose still on September 26, at 20:00 UTC.

Canonical’s security team has acted immediately to quickly apply the patches which Michael Sweet (author and maintainer of CUPS) had already prepared for CUPS, cups-browsed, libcups-filters, libppd, and cups-filters (in the time from the first report until then I was some days off and I was also on the Open Source Summit Europe, thanks, Michael Sweet, for stepping in, also thanks to Zdenek Dohnal from Red Hat) to the appropriate in all supported Ubuntu versions, so that at the time of disclosure most fixes were already in place. They also reported in an Ubuntu blog. They tell users what to do, from turning off cups-browsed or at least its legacy CUPS browsing support to updating their systems as the fixes were already available. Thanks a lot to Seth Arnold, Marc Deslauriers, Diogo Sousa, Mark Esler, Luci Stanescu, and more.

At the time of disclosure there appeared tons of posts on Mastodon about this subject matter and I have given several answers.

A good and detailed description of the vulnerability comes from Simone himself in his blog. Thanks to Simone Margaritelli for the detailed investigation and also the detailed description about how the vulnerability works. Investigators of this kind are really needed to keep free software on a high security level. This vulnerability could never have been found by automated methods like fuzzing or code analysis.

Some days later, Peter van Dijk (aka Habbie, also thanks for your report) has reported another vulnerability of the legacy CUPS browsing support as a GHSA on cups-filters. It was possible to send a well-formed CUPS broadcast packet to UDP port 631 of cups-browsed, but with a port 80 URL of a web site which redirects on the port and then cups-browsed falls into an infinite loop sending HTTP requests which can only be stopped by kill -9. This vulnerability got independently discovered and treated in detail by Akamai and posted in their blog.

Overhyped

The X post by Simone really overhyped the vulnerability. Attacks from the internet are not very probable due to the fact that servers on the internet do not have cups-browsed and CUPS installed and CUPS/cups-browsed setups are there usually only in NAT-protected local networks with desktop machines and print servers. And the remote code execution is also rather restricted, as CUPS filters are not running as root, but as the system user “lp” which cannot even read user’s home directories. In addition, the remote code execution only happens when a user actually prints a job on the fake printer. Actually assigned scores ended up between 8.4 and 9.1.

The bugs and fixes are the following

• CVE-2024-47176: cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a get-printer-attributes IPP request to an attacker-controlled URL (GHSA)
  • Preliminary fix cups-browsed: Turn off CUPS browsing in configuration file
  • Preliminary fix cups-filters 1.x: Turn off CUPS browsing in configuration file
  • Final fix cups-browsed: Remove CUPS browsing and LDAP support
  • Final fix cups-filters 1.x: Remove CUPS browsing and LDAP support
• CVE-2024-47076: cfGetPrinterAttributes5() (libcupsfilters 2.x) and get_printer_attributes5() (cups-filters 1.x) does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system (GHSA)
  • Fix libcupsfilters 2.x
  • Fix cups-filters 1.x
• CVE-2024-47175: In libppd ppdCreatePPDFromIPP2() does not validate or sanitize the IPP attributes when writing them to the PPD file, allowing the injection of attacker-controlled data into the resulting PPD (GHSA)
  • Fix libppd
  • Fix CUPS: Validate IPP attributes in PPD generator
  • Fix CUPS: Refactor make-and-model code
  • Fix CUPS: PPDize preset and template names
  • Fix CUPS: Quote PPD localized strings
  • Fix CUPS: Fix warnings for unused variables

• CVE-2024-47177: cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter (GHSA, Issue)

• CVE-2024-47850: cups-browsed (before 2.5b1?) will send an HTTP POST request to an arbitrary destination and port in response to a single IPP UDP packet requesting a printer to be added. The request is meant to probe the new printer but can be used to create DDoS amplification attacks (on non-printer devices). This is a different vulnerability than CVE-2024-47176 mentioned above but the remedy is the same, turning off or removing legacy CUPS browsing support in cups-browsed (GHSA)
  • Preliminary fix cups-browsed: Turn off CUPS browsing in configuration file
  • Preliminary fix cups-filters 1.x: Turn off CUPS browsing in configuration file
  • Final fix cups-browsed: Remove CUPS browsing and LDAP support
  • Final fix cups-filters 1.x: Remove CUPS browsing and LDAP support

The already available fixes are sufficient to prevent both exploits.

What we still will fix/improve

• cups-filters: Create hash tables for each package with Foomatic PPD files, with a hash for each command line prototype string or strings to be inserted into the prototype depending on option settings. When printing a job, foomatic-rip generates the hash of each string and checks against the table. Issues an error in log file if hash not found, telling user they would need to create hash table for their PPD. For official packages hash tables are generated during build and included in the package. This fix is still discussed.

What should you do to get protected?

• Update your system, especially take care that the packages cups, libcups, cups-browsed, libcupsfilters, libppd, and cups-filters packages get updated. Most Linux distributions should already have fixed packages available.
• Restart cups-browsed after the update

In addition, especially if you did not yet get updates for your distro, do:

• Turn off CUPS browsing in cups-browsed.conf:
  • Edit /etc/cups/cups-browsed.conf
  • Search for the BrowseRemoteProtocols configuration option
  • Set the option to dnssd or to none (the default value is dnssd cups)
  • Restart cups-browsed

Coverage

• Simone Margaritelli’s blog describing the RCE vulnerability in detail
• Ubuntu blog from Canonical’s security team, published on the day of discolsure
• Brodie Robertson on YouTube about the overhyped security advisory
• ThePrimeTime live session about Simone’s blog
• Ubuntu Security Podcast #238
• Akamai blog about DDoS vulnerability of cups-browsed

Contact us

Stay updated on Mastodon: #OpenPrinting and @till@ubuntu.social.

Or discuss on our mailing lists:

• Development: printing-architecture AT lists DOT linux DOT dev (Archive)
• Users: printing-users AT lists DOT linux DOT dev (Archive)

Subscribing/Unsubscribing instructions

Or on the Telegram OpenPrinting chat