A new set of remote code execution (RCE) vulnerabilities affecting the Common Unix Printing System (CUPS) in Linux environments has been discovered.
These flaws, rated with a critical CVSS score of 9.9, allow attackers to execute arbitrary code on systems without requiring authentication.
The vulnerabilities, impacting all versions of Enterprise Linux, have been confirmed in Ubuntu Linux 24.04.1, and potentially affect any system running the cups-browsed component.
Security researchers identified the vulnerabilities in CUPS, which handles network printing on Linux and other Unix-based systems. The flaws exploit improper input validation when managing printer requests over the network, particularly through UDP port 631.
By sending a malicious print job from a device they control, attackers can trick the system into installing a compromised printer driver, allowing code execution with the privileges of the lP user.
Systems at Risk
The following systems are affected by this vulnerability:
- Linux servers and desktops running CUPS or cups-browsed
- NAS or VOIP servers that have CUPS installed by default
- Internet-of-Things (IoT) devices configured with CUPS printing services
Although the lP user is not a superuser, various researchers confirmed attackers could use this access to escalate their privileges and infiltrate other parts of the network.
This is a serious concern for enterprises and organizations relying on Linux systems for mission-critical operations.
The vulnerability is particularly concerning as it could be exploited in automated internet-wide scans. Once compromised, attackers could install remote access Trojans (RATs) to maintain control even after patches are applied.
Attack Vector and Exploit Potential
For an attacker to successfully exploit this vulnerability, they would need access to the target system's local network or bypass its firewall protections through a misconfigured firewall rule.
This is uncommon in properly secured environments but remains a significant threat to devices connected to unsecured public networks.
CVE-2024-47176, CVE-2024-47076 and other associated vulnerabilities allow attackers to craft UDP packets directed at the CUPS service, exploiting its inadequate validation of print attributes.
Organizations should take immediate action to assess the exposure of their systems and implement the recommended security measures to mitigate this critical risk.
Mitigation Strategies
To mitigate the risk, security professionals are urged to take the following steps:
- Patch immediately: Apply security updates for CUPS as soon as they are available
- Disable CUPS: If printing services are not required, disable CUPS entirely
- Restrict network access: Block UDP port 631 at the firewall level to prevent unauthorized access
- Update configuration: Add “BrowseDeny All” to the CUPS configuration file to prevent remote printer discovery