Critical printing system bugs affect hundreds of thousands of Linux machines


Linux systems running CUPS (Common Unix Printing System) are vulnerable to a critical exploit that enables attackers to run code remotely.

Security researcher Simone Margaritelli disclosed several unpatched vulnerabilities affecting Linux systems.

“A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP (Internet Printing Protocol) URLs with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer),” the researcher said in a report.


Some initial assessments indicated a severity score of 9.9 out of 10. NIST’s National Vulnerability Database assigned scores ranging from 8.6 to 9 out of 10.

Margaritelli warns that at least 200-300,000 unique Internet-facing systems could become targets. The CUPS components are widespread, and the vulnerabilities affect most GNU/Linux distributions and some other UNIX systems.

The researcher recommends disabling and removing the cups-browsed service (it is responsible for discovering new printers and automatically adding them to the system), and updating the CUPS package.

“In case your system can’t be updated and for some reason you rely on this service, block all traffic to UDP port 631 and possibly all DNS-SD traffic.”
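The check below is an added example, not code from the researcher or the CUPS project: it classifies a host by whether anything listens on UDP port 631 beyond loopback and whether `cups-browsed` is still running. The function names and the sample listener lines are constructed for illustration, and the live mode assumes a systemd host with the iproute2 `ss` tool.

```shell
#!/bin/sh
# Added example (not from the article): flag hosts where UDP 631 is reachable
# beyond loopback or cups-browsed is still running.

# Constructed samples in `ss -H -lun` format, not captured from a real host.
SAMPLE_EXPOSED='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 [::]:5353 [::]:*'
SAMPLE_LOOPBACK='UNCONN 0 0 127.0.0.1:631 0.0.0.0:*
UNCONN 0 0 [::1]:631 [::]:*'

# Read ss-style listener lines on stdin; print each local address bound to
# UDP port 631 that is not loopback-only.
exposed_631_listeners() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:631$/) {            # first match is the local socket
                addr = $i
                sub(/:631$/, "", addr)
                if (addr !~ /^127\./ && addr !~ /^\[::1\]/) print addr
                break
            }
        }
    }'
}

# $1 = output of `systemctl is-active cups-browsed`; stdin = listener lines.
verdict() {
    if [ -n "$(exposed_631_listeners)" ]; then
        echo "exposed"
    elif [ "$1" = "active" ]; then
        echo "running-not-exposed"
    else
        echo "ok"
    fi
}

# Live check, only when called with --live (assumes systemd and iproute2 ss).
if [ "${1:-}" = "--live" ]; then
    state=$(systemctl is-active cups-browsed 2>/dev/null || true)
    result=$(ss -H -lun | verdict "$state")
    echo "cups-browsed: ${state:-unknown}, UDP 631: $result"
    if [ "$result" != "ok" ]; then
        echo "mitigate: systemctl disable --now cups-browsed"
        echo "or block: iptables -I INPUT -p udp --dport 631 -j DROP"
    fi
fi
```

Run it with `--live` on the host being audited; without that argument it only defines the functions and samples.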

The author also criticized the CUPS developer community for dismissing the issues and their severity, which led to public disclosure.

According to NIST, the four vulnerabilities in `cups-browsed` can be part of an exploit chain leading to remote code execution (RCE).

“This chain of exploits ultimately enables an attacker to execute arbitrary commands remotely on the target machine without authentication when a print job is started. This poses a significant security risk over the network. Notably, this vulnerability is particularly concerning as it can be exploited from the public internet, potentially exposing a vast number of systems to remote attacks if their CUPS services are enabled,” the vulnerability description reads.
