A new set of vulnerabilities was disclosed in a component found on most Linux systems.
Researcher Simone Margaritelli disclosed four vulnerabilities in the Common Unix Printing System (CUPS) and the cups-filters components that ship alongside it which, chained together, allow remote code execution.
CUPS dates from 1999 and has long been the standard print server on Unix-like systems, acting as the common interface between computers and printers. It now ships by default on everything from servers to desktop PCs.
“A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer),” Margaritelli explained.
The four flaws were designated CVE-2024-47176 (cups-browsed accepts printer announcements on UDP port 631 from any source), CVE-2024-47076 (libcupsfilters does not validate the IPP attributes a printer returns), CVE-2024-47175 (libppd writes those unvalidated attributes into a PPD file) and CVE-2024-47177 (foomatic-rip executes the FoomaticRIPCommandLine PPD parameter as a shell command). Each on its own is a limited weakness, but chained they let a remote attacker register a malicious printer on the target and run a command of their choosing the next time someone prints to it.
It is broadly agreed that the chain allows remote code execution, but there is debate about its real-world severity. The most serious of the flaws was given a CVSS score of 9.9.
Some experts consider that rating heavy-handed and the flaws less dangerous in practice than the headlines suggested. Researchers at security company Ontinue pointed out that an attack has several preconditions.
“In order to leverage this vulnerability, an attacker would need to access the vulnerable system from the local network, or access it from the internet through a promiscuous firewall ‘NAT’ rule,” said the Ontinue team.
“In turn, the vulnerable system must be permitted to contact a device (controlled by the attacker) which hosts a malicious printer driver.”
Margaritelli himself played down the flaw’s importance, noting that ratings are not always a reflection of real-world danger.
“I’m not an expert, and I think that the initial 9.9 was mostly due to the fact that the RCE is trivial to exploit and the package presence so widespread,” the researcher said.
“Impact-wise, I wouldn’t classify it as a 9.9,” said Margaritelli. “But then again, what the hell do I know?”
Ratings aside, Linux users and administrators should apply their distribution’s updates for cups-browsed, cups-filters, libcupsfilters and libppd, disable or remove cups-browsed wherever printer auto-discovery is not needed, and make sure UDP port 631 is not reachable from untrusted networks.
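As an added example (not code from the article, the researcher or the CUPS project), the following POSIX shell audit checks the two preconditions Ontinue describes on a host: whether cups-browsed’s BrowseRemoteProtocols setting still accepts “cups” browse packets, and whether anything is bound to UDP port 631 on a non-loopback address. It assumes the directive name and its compiled-in default of “dnssd cups” match your cups-browsed build and that ss is available for the live check; the configuration lines and socket listing embedded in it are constructed samples, not output captured from a real machine.

```sh
#!/bin/sh
# cups-browsed exposure audit. Added example, not CUPS project code.
# Assumptions: cups-browsed honours the BrowseRemoteProtocols directive and
# defaults it to "dnssd cups" when the directive is absent; "ss -lun" prints
# one socket per line with the local address in the form addr:port.

# browse_exposure: read a cups-browsed.conf on stdin and print "exposed" if
# the effective BrowseRemoteProtocols still accepts "cups" browse packets
# (the UDP/631 announcements the CVE-2024-47176 chain starts with),
# otherwise "hardened".
browse_exposure() {
    # drop comments, keep the last directive (last one wins), strip the
    # keyword and lower-case the protocol list
    protos=$(sed 's/#.*//' \
        | grep -i '^[[:space:]]*BrowseRemoteProtocols[[:space:]]' \
        | tail -n 1 \
        | awk '{ $1 = ""; print tolower($0) }')
    # no directive at all means the compiled-in default, which includes cups
    [ -z "$protos" ] && protos="dnssd cups"
    for p in $protos; do
        if [ "$p" = "cups" ]; then
            echo exposed
            return 0
        fi
    done
    echo hardened
}

# udp631_listening: read "ss -lun" output on stdin; succeed (exit 0) if some
# socket is bound to UDP 631 on anything other than a loopback address, i.e.
# reachable from the LAN or through a forwarded port.
udp631_listening() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:631$/ && $i !~ /^(127\.|\[::1\])/) found = 1
    } END { exit !found }'
}

if [ "$1" = "--live" ]; then
    # real host: read the installed config and the kernel's socket table
    browse_exposure < /etc/cups/cups-browsed.conf
    if ss -lun | udp631_listening; then
        echo "UDP 631 bound on a non-loopback address"
    else
        echo "UDP 631 not reachable from the network"
    fi
else
    # constructed samples so the script runs offline: a stock config, a
    # hardened one, and a socket listing with cups-browsed bound to all
    # interfaces
    printf 'BrowseRemoteProtocols dnssd cups\n' | browse_exposure
    printf 'BrowseRemoteProtocols none\n'       | browse_exposure
    printf 'UNCONN 0 0 0.0.0.0:631 0.0.0.0:*\n' | udp631_listening \
        && echo "sample listing: UDP 631 bound on a non-loopback address"
fi
```

Run it with `--live` on a host to check the installed configuration; without arguments it evaluates the constructed samples only. A config with no BrowseRemoteProtocols line is reported as exposed on purpose, because the default accepts cups browse packets, and a socket bound only to 127.0.0.1 or [::1] is deliberately not counted as reachable.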