Affected Software: Several components of the CUPS printing system, specifically cups-browsed, libppd, libcupsfilters, and cups-filters, in versions up to 2.0.1.
Discovered By: Simone Margaritelli (@evilsocket)
Impact: Allows remote code execution on the affected system.
What’s the Problem?
This vulnerability stems from how the CUPS system discovers printers on a network. The issue lies in the cups-browsed component, which automatically adds printers by scanning the network. Unfortunately, it doesn’t verify whether the discovered printer is legitimate or not. This lack of verification allows an attacker to inject a malicious printer into the system, which can then execute arbitrary commands.
Here’s how it works:
- Printer Discovery: The cups-browsed service looks for printers using two protocols: UDP (on port 631) and DNS-SD/mDNS. It can receive responses from untrusted sources, even outside the local network, if exposed to the internet.
- No Security Checks: Once a printer is discovered, cups-browsed automatically contacts it and fetches its properties. These properties are saved to a temporary file without any validation or sanitization.
- Malicious Printer Properties: An attacker can trick the system by setting specific printer properties, such as printer-privacy-policy-uri, to include malicious code. This unsanitized data is saved into the temporary printer configuration file.
- Code Execution: When a print job is sent to the malicious printer, the system executes the attacker’s code. This can be as simple as running a shell command that creates a file or, in more severe cases, opens the door to full system compromise.
How an Attacker Can Exploit It
An attacker can take advantage of this vulnerability by either:
- Remote Attack: If the target system’s UDP port 631 is exposed to the internet, an attacker can remotely inject a malicious printer.
- Local Network Attack: If the attacker is on the same network as the victim, they can use mDNS to perform the attack.
Once the malicious printer is added to the system, any print job sent to it can trigger the execution of arbitrary commands.
Example Exploit Scenario
- The attacker sets up a fake printer on the network, configured to respond with malicious data.
- cups-browsed discovers the printer, automatically adds it, and saves its configuration without performing any checks.
- When the victim sends a print job, the attacker’s commands are executed on the target system, allowing them to take control.
Fixing the Vulnerability
To mitigate this issue:
- Disable Unnecessary Printer Discovery: If you don’t need network printer discovery, consider disabling it by turning off cups-browsed or blocking port 631 on your firewall.
- Apply Patches: The CUPS maintainers have been notified, and patches are likely to be released soon. Regularly check for updates and security patches from your distribution’s package manager.
- Network Segmentation: Ensure that printers are on a separate, trusted network, and that port 631 is not exposed to the public internet.
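To check a host against the discovery and port 631 mitigations above, the following added example (not from the original advisory or the CUPS project) classifies UDP port 631 listeners from ss output and reports the active BrowseRemoteProtocols setting from cups-browsed.conf. The BrowseRemoteProtocols directive and the /etc/cups/cups-browsed.conf path are not mentioned on this page, the "last active directive wins" rule is an assumption, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: audit helpers for the cups-browsed mitigations.

# Classify UDP/631 listeners from `ss -H -uln` output on stdin.
# Prints: exposed | loopback-only | closed
udp631_exposure() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /:631$/) {                 # local address:port column
                    seen = 1
                    # anything not bound to 127.x or [::1] is reachable off-host
                    if ($i !~ /^(127\.|\[::1\])/) wide = 1
                    break
                }
            }
        }
        END { print (wide ? "exposed" : (seen ? "loopback-only" : "closed")) }
    '
}

# Report the BrowseRemoteProtocols value from cups-browsed.conf on stdin.
# Commented-out lines are ignored; the last active directive is reported
# (assumption). Prints the lowercased value, or "unset" if none is active.
browse_remote_protocols() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "browseremoteprotocols" {
            $1 = ""; sub(/^[[:space:]]+/, ""); val = tolower($0)
        }
        END { print (val == "" ? "unset" : val) }
    '
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*'
SAMPLE_CONF='# BrowseRemoteProtocols none
BrowseRemoteProtocols dnssd cups'

printf '%s\n' "$SAMPLE_SS"   | udp631_exposure
printf '%s\n' "$SAMPLE_CONF" | browse_remote_protocols

# Live use on a host:
#   ss -H -uln | udp631_exposure
#   browse_remote_protocols < /etc/cups/cups-browsed.conf
```

A result of "exposed" means the listener is bound beyond loopback, so firewall rules and network segmentation are the only things keeping untrusted hosts from reaching it.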
Conclusion
This vulnerability in CUPS could allow an attacker to run arbitrary code on your system simply by adding a malicious printer. It highlights the importance of sanitising network input and controlling access to network services like printers. Keep an eye out for security updates, and consider adjusting your printer settings if you’re using CUPS in a vulnerable environment.