noodls browser compatibility check

The security settings of your browser are blocking the execution of scripts.

To use noodls, javascript support must be enabled. Please change your browser's security settings to enable javascript.

If you have changed your browser's security settings, you can click here.

related announcements

News

Technology

SonicWALL Inc.

10/04/2024 | Press release | Distributed by Public on 10/05/2024 02:14

Linux CUPS Printing Systems Multiple Vulnerabilities

Overview

The SonicWall Capture Labs threat research team became aware of multiple bugs leading to remote code execution in a CUPS-browsed system, assessed its impact, and developed mitigation measures. CUPS (Common Unix Printing System) is an open-source standard printing system for many Unix-like operating systems, such as GNU/Linux distributions and macOS. Despite being included, CUPS is not always enabled by default on some systems, such as Red Hat. Upon activation, it allows a computer to function as a print server, managing print jobs and queues and supporting network printing through the Internet Printing Protocol (IPP).

Identified as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, & CVE-2024-47177, CUPS-browsed versions before 2.0.1 allow an unauthenticated threat actor to achieve unauthenticated arbitrary code execution using open print job via IPPServer when chained together. Considering that a publicly available proof of concept (PoC) code exists for this vulnerability and the popularity of CUPS-browsed systems among threat actors, exploitation is more likely to occur in the next several months. On the local network, an attacker can spoof zeroconf, mDNS, or DNS-SD advertisements to achieve the same exploit path, leading to remote code execution. Users are strongly encouraged to stop and disable the cups-browsed service and/or port 631,if it is not needed as per the advisory.

Technical Overview

The chain of vulnerabilities arises from a flaw in how the application allows random connections with a random URL on UDP port 631. Out of the whole CVE chain, CVE-2024-47146 is a loophole, where cups-browsed as a part of the CUPS system allows anyone to discover new printers and automatically add them to the system. This binding occurs on UDP port 631 without notifying or consenting the user, as shown in Figure 1.

[Link]

Figure 1: CVE-2024-47146

Once the exploit sends the random URL on UDP port 631 to the victim, as shown in Figure 1, the attacker's machine is automatically displayed in the victim printer's list. After that, the attacker must wait for the victim to print any file using the attacker's printer, which is already on the victim's printer list.

Due to CVE-2024-47076, the function cfGetPrinterAttributes5 does not validate the IPP attributes returned from an IPP server, allowing an attacker to inject a malicious payload along with the attributes. Further chaining it with CVE-2024-47175, the function ppdCreatePPDFromIPP2 does not validate the IPP attributes when writing them to a temporary Postscript Printer Description (PPD) file, allowing an attacker to write malicious payload in the PDD.

Finally, CVE-2024-47177 allows the execution of the specified arbitrary command (echo 1 > /tmp/I_AM_VULNERABLE) in the FoomaticRIPCommandLine parameter when a print job is sent to the fake printer.

[Link]

Figure 2: Arbitrary code Injection in CUPS system

Exploitation

Exploiting this vulnerability allows the remote threat actor to execute arbitrary code on the server as a system. It has a severe impact on the system's confidentiality, integrity, and availability of the system and does not require user interaction.

We leveraged publicly available Poc to achieve remote code execution on CUPS system 2.0.1. Exploitation of the vulnerabilities requires sending a malicious UDP packet to port 631 on the target, directing it to an attacker-controlled IPP server. The system's cups-browsedservice then connects back, fetching printer attributes, which include malicious PPD directives. When a print job starts, these directives execute, allowing the attacker's code to run on the target system, as seen in Figure 3.

[Link]

Figure 3: CUPS RCE

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

IPS: 20394 CUPS Get-Printer-Attributes IPP Request
IPS: 20380 CUPS foomatic-rip Command Injection

Remediation Recommendations

Administrators should ensure that a host-based firewall is running secure affected UDP port 61. Red Hat users can configure Firewalld, and Ubuntu users can configure ufw (which is disabled by default). Users should stop and disable the cups-browsed service if it is not needed.

Relevant Links

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.

Sharing and Personal Tools

Please select the service you want to use:

Back

View original format