The Common UNIX Printing System, or CUPS, can be abused to remotely execute malicious code on vulnerable endpoints, experts warn.
CUPS is an open-source printing system developed by Apple for Unix-like operating systems, including Linux and macOS. It provides a standardized way to manage print jobs and queues, supporting both local and network printers. CUPS uses the Internet Printing Protocol (IPP) as its primary protocol, allowing seamless printer discovery and job submission over networks. It also includes a web-based interface for managing printers, print jobs and configurations.
Cybersecurity researcher Simone Margaritelli of Evil Socket discovered a problem in the system’s ability to discover new printers. As the researcher explains, CUPS has four vulnerabilities: CVE_2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177. When these vulnerabilities are linked together, threat actors can create a fake, malicious printer and have CUPS discover it.
Roadblocks to exploitation
The moment a user tries to print something with this new device, a malicious command is executed locally on their device.
While it sounds like a major vulnerability, Red Hat deemed it “important” rather than “critical,” and this is mainly because there are a lot of hoops to jump through before the flaw can be exploited for RCE.
The first and largest is that the component called cups-browsed daemon, which searches for shared printers on the local network and enables them to print, must be enabled. The researcher said that sometimes it is disabled by default and sometimes it is enabled.
The second big hoop is getting the victim to choose the new printer that suddenly appears out of nowhere, instead of their usual machine.
Red Hat is currently working on a solution, so a patch is not yet available. However, the simple solution is to prevent the cups-browsed service from running and prevent it from starting on reboot.
Via BleepingComputer