Press "Enter" to skip to content

New Cups Exploit Makes Desktop Linux Users Particularly Vulnerable — Update Now

Last updated on September 30, 2024

By taking advantage of four separate vulnerabilities, an attacker can take control of a Linux system without having physical access to the targeted machine.

Source: Pixabay

A vulnerability that Red Hat is flagging as “important” and Canonical is recommending that Ubuntu users “update as soon as possible” was announced on Thursday. Involved are four CVE’s that when combined form a high-impact exploit chain involving Cups — the printing system used by Linux and other Unix-like operating systems.

The exploit was made public by Simone Margaritelli, who discovered the issue and evidently had a bit of trouble getting anyone to take his find seriously at first.

“Quoting one of the first comments from the guy who literally wrote the book about Cups, while trying to explain to me why this is not that bad: ‘I am just pointing out that the public internet attack is limited to servers that are directly connected to the internet,'” he said.

Patches Are Here — Except When They’re Not

Canonical has already issued a patch, which means that patches are available for Ubuntu and all of its official spins, and should be available for any other Ubuntu-derived distributions as well. I can verify that Linux Mint has made a patch available through its update manager.

So far, Red Hat has not issued a patch but has posted instructions for mitigating the vulnerability on its website. Rocky Linux, being a line-by-line clone of Red Hat Enterprise Linux, is taking the same approach as Red Hat.

“RedHat has not released a patch yet and because Rocky is 1:1 compatible with RHEL, no updates are available yet,” Gregory Kurtzer, founder of Rocky Linux and founder and CEO of CIQ, told me in reply to an email. “Both Rocky and RHEL are only moderately affected and mostly in non-default configurations. CIQ has been in communication with our customer base and we have provided mitigation instructions for systems that might be affected.”

I’ve also emailed AlmaLinux, the other major RHEL clone which has been patching some vulnerabilities that Red Hat ignores since it swapped being being a line-by-line clone for feature parity about a year ago.

“We are still considering it, but the demand from our community is not yet strong,” a spokesperson said, and indicated that the distro’s maintainers are watching to see if Red Hat issues a patch — which it still might do since its community distro Fedora will likely get a patch.

As this is a breaking story, other distros might already have patches issued or in the works as well, so users of other systems should keep an eye on their distro’s update system.

How the Exploit Works

In a blog on Canonical’s website, security engineering manager Luci Stanescu explained the vulnerability is exploited by tricking Cups into generating a PostScript Printer Description file for a printer that the attacker controls and which contains an arbitrary command. After that, when the next print job is sent to the printer the command will be executed as the lp user, which is the user that the Cups daemon runs as, and which normally wouldn’t have escalated privileges.

This can be accomplished over the internet by using a legacy UDP-based protocol to register a new printer with a malicious PPD file. To accomplish this, an attacker would need to send a UDP datagram to port 631, handled by cups-browsed, on the target host, an attack vector that a firewall or NAT router can protect against.

UPDATE — Monday September 30, 2020

Sometime on Friday after this article was published Red Hat released a patch for this vulnerability. On Saturday morning, Gregory Kurtzer told us in an email that the patch would soon be added to Rocky Linux.

Although we haven’t heard from AlmaLinux about this, we assume that now that an official patch has been issued for RHEL, that it will be applied to that distro and made available to its users as well.

One Comment

  1. Eddie G. Eddie G. September 28, 2024

    I mean a LOT of the document-handling for most users?..are PDF and File based. In other words there are SOME people (not all mind you!) that would “print” a document / receipt / bill?…to a PDF and then save it to their machine. I’m wondering if this hack still works in that instance? Hmm…will have to do some digging to find out.

Leave a Reply

Your email address will not be published. Required fields are marked *

Breaking News: