
New Cups Exploit Makes Desktop Linux Users Particularly Vulnerable — Update Now

By taking advantage of four separate vulnerabilities, an attacker can take control of a Linux system without having physical access to the targeted machine.


A vulnerability that Red Hat is flagging as “important” and Canonical is recommending that Ubuntu users “update as soon as possible” was announced on Thursday. Involved are four CVEs that, when combined, form a high-impact exploit chain involving Cups — the printing system used by Linux and other Unix-like operating systems.

The exploit was made public by Simone Margaritelli, who discovered the issue and evidently had a bit of trouble getting anyone to take his find seriously at first.

“Quoting one of the first comments from the guy who literally wrote the book about Cups, while trying to explain to me why this is not that bad: ‘I am just pointing out that the public internet attack is limited to servers that are directly connected to the internet,’” he said.

Patches Are Here — Except When They’re Not

Canonical has already issued a patch, which means that patches are available for Ubuntu and all of its official spins, and should be available for any other Ubuntu-derived distributions as well. I can verify that Linux Mint has made a patch available through its update manager.

So far, Red Hat has not issued a patch but has posted instructions for mitigating the vulnerability on its website. Rocky Linux, being a line-by-line clone of Red Hat Enterprise Linux, is taking the same approach as Red Hat.

“RedHat has not released a patch yet and because Rocky is 1:1 compatible with RHEL, no updates are available yet,” Gregory Kurtzer, founder of Rocky Linux and founder and CEO of CIQ, told me in reply to an email. “Both Rocky and RHEL are only moderately affected and mostly in non-default configurations. CIQ has been in communication with our customer base and we have provided mitigation instructions for systems that might be affected.”

I’ve also emailed AlmaLinux, the other major RHEL clone, which has been patching some vulnerabilities that Red Hat ignores since it swapped being a line-by-line clone for feature parity about a year ago.

“We are still considering it, but the demand from our community is not yet strong,” a spokesperson said, and indicated that the distro’s maintainers are watching to see if Red Hat issues a patch — which it still might do since its community distro Fedora will likely get a patch.

As this is a breaking story, other distros might already have patches issued or in the works as well, so users of other systems should keep an eye on their distro’s update system.

How the Exploit Works

In a blog on Canonical’s website, security engineering manager Luci Stanescu explained that the vulnerability is exploited by tricking Cups into generating a PostScript Printer Description (PPD) file for a printer that the attacker controls and which contains an arbitrary command. After that, when the next print job is sent to that printer, the command will be executed as the lp user, which is the user that the Cups daemon runs as and which normally wouldn’t have escalated privileges.

This can be accomplished over the internet by using a legacy UDP-based protocol to register a new printer with a malicious PPD file. To accomplish this, an attacker would need to send a UDP datagram to port 631, handled by cups-browsed, on the target host, an attack vector that a firewall or NAT router can protect against.
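As an added example (not from the article, Canonical or Red Hat), a small audit script that checks the two conditions the passage describes on a host: whether cups-browsed still has its legacy UDP browse protocol enabled, and whether anything is bound to UDP port 631. The config path and the BrowseRemoteProtocols directive are cups-browsed's defaults; the sample config and /proc/net/udp text are constructed.

```python
"""Audit a Linux host for cups-browsed exposure to remote printer announcements."""
import re
from pathlib import Path
from typing import Optional

CUPS_BROWSED_CONF = Path("/etc/cups/cups-browsed.conf")  # cups-browsed default path
PROC_NET_UDP = Path("/proc/net/udp")                     # IPv4 UDP sockets (udp6 for IPv6)
IPP_PORT = 631


def browse_remote_protocols(conf_text: str) -> set:
    """Protocols enabled by BrowseRemoteProtocols; cups-browsed defaults to
    'dnssd cups' when the directive is absent. 'cups' is the legacy UDP protocol."""
    protocols = {"dnssd", "cups"}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"BrowseRemoteProtocols\s+(.*)", line, re.IGNORECASE)
        if m:                                          # last directive wins
            protocols = set(m.group(1).lower().split()) - {"none"}
    return protocols


def udp_listen_ports(proc_udp_text: str) -> set:
    """Local ports from /proc/net/udp; column 2 is hex 'address:port'."""
    ports = set()
    for line in proc_udp_text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) >= 2:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def audit(conf_text: Optional[str], proc_udp_text: str) -> list:
    """Return findings; conf_text=None means cups-browsed.conf is absent (not installed)."""
    findings = []
    if conf_text is not None and "cups" in browse_remote_protocols(conf_text):
        findings.append("legacy UDP browse protocol enabled via BrowseRemoteProtocols")
    if IPP_PORT in udp_listen_ports(proc_udp_text):
        findings.append("UDP/631 is bound: host accepts remote printer announcements")
    return findings


# Constructed sample inputs, not captured from a real host.
SAMPLE_CONF = "# BrowseRemoteProtocols dnssd cups\nBrowseRemoteProtocols dnssd cups\n"
SAMPLE_PROC_UDP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000   985        0 12345 2\n"
)

if __name__ == "__main__":
    conf = CUPS_BROWSED_CONF.read_text() if CUPS_BROWSED_CONF.exists() else None
    udp = PROC_NET_UDP.read_text() if PROC_NET_UDP.exists() else ""
    for finding in audit(conf, udp) or ["no cups-browsed exposure found"]:
        print(finding)
```

A host that is bound on UDP/631 but already patched is not vulnerable; the port check measures reachability, which is why Red Hat's and Canonical's mitigation guidance centres on stopping cups-browsed and filtering that port rather than on the listener alone.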

One Comment

  1. Eddie G., September 28, 2024

    I mean a LOT of the document-handling for most users?..are PDF and File based. In other words there are SOME people (not all mind you!) that would “print” a document / receipt / bill?…to a PDF and then save it to their machine. I’m wondering if this hack still works in that instance? Hmm…will have to do some digging to find out.
