Unauthenticated RCE Flaw Impacts all Linux Systems – Details Revealed
- Source: Vulnerability (cybersecuritynews.com)
Author: Guru Baran
A severe remote code execution (RCE) vulnerability has been uncovered by Simone Margaritelli in the Common Unix Printing System (CUPS), affecting all GNU/Linux systems.
Margaritelli had earlier warned of an unauthenticated RCE flaw affecting all GNU/Linux systems; he has now published the technical details.
The flaw, tracked as four distinct CVEs (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177), allows unauthenticated attackers to execute arbitrary commands on vulnerable systems, posing a significant threat to network security.
“From a generic security point of view, a whole Linux system as it is nowadays is just an endless and hopeless mess of security holes waiting to be exploited.”
A security researcher discovered the vulnerability and detailed the findings in a comprehensive write-up. The researcher identified several critical issues in the CUPS system, including:
- CVE-2024-47176 : The cups-browsed service binds to UDP port 631, trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
- CVE-2024-47076 : The libcupsfilters library does not validate or sanitize IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system.
- CVE-2024-47175 : The libppd library does not validate or sanitize IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data in the resulting PPD.
- CVE-2024-47177 : The cups-filters package allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.
Margaritelli demonstrated how these vulnerabilities can be exploited to achieve remote code execution on a fully patched Ubuntu 24.04.1 LTS system running cups-browsed 2.0.1.
A remote, unauthenticated attacker can silently replace existing printers' IPP URLs (or install new printers) with a malicious one, resulting in arbitrary command execution on the computer when a print job is started.
The vulnerabilities can be exploited over the WAN/public internet by sending a UDP packet to port 631, and on the LAN by spoofing zeroconf/mDNS/DNS-SD advertisements.
Margaritelli scanned the entire public internet IPv4 ranges and received back connections from hundreds of thousands of devices, highlighting the widespread exposure of systems to these vulnerabilities.
According to Shodan, roughly 73k CUPS servers are exposed that accept a custom packet from any untrusted source via UDP port 631.
There are at least 75,000 exposed CUPS daemons on the Internet: https://t.co/8BtEfka9MA pic.twitter.com/ZpwQdmvNCg
— Shodan (@shodanhq) September 26, 2024
The vulnerabilities affect most GNU/Linux distributions, some BSDs, Google Chromium/ChromeOS, Oracle Solaris, and possibly more systems where CUPS, and specifically cups-browsed, is packaged.
The vulnerabilities have been reported to the OpenPrinting project, and some fixes have been pushed, but the researcher expressed frustration with the responsible disclosure process, citing delays and dismissiveness from the developers.
The severity of the vulnerability is underscored by the initial CVSS score of 9.9, estimated by a Red Hat engineer.
While the researcher acknowledges that the impact may not warrant a 9.9 score, the ease of exploitation and widespread presence of the vulnerable package makes it a critical issue.
Recommendations
- Disable and remove the cups-browsed service
- Update the CUPS packages as security updates become available
- If unable to update, block UDP port 631
- Also, consider blocking off DNS-SD, too
In light of these findings, users are advised to disable and remove the cups-browsed service if not needed, update the CUPS package on their systems, and block all traffic to UDP port 631 and DNS-SD traffic.
Margaritelli also recommends removing all CUPS services, binaries, and libraries from systems and avoiding the use of zeroconf/avahi/bonjour listeners.
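The following script is an added example (not from the article, from Margaritelli's write-up, or from the OpenPrinting project) that turns the recommendations above into something an administrator can run: it checks whether a UDP 631 listener is reachable from the network, lists the FoomaticRIPCommandLine entries in installed PPDs so the command CUPS would execute for each printer can be reviewed (the sink named in CVE-2024-47177), and, with `--apply`, disables and masks cups-browsed and drops inbound UDP 631 and 5353 (mDNS, which carries the DNS-SD advertisements). It assumes a systemd host with `ss(8)`, either nft or iptables for filtering, and the Debian/Ubuntu package name `cups-browsed` for the removal step; the `/etc/cups/ppd` path is the default PPD directory on those distributions.

```shell
#!/bin/sh
# Added example: audit and mitigation helpers for the cups-browsed exposure.
# Assumptions: systemd host with ss(8); nft or iptables; Debian/Ubuntu
# package name "cups-browsed"; PPDs live under /etc/cups/ppd.
set -u

# Return 0 if the given `ss -lunp` output shows a UDP socket bound to port 631
# on anything other than loopback, i.e. reachable from the LAN or WAN.
udp631_exposed() {
  printf '%s\n' "$1" | awk '
    $1 == "UNCONN" {
      n = split($4, p, ":")
      port = p[n]
      host = substr($4, 1, length($4) - length(port) - 1)
      if (port == "631" && host != "127.0.0.1" && host != "[::1]") found = 1
    }
    END { if (found) exit 0; exit 1 }'
}

# Print every FoomaticRIPCommandLine entry in one PPD with file:line so an
# operator can review the command CUPS would run for that printer. Legitimate
# foomatic PPDs carry this keyword too; the point is to inspect its value,
# particularly in PPDs generated for printers discovered by cups-browsed.
ppd_rip_commands() {
  awk -v f="$1" 'index($0, "*FoomaticRIPCommandLine") == 1 { print f ":" NR ": " $0 }' "$1"
}

# Number of PPDs in a directory (default /etc/cups/ppd) that carry the keyword.
ppd_rip_count() {
  dir="${1:-/etc/cups/ppd}"
  n=0
  for f in "$dir"/*.ppd; do
    [ -f "$f" ] || continue
    grep -q '^\*FoomaticRIPCommandLine' "$f" && n=$((n + 1))
  done
  echo "$n"
}

# Apply the mitigations: stop and mask cups-browsed, remove the package where
# apt is present, and drop inbound UDP 631 and 5353. Blocking 5353 also stops
# all other mDNS/zeroconf discovery on this host.
mitigate() {
  systemctl disable --now cups-browsed
  systemctl mask cups-browsed
  if command -v apt-get >/dev/null 2>&1; then
    apt-get remove -y cups-browsed
  fi
  if command -v nft >/dev/null 2>&1; then
    nft add table inet cups_guard
    nft add chain inet cups_guard input '{ type filter hook input priority 0; policy accept; }'
    nft add rule inet cups_guard input udp dport '{ 631, 5353 }' drop
  elif command -v iptables >/dev/null 2>&1; then
    iptables -I INPUT -p udp --dport 631 -j DROP
    iptables -I INPUT -p udp --dport 5353 -j DROP
  fi
}

case "${1:-}" in
  --audit)
    if udp631_exposed "$(ss -lunp 2>/dev/null)"; then
      echo "a UDP 631 listener is bound to a non-loopback address (cups-browsed?)"
    else
      echo "no UDP 631 listener reachable from the network"
    fi
    for f in /etc/cups/ppd/*.ppd; do [ -f "$f" ] && ppd_rip_commands "$f"; done
    ;;
  --apply)
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    mitigate
    ;;
esac
```

Run `sh cups_guard.sh --audit` first; `--apply` needs root and is deliberately not the default. Removing the listener is the fix for CVE-2024-47176 itself; the firewall rules only cover the case where the package cannot be removed yet, and the LAN vector via spoofed DNS-SD is only closed by dropping mDNS as well.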