A critical set of unauthenticated Remote Code Execution (RCE) vulnerabilities in CUPS, affecting all GNU/Linux systems and potentially others, was disclosed today. These vulnerabilities allow a remote…
CUPS is installed on the majority of desktop systems. One of the listed CVEs indicates that port 631 is by default open to the local network, so if you connect to any shared network (public WiFi, work/school network, even your home network if another compromised device gets connected to it) you’re exposed. Or a browser flaw or other vulnerability could be exploited to forward a packet to that port.
In other words: While access to port 631 is required first, the severity of the vulnerability lies in how damn easy it is to take over a system after that. And the system can be re-compromised any time you print something, making this a persistent vector.
Exploitation involves sending a malicious UDP packet to port 631 on the target, directing it to an attacker-controlled IPP server. The system’s cups-browsed service then connects back, fetching printer attributes, which include malicious PPD directives. When a print job starts, these directives execute, allowing the attacker’s code to run on the target system.
…it seems the exploit can be triggered either remotely through your CUPS instance listening on port 631, or locally by interacting with a malicious/compromised print server.
So if I understand correctly, shutting down that port wouldn’t be enough by itself. You would also have to keep your system from initiating contact with such a server, such as by using a public printer, or conceivably even just browsing printers at a cafe/business/school. I haven’t read the exploit details, so I don’t know which interactions are safe, if any.
So CUPS has to be installed and port 631 exposed for this to be an issue?
CUPS is installed on the majority of desktop systems. One of the listed CVEs indicates that port 631 is by default open to the local network, so if you connect to any shared network (public WiFi, work/school network, even your home network if another compromised device gets connected to it) you’re exposed. Or a browser flaw or other vulnerability could be exploited to forward a packet to that port.
In other words: While access to port 631 is required first, the severity of the vulnerability lies in how damn easy it is to take over a system after that. And the system can be re-compromised any time you print something, making this a persistent vector.
Gotcha CUPS installed by default + no firewall by default = really not great.
Based on this…
…it seems the exploit can be triggered either remotely through your CUPS instance listening on port 631, or locally by interacting with a malicious/compromised print server.
So if I understand correctly, shutting down that port wouldn’t be enough by itself. You would also have to keep your system from initiating contact with such a server, such as by using a public printer, or conceivably even just browsing printers at a cafe/business/school. I haven’t read the exploit details, so I don’t know which interactions are safe, if any.