Background
Four vulnerabilities in the Common Unix Printing System (CUPS), a common printing utility in many Linux distributions, have been making waves online over the past week – mostly due to its unusual disclosure process and disagreement over its severity and technical details across social media.
One of these vulnerabilities in particular, CVE-2024-47176, drew a lot of attention due to its unofficial severity rating of 9.9 and its description as an “Unauthenticated RCE affecting all GNU/Linux systems” in a post on X by security researcher Simone Margaritelli (@evilsocket) on September 23. In the lead-up to its disclosure, it began drawing comparisons to Heartbleed and Log4Shell in terms of its potential scope and severity for the internet.
After more technical details emerged over the following week, however, it became clear that the actual risk is narrower in scope than originally thought. However, it still presents significant consequences if exploited.
We initially reported on our perspective in our Rapid Response advisory last Friday. Below, we break down the key details of this vulnerability and what you should know and expect.
What Is the Actual Risk?
In simplified terms, CVE-2024-47176 lets attackers exploit the CUPS printing service by sending a specially crafted, unauthenticated packet to its UDP port. This can trick the service into connecting to a malicious printer. If the victim then tries to print something to that printer, the attacker can achieve remote code execution (RCE) on the target system.
It’s important to note that this is not currently considered a zero-click attack, as successful exploitation seems to require user interaction in the majority of cases—specifically, triggering the print job. The researcher who discovered this vulnerability has hinted on social media that exploitation might be possible without user interaction, depending on the target device. While a proof of concept is available, there is limited information about whether this is being actively exploited or what those exploit attempts look like.
Nonetheless, this vulnerability is concerning because if exploited, it could lead to severe consequences, including full system compromise and lateral movement within a network. Moreover, since CUPS is widely used in embedded devices and third-party software, it’s possible that this vulnerability could be leveraged as part of a chain in future attacks that target the same underlying issue.
Measuring the Scope of Vulnerable Systems
There are two primary groups of hosts that are more likely to be targeted by CVE-2024-47176:
- Remote Targets: These are hosts that expose a vulnerable CUPS version (<= 2.0.1) to the public internet while running the affected cups-browsed service. This configuration puts them at risk from remote attackers.
- Local Targets: If an attacker has access to the local network and the CUPS service is configured with mDNS, they can exploit the service over mDNS. However, this configuration raises additional security concerns that go beyond this vulnerability.
There have been notable differences in the counts of affected servers reported by various sources, leading to some confusion. This is mainly because different sources have different measurement methodologies.
Censys, like other internet scanners, looks for CUPS services exposed over TCP.
We see 99,710 hosts exposing IPP services online (filtering out potential honeypots).
Of these, 60,831 hosts indicate that they’re running CUPS.
Of those, 7,171 show indications of running a version of CUPS that is affected by this CVE.
These numbers have shown signs of being an underestimate of the true number of vulnerable hosts, because, interestingly, more CUPS services seem to be accessible over UDP than TCP.
Some independent researchers are scanning directly for this vulnerability by standing up a callback server to mimic a fake printer, then sending crafted UDP packets to see which servers connect back to that fake printer. This is generally the most accurate way to confirm whether or not a server is vulnerable at this time.
While doing the above is not technically an exploit, the methodology is definitely beyond the scope of what Censys was built to do: scan the internet with minimal interaction. Censys focuses on collecting and analyzing data in a manner that prioritizes transparency in its findings.
What Mitigation Steps Should Users Take?
At the time of writing, both Ubuntu and Red Hat have developed patches for this vulnerability, though these are mainly workarounds.
In the absence of a comprehensive patch, the most straightforward remediation is to disable the cups-browsed service using the following commands:
systemctl stop cups-browsed
systemctl disable cups-browsed
If disabling is not an option, blocking all traffic to UDP port 631 can help mitigate risks, although this will not protect against local area network attacks via mDNS.
Generally, print servers do not need to be connected to the public internet.
