Securityaffairs

CUPS flaws allow remote code execution on Linux systems under certain conditions

  • Security researcher Simone Margaritelli has disclosed an unpatched vulnerability affecting Linux systems. Margaritelli had announced plans to disclose, within two weeks, an unauthenticated remote code execution (RCE) vulnerability affecting all GNU/Linux systems. The issue received a critical rating and a CVSS score of 9.9. However, no CVE had been assigned and no one was working to resolve it.
  • The vulnerability chain involves four vulnerabilities, including IPP attribute sanitisation, command execution, and packet trust issues. By exploiting these vulnerabilities together, a remote unauthenticated attacker can execute arbitrary code, leading to the theft of sensitive data and damage to critical production systems.
  • To execute the attack, the attacker needs to gain access to a vulnerable server, either through unrestricted public internet access or by gaining access to an internal network where local connections are trusted. The attacker then attempts to print from the compromised device to execute arbitrary code on the victim's machine.
  • The vulnerabilities are yet to be addressed by CUPS developers, who have reportedly admitted that the vulnerabilities cannot be easily fixed. The CUPS security team suggests some temporary mitigation measures, which include running two commands to disable vulnerable services or blocking all traffic to UDP port 631 and DNS-SD traffic.
  • Red Hat cautioned that a chain of these vulnerabilities could lead to remote code execution, resulting in data theft or damage to critical production systems. The issues were rated as having Important severity impact. While all versions of RHEL are affected, it is important to note that affected packages are not vulnerable in their default configuration.
  • Margaritelli disclosed the technical details and a PoC exploit of this vulnerability on September 26th, 2024. According to the researcher, the disclosure followed a poor response to responsible disclosure.
  • For temporary mitigation, users can run two commands that stop the vulnerable cups-browsed service and prevent it from starting up again.
  • Margaritelli spent three weeks of his sabbatical working full-time on this research, reporting and coordinating this disclosure to help resolve the issue.
  • The vulnerabilities may allow an unauthenticated remote attacker to achieve arbitrary code execution by replacing IPP URLs with a malicious one.
  • Blocking DNS-SD traffic and all UDP traffic to port 631 can potentially mitigate the attacks.
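
The mitigations above target cups-browsed on UDP port 631 and DNS-SD traffic. As an added example (not from the article or from the CUPS project), this read-only shell check parses `ss -H -uln` output and reports listeners on those ports bound to non-loopback addresses. The systemd unit name `cups-browsed`, UDP 5353 as the mDNS/DNS-SD port, and the sample lines are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the article). Read-only check for the listeners the
# mitigations target: UDP 631 (cups-browsed) and UDP 5353 (mDNS, the DNS-SD
# transport; the port number is background knowledge, not stated on the page).

# Reads `ss -H -uln` lines on stdin and prints "<port> <local-address>" for
# every listener on 631 or 5353 that is bound to a non-loopback address.
exposed_listeners() {
  awk '{
    addr = $4                       # 4th column: Local Address:Port
    n = split(addr, parts, ":")
    port = parts[n]                 # last ":" field, also correct for [::]:631
    host = substr(addr, 1, length(addr) - length(port) - 1)
    if (port != "631" && port != "5353") next
    if (host ~ /^127\./ || host == "[::1]") next   # loopback only: not exposed
    print port, host
  }'
}

# Exit status 0 if stdin shows UDP 631 reachable from off-host, 1 otherwise.
udp631_exposed() {
  exposed_listeners | grep -q '^631 '
}

# Constructed sample input: one host with wildcard listeners, one with only
# loopback listeners.
SAMPLE_BEFORE='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*'
SAMPLE_AFTER='UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
UNCONN 0 0 [::1]:631 [::]:*'

if [ "${1:-}" = "--live" ]; then
  # Inspect this host; nothing is changed.
  systemctl is-active cups-browsed 2>/dev/null || true
  systemctl is-enabled cups-browsed 2>/dev/null || true
  if ss -H -uln | udp631_exposed; then
    echo "UDP 631 is listening on a non-loopback address"
  else
    echo "no non-loopback listener on UDP 631"
  fi
else
  printf '%s\n' "$SAMPLE_BEFORE" | exposed_listeners
fi
```

Run with `--live` on a host to check its actual service state and sockets; without arguments it only classifies the constructed sample.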
