Experts have raised concerns that the Common UNIX Printing System (CUPS) could be exploited to run harmful code on vulnerable devices from a distance.
CUPS is an open-source printing system created by Apple that works with Unix-like operating systems, such as Linux and macOS. Its purpose is to manage print jobs and queues efficiently, allowing users to print on both local and networked printers. CUPS primarily uses the Internet Printing Protocol (IPP), which makes it easier to find printers and submit print jobs over a network. It also has a web interface for users to manage their printers and print settings.
Cybersecurity researcher Simone Margaritelli from Evil Socket has identified a serious flaw in how CUPS finds new printers. He uncovered four specific vulnerabilities in the system, known as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177. When these vulnerabilities are exploited together, they allow hackers to set up a fake printer that CUPS will recognize.
When a user tries to print something using this fake printer, it triggers a malicious command that runs on their device.
Despite the potential risks, Red Hat, a major Linux distribution, has labeled this issue as ‘important’ rather than ‘critical.’ This is mainly because there are several steps that must be taken before hackers can take advantage of the flaw to run code remotely.
The first hurdle is that a component called the cups-browsed daemon, which searches for printers on the local network and enables them for use, must be activated. Sometimes, this component is turned off by default, while other times it is turned on.
The second challenge is convincing the user to select this newly discovered printer instead of their regular one, which is typically familiar to them.
Currently, Red Hat is working on a fix for this issue, but there isn’t a patch available yet. In the meantime, a straightforward way to protect against this vulnerability is to disable the cups-browsed service and ensure it doesn’t start automatically when the device is rebooted.
