If you’ve somewhat followed Linux-related online discussions recently, you may have heard that a significant Linux security vulnerability was set to be announced.
And now, it has been revealed: a critical remote code execution vulnerability within the CUPS printing system, which ships in most leading Linux distributions including Ubuntu, as well as Chrome OS. Rated at 9.9 for severity, it teeters on the brink of the highest possible threat level.
The specifics?
“Essentially, the vulnerability can be exploited by manipulating CUPS to create an attacker-specified PPD (PostScript Printer Description) file for a printer, which includes a random command,” Canonical mentions in its security blog.
“Whenever the next print job is sent to the printer in question, the command will be executed as the lp user (this is the user that the CUPS daemon runs as and, barring other exploitable vulnerabilities, would not have escalated privileges).”
Many significant security flaws that make headlines are specific to certain hardware or setups, or require physical access by a malicious individual to exploit.
So I’m reading this and thinking: “no worries! nobody’s going to manipulate the printing service on my computer without my knowledge…”
However, Simone Margaritelli, who discovered this vulnerability and struggled to have it acknowledged, illustrates in a detailed blog post that it’s possible to do this discreetly, remotely, and without authentication.
On the internet, “a remote attacker sends a UDP packet to port 631 with no need for authentication,” or on a LAN, “employing spoofed zeroconf / mDNS / DNS-SD advertisements.”
Red Hat details the process step-by-step:
- The cups-browsed service must be manually enabled or initiated
- An attacker gains access to an exposed server, which either:
  - Is openly accessible, such as via the internet, or
  - Obtains entry to a secure internal network where local connections are presumed secure
- An attacker announces a hostile IPP server, setting up a malicious printer
- A prospective victim sends a print job to the compromised printer
- The attacker then executes arbitrary code on the victim’s computer
And this vulnerability has existed for… years? Astounding.
But don’t panic!
The first piece of positive news is that if you are behind a firewall or NAT router that blocks the compromised port, you most likely were never at risk.
The second piece of good news is that Canonical’s security team has released critical security updates for the cups-browsed, cups-filters, libcupsfilters, and libppd packages. These updates are being distributed to all supported Ubuntu versions today.
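To see where a machine stands on the two preconditions above (cups-browsed running, and UDP port 631 reachable from beyond the machine itself), here is a small triage script. It is an added example, not code from Canonical, Red Hat or the original post; the function names and the sample `ss` output are made up for illustration.

```shell
#!/bin/sh
# Added example: classify who can reach a host's UDP 631 listener.

# Constructed sample of `ss -lun` output (not captured from a real host).
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*'

# classify_udp631: reads `ss -lun` output on stdin and prints one line per
# UDP 631 listener: "exposed <addr>" or "loopback <addr>".
classify_udp631() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:631$/) {   # local address column; the peer column ends in ":*"
                host = substr($i, 1, length($i) - 4)
                if (host ~ /^127\./ || host ~ /^\[::1\]/)
                    print "loopback " host
                else
                    print "exposed " host   # wildcard or routable bind
                break
            }
        }
    }'
}

# verdict: $1 = output of `systemctl is-active cups-browsed`,
# stdin = `ss -lun` output. Prints a single-word result.
verdict() {
    listeners=$(classify_udp631)
    if [ "$1" != "active" ] && [ -z "$listeners" ]; then
        echo "not-running"
    elif printf '%s\n' "$listeners" | grep -q '^exposed '; then
        echo "reachable"            # still needs a firewall or the patched packages
    elif [ -n "$listeners" ]; then
        echo "loopback-only"
    else
        echo "running-no-listener"
    fi
}

# Live check, run only when invoked as: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    state=$(systemctl is-active cups-browsed 2>/dev/null || true)
    ss -lun | verdict "$state"
fi
```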
The linked discussion is important to read for additional information and perspective. While Canonical’s updates provide reassurance, Simone, the discoverer of the vulnerability, points out the challenge in getting acknowledgement of the issue from those affected by it in the first place.
Even if the flaw is gaping wider than a muppet’s mouth.
Regarding CUPS, he states: “I’ve examined and compromised sufficient of this codebase to eliminate any CUPS service, binary, and library from my systems and forsake printing via a UNIX system forever. Additionally, I’m eradicating all zeroconf / avahi / bonjour listeners.”
No doubt, numerous experts are dissecting and detailing this topic on social media platforms. If you’re eager to dive deeper, I would suggest searching for ‘CUPS,’ though bear in mind, I was an internet user back in 2006, so…perhaps not.
So, proceed to update your systems with the security enhancements released by Canonical (installations are likely automatic if unattended updates are activated), then reboot your computer to ensure all elements function seamlessly.
Next time I send something to print from Ubuntu I may just double-check my system processes once the job is done…