Potential critical vulnerability in Linux (score of 9.9)

A critical security vulnerability (score of 9.9) has been discovered on Linux. The vulnerability concerns the Linux print server CUPS.

The following CVEs have been assigned to this vulnerability: CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177. Additional CVEs may be added.

 

What we know about the vulnerability

This vulnerability is of type RCE. Exploiting this type of vulnerability enables an attacker to remotely execute system code (computer program) that will impact the attacked system.

Note that the attacker does not need to be authenticated to exploit an RCE vulnerability. In other words, the attack can succeed even if you use a very complex password with the MFA to access the server containing the RCE vulnerability.

 

How to exploit the vulnerability

This RCE vulnerability can be exploited remotely via a UDP packet on port 631 without the attacker being authenticated, if port CUPS/631 is open on the Linux machine and is allowed in your firewall.

Vulnerable Linux versions

  • most GNU/Linux distributions
  • some BSD distributions.
  • Etc.

Details to follow.

 

Considerations for vulnerabilities with a score of 9.9

Since the vulnerability score is very high (9.9 on a scale of 10), this means that:

  • The vulnerability can be exploited remotely.
  • No authentication is required to exploit the vulnerability.
  • The attacker does not need to know the password of the attacked server.
  • The vulnerability can be easily exploited.
  • the impact on the attacked target can be major.

 

Recommendation

  • If you don't need it, disable/uninstall the cups-browsed service on your Linux machines. For example: for RedHat :  
    • to check whether the service is enabled: sudo systemctl status cups-browsed
    • to stop or disable the service: sudo systemctl stop cups-browsed or $ sudo systemctl disable cups-browsed
  • Update CUPS on your systems to the latest version (if you need this service)
  • Block incoming UDP communications to port 631 in your firewall (if you don't need CUPS to be externally accessible).

 

What Streamscan can do to protect you

If you're a Streamscan partner :

  • We have set up a crisis unit to monitor the evolution of this critical vulnerability. We will apply the appropriate response measures.
  • Our DRG/MDR security monitoring team remains vigilant in monitoring your network.

Next steps

  • Additional details are expected for this vulnerability. We will post an update when new information becomes available.