Security Linux News OpenSource SRE English DevSecOps

How to fix the Critical 9.9 CVE Linux Vulnerability in CUPS: A Step-by-Step Guide

Nicolás Georger

Sep 29, 2024

How to fix the Critical 9.9 CVE Linux Vulnerability in CUPS: A Step-by-Step Guide

Oh No! Not My Printers! Exploiting CUPS on Linux: A How-to Guide (Just Kidding, Please Patch Your Systems)

Remember those carefree days when the most terrifying thing about printers was running out of ink at 3 AM just before a big deadline? Yeah, me neither. But hold onto your coffee mugs because we're diving headfirst into a pool of vulnerabilities in CUPS, the ubiquitous print server that's about as secure as a screen door on a submarine, apparently.

CUPS: Conveniently Unsecure Printing System?

Simone Margaritelli, the cybersecurity Gandalf, has unearthed a treasure trove of vulnerabilities in CUPS. We're talking CVEs like CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. These aren't your grandma's paper jams, folks. These bad boys could let a remote attacker waltz right into your system and take over faster than you can say "Ctrl+P."

The Exploit: It's Like Printing Malware, But Worse

Here's the lowdown on how this digital dumpster fire unfolds:

cups-browsed, a service that's supposed to make your life easier by browsing for printers, is actually making life easier for attackers. If it's running, you're basically waving a neon sign that says, "Hack me!"
Our attacker buddy, armed with more exploits than a dark web starter pack, only needs access to your network. This could be through the internet (if you're feeling adventurous and left port 631 open) or your local network (because trust is overrated, right?).
They set up a fake printer, slicker than a used car salesman, just waiting for you to take the bait.
You, being the diligent worker bee that you are, send a print job to the new "printer."
Surprise! Instead of your TPS report, you've just given the attacker the keys to the kingdom. They can now execute code on your machine and wreak havoc like a toddler in a china shop.

The Fallout: More Than Just a Papercut

We're talking remote code execution, folks. That means stolen data, compromised systems, and enough potential damage to make your head spin. And the worst part? You don't even need to click a suspicious link or download a dodgy file. Just printing a document is enough to trigger this digital landmine.

Patching Your System: Less Fun Than a Root Canal, But Way More Important

Alright, enough doom and gloom. Let's talk about how to slam the door shut on this vulnerability before it slams shut on you. Those instructions are meant for systemd based distros, AKA Debian, Ubuntu and friends. For other distros, check the links at the bottom.

Step 1: Channel Your Inner Detective

First, check if you're running cups-browsed:

sudo systemctl status cups-browsed

If you see "Active: inactive (dead)," you can breathe a sigh of relief. If not, it's time to roll up your sleeves.

Step 2: Stop the Bleeding

Disable cups-browsed immediately:

sudo systemctl stop cups-browsed

Step 3: Prevention is Key (and Less Stressful)

Make sure cups-browsed stays down for the count:

sudo systemctl disable cups-browsed

Step 4: Build a Firewall (No, Not the Windows Kind)

If you absolutely can't disable cups-browsed, at least block traffic to UDP port 631:

sudo iptables -A INPUT -p tcp --dport 631 -j DROP
sudo iptables -A INPUT -p udp --dport 631 -j DROP

Step 5: Stay Updated (It's Not Just for Your Phone's OS)

Keep your CUPS installation updated. Think of it like showering—do it regularly to avoid becoming a breeding ground for digital parasites.

The Wrap-up: Back to Regularly Scheduled Printer Frustration

So there you have it, folks. The CUPS vulnerability is a stark reminder that even the most mundane technologies can be weaponized. Stay vigilant, keep your systems patched, and maybe consider investing in a carrier pigeon for your printing needs. Just kidding (or am I?).