No more ‘PrintNightmare’: Close Linux CUPS security gaps correctly – so that the printer does not become a gateway

Nobody is perfect – not even Linux. You may still have an undiscovered security vulnerability on your system that allows attackers to penetrate the network via your printers. Here’s how you can avoid a CUPS disaster.

What is the CUPS vulnerability?

In September 2024, several critical vulnerabilities were discovered in the Common UNIX Printing System (CUPS for short). These allow attackers to execute malicious code on Linux systems under certain conditions. These vulnerabilities affect all Linux derivatives and various components of CUPS.

The vulnerabilities are known as CVE-2024-47076 (‘libcupsfilters’), CVE-2024-47175 (‘libppd’), CVE-2024-47176 (‘cups-browsed’) and CVE-2024-47177 (‘cups-filters’). Although there are several vulnerabilities, the press referred to ‘the CUPS vulnerability’, i.e. in the singular.

The CUPS vulnerability in Linux is comparable to the Windows vulnerability CVE-2021-1675 (‘Windows Print Spooler Remote Code Execution Vulnerability’), which also became known as ‘PrintNightmare’.

‘The Devil Wears Paper’: What a CUPS attack looks like

Is a gap in the TCP protocol the problem? No! In this case, attackers can send specially crafted, unauthenticated packets to UDP port 631. This triggers the CUPS service to establish a connection to a ‘fake printer’.

If an employee in a company then sends a print job to this supposed printer, the attacker achieves remote code execution (RCE) and can penetrate the system. CUPS thus becomes a gateway, which can result in serious damage (data theft, data encryption, etc.), at least if the attacked system is weakly protected and not located in an isolated environment.

CUPS vulnerabilities: What countermeasures are available?

According to press reports, tens of thousands of companies worldwide were affected by the CUPS vulnerability and its consequences. As is so often the case, this attack surface can be easily avoided. These simple measures will help:

System Hardening
For System Hardening in general and Linux Hardening in particular, the following rule always applies: all services that are not required must be deactivated. In this case, this means that on systems where no print service is absolutely necessary, CUPS must be switched off completely in order to reduce the potential attack vectors.

Firewalls and segmentation
Exposed ports such as UDP 631 must be protected as quickly as possible. A company network should also always be divided into separate segments so that attackers cannot spread at all, or only very slowly, in the event of a compromise.

Regular system updates
Shortly after IT security specialist Simone Margaritelli (nicknamed ‘Evil Socket’) publicised the CUPS vulnerabilities he had found on his blog, patches for all common Linux distributions were quickly released. With proper patch management, such known security gaps can therefore be closed quickly.

Constant control
System administrators must keep an eye on which printers are available for selection on their systems. If unknown devices suddenly appear in the company network, the causes should be investigated immediately.

Education and sensitisation
As a general rule, every employee should only use the printer assigned to them in the system and not select other printers without authorisation. IT security training and awareness-raising are advisable so that no one falls into traps such as the CUPS vulnerability.
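The technical measures above (switching off cups-browsed, closing UDP 631 and keeping an eye on the configured print queues) can be checked on a single host with a small script. The following is an added example written for this article; it is not code from the original page or from any FB Pro tool. It parses the output of the standard Linux utilities `ss -lun`, `lpstat -p` and the `BrowseRemoteProtocols` directive of `/etc/cups/cups-browsed.conf`; the sample outputs embedded in it are constructed, and `ALLOWED_PRINTERS` is a placeholder allowlist that each site would replace with its own queue names.

```shell
#!/bin/sh
# Added example, not part of the original article or of any FB Pro tool.
# It checks three of the measures from the text on one Linux host:
#   1. does cups-browsed.conf still allow discovery of remote printers?
#   2. is anything listening on UDP 631 (the cups-browsed browse port)?
#   3. do the configured print queues match an allowlist?
# The parsing functions take text as input so they can be exercised with
# the constructed samples below; live data is only collected when the
# script is started with "--run". ALLOWED_PRINTERS is a placeholder
# allowlist (assumption) that a site would replace with its own queues.

ALLOWED_PRINTERS="${ALLOWED_PRINTERS:-HP_Office}"

# Return 0 if `ss -lun` output contains a UDP socket bound to port 631, else 1.
udp631_listening() {
    printf '%s\n' "$1" | grep -Eq ':631([[:space:]]|$)'
}

# Return 0 if cups-browsed.conf disables discovery of remote printers via an
# uncommented "BrowseRemoteProtocols none" line, else 1.
browse_disabled() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*BrowseRemoteProtocols[[:space:]]+none[[:space:]]*$'
}

# Print every queue in `lpstat -p` output that is not in the space-separated
# allowlist $2. Return 0 if all queues are known, 1 otherwise.
unknown_printers() {
    allow=" $2 "
    status=0
    for name in $(printf '%s\n' "$1" | awk '$1 == "printer" { print $2 }'); do
        case "$allow" in
            *" $name "*) ;;
            *) echo "$name"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample data (not captured from a real host).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*'
SAMPLE_CONF_DEFAULT='# BrowseRemoteProtocols dnssd cups
BrowseRemoteProtocols dnssd cups'
SAMPLE_CONF_HARDENED='BrowseRemoteProtocols none'
SAMPLE_LPSTAT='printer HP_Office is idle.  enabled since Mon 02 Sep 2024 09:00:00 CEST
printer Unknown_Queue is idle.  enabled since Thu 26 Sep 2024 10:12:00 CEST'

# Run the parsers over the constructed samples so the script demonstrates its
# findings without touching the host.
check_samples() {
    udp631_listening "$SAMPLE_SS" && echo "sample: UDP 631 is open"
    browse_disabled "$SAMPLE_CONF_DEFAULT" || echo "sample: default config still discovers remote printers"
    browse_disabled "$SAMPLE_CONF_HARDENED" && echo "sample: hardened config disables discovery"
    unknown_printers "$SAMPLE_LPSTAT" "$ALLOWED_PRINTERS" || echo "sample: the queue(s) above are not on the allowlist"
    return 0
}

# Collect live data with the real system tools (systemctl, ss, lpstat).
audit_live() {
    if command -v systemctl >/dev/null 2>&1; then
        echo "cups-browsed service: $(systemctl is-active cups-browsed 2>/dev/null || true)"
    fi
    if command -v ss >/dev/null 2>&1 && udp631_listening "$(ss -lun)"; then
        echo "WARN: UDP 631 is open; block it at the firewall or stop cups-browsed"
    fi
    if [ -r /etc/cups/cups-browsed.conf ] && ! browse_disabled "$(cat /etc/cups/cups-browsed.conf)"; then
        echo "WARN: remote printer discovery is not disabled in cups-browsed.conf"
    fi
    if command -v lpstat >/dev/null 2>&1 && ! unknown_printers "$(lpstat -p 2>/dev/null)" "$ALLOWED_PRINTERS"; then
        echo "WARN: the queues listed above are not on the allowlist; investigate them"
    fi
}

if [ "${1:-}" = "--run" ]; then audit_live; else check_samples; fi
```

Run without arguments, the script only exercises the constructed samples; with `--run` it reads the live host and prints a WARN line for each measure that is not yet in place. The queue allowlist check is the scriptable form of the "constant control" measure: a queue that is not on the list is exactly the kind of unknown device that should be investigated.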

How do you recognise unhardened systems?

As mentioned at the beginning: ‘Nobody is perfect’ and no system can be 100% secure – not even Linux. You should therefore regularly check whether your operating system is hardened in accordance with CIS, DISA and BSI standards. The quickest way to do this is with AuditTAP. The open source tool checks the Secure Configuration of all common Windows and Linux systems.

You will receive a detailed report as a result. This enables you to recognise whether the configuration has significant deficits or not.

AuditTAP Report: CUPS alert (Image: FB Pro)

Does the report show you a high potential for optimisation? Then you should carry out a professional and sustainable System Hardening. This involves not only closing ‘small’ attack surfaces such as the CUPS gap, but also adjusting hundreds of settings.

➡ To reduce this effort, we recommend using a hardening tool such as Enforce Administrator.

Conclusion

Ever since the Windows ‘PrintNightmare’, it has been clear that the print spooler service should be deactivated on all systems – including Linux. Of course, this only applies if the print function is not absolutely necessary. If a print service is indispensable, the measures mentioned above must be taken. This is the only way to avoid unnecessary security gaps.

How can we help you?

Do you want to learn more about System Hardening and get practical tips on how to configure systems securely? Or would you like to know how you can professionally realise (automated) System Hardening and implement it in your company? Contact us – our experts will be happy to help you!

💬 Contact us!


Images: Freepik Pikaso, FB Pro
