The impact of the September 2024 CUPS CVEs depends on your size

September 26, 2024

The recent information security news is that there is a series of potentially serious issues in CUPS (via). On the other hand, a lot of people think this isn't an exploit with a serious impact because, based on current disclosures, nothing happens until someone prints something to a maliciously added new 'printer' (for example). My opinion is that how serious this issue potentially is for you depends on the size and scope of your environment.

Based on what we know, exploiting this requires the CUPS server (or desktop) to also be running 'cups-browsed', which listens on the network (UDP port 631) for printers that announce themselves. One of the things that cups-browsed does is allow remote printers to register themselves on the CUPS server: you set up your new printer, it announces itself to your local CUPS print server, and everyone can now use it. As part of this registration, the collection of CUPS issues allows a malicious 'printer' to supply server-side data (the CUPS PPD file generated for it) that contains directives which will run attacker-chosen commands on the print server when a print job is sent to this malicious 'printer'. So merely having cups-browsed pick up the 'printer' is not enough; in order to get anything to happen, an attacker needs to get someone to print to it.

In a personal environment or a small organization, this is probably unlikely. Either you know all the printers that are supposed to be there and a new one showing up is alarming, or at the very least you'll probably assume that the new printer is someone's weird experiment or local printer or whatever, and printing to it won't make either you or the owner very happy. You'll take your print jobs off to the printers you know about, and ignore the new one.

(Of course, an attacker with local knowledge could target their new printer name to try to sidestep this; for example, calling it 'Replacement <some existing printer>' or the like.)

In a larger organization, such as ours, people don't normally know all of the printers that are around and don't generally know when new printers show up. In such an environment, it's perfectly reasonable for people to call up a 'what printer do you want to use' dialog, see a printer that's new to them with an attractive name, and use it (perhaps thinking 'I didn't know they'd put a printer in that room, that's conveniently close'). And since printer names that include locations are perpetually misleading or wrong, most of the time people won't be particularly alarmed if they go to the location where they expect the printer (and their print job) to be and find nothing. They'll shrug, go back, and re-print their job to a regular printer they know. By then the attacker's commands have already run on the print server.

(There are rare occasions here where people get very concerned when print output can't be found, but in most cases the output isn't sensitive and people don't care if there's an extra printed copy of a technical paper or the like floating around.)

Larger scale environments, possibly with an actual CUPS print server, are also the kind of environment where you might deliberately run cups-browsed. This could be to enable easy addition of new printers to your print server or to allow people's desktops to pick up what printers were available out there without you needing to even have a central print server.

My view is that this set of CVEs shows that you probably can't trust cups-browsed in general and need to stop running it (or at the very least stop it accepting printer announcements from the network), unless you're very confident that your environment is entirely secure and will never have a malicious attacker able to send UDP packets to cups-browsed.

(I said versions of this on the Fediverse (1, 2), so I might as well elaborate on it here.)
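As an added example that is not part of the original post, here is a small shell script for carrying out the recommendation above on a systemd-based Linux host. It checks whether the cups-browsed service is active, whether anything is bound to UDP port 631 (the socket cups-browsed uses to receive printer announcements), and whether /etc/cups/cups-browsed.conf still has BrowseRemoteProtocols enabled (the cups-browsed directive controlling which network announcements it listens to; when it is absent the daemon's default applies, so absence counts as enabled), and on request stops and masks the service. The ss(8) output and cups-browsed.conf fragments it is checked against are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example (not code from the original post): audit and, on request,
# disable cups-browsed on a systemd-based Linux host. Assumes ss(8) and
# systemctl are available; the ss lines and config fragments used to check
# the parsing functions are constructed, not captured from a real host.

CONF=/etc/cups/cups-browsed.conf

# cups-browsed receives printer announcements on UDP port 631. Read "ss -uln"
# style lines on stdin and succeed if any UDP socket is bound to port 631
# (IPv4 "0.0.0.0:631", IPv6 "[::]:631" or "*:631"); ignore other ports and
# ports that merely start with 631, such as 6311.
udp631_bound() {
    grep -Eq '^UNCONN[[:space:]].*[[:space:]][^[:space:]]*:631([[:space:]]|$)'
}

# Read a cups-browsed.conf on stdin and succeed if the daemon would still
# accept printers announced from the network. Only the last uncommented
# BrowseRemoteProtocols line counts; if there is none, the compiled-in
# default ("dnssd cups") applies, so the directive being absent means enabled.
browse_remote_enabled() {
    val=$(sed -n 's/^[[:space:]]*BrowseRemoteProtocols[[:space:]]\{1,\}//p' | tail -n 1)
    if [ -z "$val" ]; then
        val="dnssd cups"
    fi
    val=$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')
    [ "$val" != none ]
}

# Live audit of this host: returns 0 when nothing cups-browsed-related is
# found, 1 when any check fires.
audit_cups_browsed() {
    rc=0
    if command -v systemctl >/dev/null 2>&1 &&
       systemctl is-active --quiet cups-browsed 2>/dev/null; then
        echo "cups-browsed.service is active"
        rc=1
    fi
    if command -v ss >/dev/null 2>&1 && ss -uln 2>/dev/null | udp631_bound; then
        echo "a UDP socket is bound to port 631 (cups-browsed's browse socket)"
        rc=1
    fi
    if [ -r "$CONF" ] && browse_remote_enabled <"$CONF"; then
        echo "$CONF still enables BrowseRemoteProtocols (network announcements accepted)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "no sign of cups-browsed accepting remote printers on this host"
    fi
    return "$rc"
}

# Remediation (run as root): stop the daemon, keep it from starting at boot,
# and mask the unit so it cannot be started by hand or as a dependency.
# Also turn off remote announcements in the config in case it is ever unmasked.
disable_cups_browsed() {
    systemctl stop cups-browsed
    systemctl disable cups-browsed
    systemctl mask cups-browsed
    if [ -w "$CONF" ]; then
        printf '\nBrowseRemoteProtocols none\n' >>"$CONF"
    fi
}

case "${1:-}" in
    audit)   audit_cups_browsed ;;
    disable) disable_cups_browsed ;;
    *)       echo "usage: $0 audit|disable" >&2 ;;
esac
```

Run it as `sh cups-browsed-audit.sh audit` on any host, and `sh cups-browsed-audit.sh disable` as root where the audit fires. Masking the unit is the step that matters on a machine that is meant to keep cupsd itself: a merely disabled cups-browsed can still be started later, while a masked one cannot. Appending `BrowseRemoteProtocols none` is a fallback for the case where someone unmasks it again.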


Comments on this page:

By karl at 2024-09-27 00:13:37:

I've been thinking for a while that, despite all the complexity of CUPS, most people (home users, I mean) are only using it because that's how one gets one's printer to appear in application "Print" dialogs.

And it's kind of a pain in the ass to deal with. I've gotta have systemd give it a read-only copy of /etc, so it won't reset the permissions of printers.conf and thus break my "/etc in git" setup. Also gotta disable parts like browsed, the TCP listening socket, all privileged operations; ensure its spool is on a tmpfs to avoid leaking potentially-sensitive data; etc.

Ultimately, all it's doing is running some PostScript transformation, appending a PJL header, and dumping the data to a USB port. And I've read that the CUPS people are planning to get rid of the first 2 parts of that workflow. I kind of just want to figure out how to create some minimal "dummy CUPS" to fill up the Print dialogs, and have that program run a simple shell script when I hit print.

Written on 26 September 2024.

Last modified: Thu Sep 26 23:16:58 2024