Critical vulnerability with CVSS score 9.9 discovered in GNU/Linux

Recently, a critical vulnerability was reported that threatens all GNU/Linux systems and allows code to be executed remotely without authentication. The issue affects vendors such as Canonical and Red Hat, and received a CVSS score of 9.9 out of 10, indicating its severity. Until a patch is released, developers and users are left in a state of uncertainty, fearing the possible consequences.

In this new translation, the Spring IO team provides details on the planned timeline for disclosing the vulnerability and suggests interim measures to protect systems.


Renowned security researcher Simone Margaritelli discovered a critical vulnerability affecting all GNU/Linux systems (and potentially others) that allows unauthenticated remote code execution (RCE). Canonical and Red Hat have confirmed the severity of the vulnerability, giving it a CVSS score of 9.9 out of 10.

Margaritelli reported the vulnerability three weeks ago but did not disclose details, in order to give developers time to fix it. However, at the moment there is still no working patch. Disclosure of the details is planned as follows:

  • September 30: Initial disclosure to the Openwall security mailing list.

  • October 6: Full public disclosure of details of the vulnerability.

The delay in assigning a CVE (Common Vulnerabilities and Exposures) identifier raises questions. Margaritelli believes three to six CVEs should be assigned because of the complexity of the problem.

Canonical and Red Hat have confirmed the high severity of the vulnerability and are working on patches. However, some developers are reportedly debating the impact of certain aspects of the vulnerabilities, which may be contributing to the delay in releasing a patch.

The lack of detailed information leaves both individual users and security experts in a state of heightened anxiety. Without knowing which components, features, or versions are at risk, organizations cannot take proactive measures to protect their systems.

Additionally, the lack of an assigned CVE identifier calls into question the coordination and collaboration between security researchers, vendors, and organizations responsible for maintaining vulnerability registries.

Although a CVSS score of 9.9 indicates critical severity, it is important to approach the situation carefully. Not all high-severity vulnerabilities are easy to exploit in the real world. For example:

  • CVE-2024-7589: This unauthenticated RCE vulnerability in OpenSSH, originally rated 9.8, was later revised to 8.1 because of the difficulty of exploiting it.

  • CVE-2024-38063: This RCE vulnerability in the Windows TCP/IP stack, rated 9.8, received a lot of attention, but after careful analysis by security experts it was found to be very difficult to exploit.

These examples highlight the importance of detailed technical analysis to fully understand the impact of a vulnerability.

While awaiting full disclosure of the vulnerability and subsequent patches, users and administrators should:

  • Follow updates from reliable sources and wait for official announcements from the developers.

  • Strengthen existing security measures, such as firewalls and intrusion detection systems.

  • Be prepared to quickly install patches when they become available.

UPD 1:

September 26: Newly discovered vulnerabilities in CUPS, a popular print server used on Linux and other platforms, have raised concerns among security experts. The vulnerabilities, discovered by Simone Margaritelli, affect CUPS on a variety of operating systems, including Linux distributions, BSD variants, Oracle Solaris and Google ChromeOS, and could allow remote attackers to take control of affected systems. The CVEs involved, CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177, require administrators to act immediately.

Margaritelli described in detail in a blog post how these bugs allow a remote, unauthenticated attacker to replace the URLs of existing IPP (Internet Printing Protocol) printers or install new malicious ones. The danger is that arbitrary commands are executed on the victim's machine when a print job is started on such a printer.

What makes this vulnerability even more alarming is that exploitation can occur remotely over the public Internet with a single UDP packet to port 631, if that port is reachable through the network firewall. Attacks from inside local networks are also possible, where attackers can spoof zeroconf, mDNS or DNS-SD advertisements.

Although the Linux kernel is not affected, the CUPS print server is widely used on a variety of systems, increasing the potential impact. At the time of this update there is no patch available for Linux that addresses the issue, leaving many systems vulnerable.

To exploit these vulnerabilities, the following conditions are required:

  • The cups-browsed service must have been manually enabled or started.

  • The attacker must have access to the vulnerable system through:

    • Unrestricted access from the public Internet (UDP port 631 reachable), or

    • Access to an internal network where local connections are considered trusted.

  • The attacker runs a malicious IPP server, which causes a fake printer to be created on the victim's machine.

  • A user on the victim's machine sends a print job to the malicious printer.

  • The attacker uses this capability to execute arbitrary code on the victim's machine.

This chain of events leads to remote code execution, which could allow attackers to steal sensitive information or damage critical systems. What is even more alarming is that the attack requires no interaction on the victim's part other than sending a print job, relying on trust within the local network or on public exposure of the service.
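The first step of the chain above is a browse announcement arriving on UDP port 631 whose printer URI points at a server the attacker controls. The following detection script is an added example and is not code from the original article, from Margaritelli or from OpenPrinting. It assumes the legacy CUPS browsing datagram layout ("<type> <state> <uri> [quoted location, info and make-model fields]", with type and state in hexadecimal), which is the format cups-browsed accepts when BrowseRemoteProtocols includes cups; the allowed print-server networks and the sample datagrams are constructed for the example.

```python
"""Flag legacy CUPS browse announcements (UDP/631) that advertise printers
outside the networks where real print servers live.

Added example, not code from the article, Margaritelli or OpenPrinting.
Assumptions (not from the article):
  - datagram layout: "<type-hex> <state-hex> <uri> [\"location\" \"info\" \"make-model\" ...]"
  - ALLOWED_NETS is a constructed site policy; adjust it to your print VLANs.
"""
import ipaddress
import shlex
import socket
from dataclasses import dataclass, field
from urllib.parse import urlsplit

UDP_PORT = 631
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed policy

# Constructed sample datagrams: one benign, one pointing at an external host.
BENIGN = b'0 3 ipp://10.1.2.3:631/printers/floor2 "Floor 2" "Floor 2 printer" "Brother"'
MALICIOUS = b'0 3 ipp://192.0.2.10:631/printers/evil "Office" "HP LaserJet" "HP"'


@dataclass
class Announcement:
    ptype: int
    state: int
    uri: str
    fields: list = field(default_factory=list)


def parse_announcement(datagram: bytes) -> Announcement:
    """Split a browse datagram into type, state, URI and the quoted text fields."""
    text = datagram.decode("utf-8", errors="replace").strip()
    head = text.split(None, 2)
    if len(head) < 3:
        raise ValueError("too few fields for a CUPS browse packet")
    ptype, state, rest = head
    rest_parts = rest.split(None, 1)
    uri = rest_parts[0]
    quoted = shlex.split(rest_parts[1]) if len(rest_parts) > 1 else []
    return Announcement(int(ptype, 16), int(state, 16), uri, quoted)


def suspicious_reasons(ann: Announcement, src_ip: str, allowed=None) -> list:
    """Return the reasons an announcement looks like an injected printer (empty if none)."""
    allowed = ALLOWED_NETS if allowed is None else allowed
    reasons = []
    parts = urlsplit(ann.uri)
    if parts.scheme not in ("ipp", "ipps"):
        reasons.append(f"non-IPP scheme {parts.scheme!r}")
    host = parts.hostname
    if host is None:
        reasons.append("URI has no host")
        return reasons
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname forces a DNS/mDNS lookup the attacker may also control.
        reasons.append(f"hostname {host!r} instead of a known print-server address")
        return reasons
    if not any(addr in net for net in allowed):
        reasons.append(f"printer host {host} is outside the allowed print networks")
    if addr != ipaddress.ip_address(src_ip):
        # Weak heuristic: real servers normally announce their own address.
        reasons.append(f"URI host {host} differs from packet source {src_ip}")
    return reasons


def listen(port: int = UDP_PORT) -> None:
    """Honeypot-style listener: only usable once cups-browsed is stopped,
    since cups-browsed itself binds UDP/631. Needs privileges for port 631."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            try:
                ann = parse_announcement(data)
            except ValueError as exc:
                print(f"[{src}] unparseable browse packet: {exc}")
                continue
            reasons = suspicious_reasons(ann, src)
            verdict = "SUSPICIOUS" if reasons else "ok"
            print(f"[{src}] {verdict} {ann.uri} {'; '.join(reasons)}")


if __name__ == "__main__":
    for pkt, src in ((BENIGN, "10.1.2.3"), (MALICIOUS, "192.0.2.10")):
        ann = parse_announcement(pkt)
        print(ann.uri, suspicious_reasons(ann, src) or "ok")
```

Feeding the same parser with datagrams captured by tcpdump (`tcpdump -nn -i any udp port 631 -A`) gives the same verdicts without binding the port; the listener is only for hosts on which cups-browsed has already been stopped.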

Red Hat, one of the organizations whose systems are affected by this group of vulnerabilities, has published a detailed response. Red Hat classifies the severity of these vulnerabilities as "Important", while clarifying that RHEL systems are not vulnerable in their default configuration.

To check if your system is at risk, Red Hat recommends checking the cups-browsed status:

$ sudo systemctl status cups-browsed

If the output shows "Active: inactive (dead)", the exploit vector is not present on the system. However, if cups-browsed is running (or is enabled and will start on boot) and the BrowseRemoteProtocols directive in /etc/cups/cups-browsed.conf includes "cups", the system is vulnerable.
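The check above can be scripted so it can be run across a fleet. The following script is an added example, not code from the article or from Red Hat, and it assumes the output format of `systemctl status`, the syntax of cups-browsed.conf (one directive per line, `#` comments) and that the default value of BrowseRemoteProtocols when the directive is absent is "dnssd cups"; the sample status output and configurations are constructed.

```python
"""Classify a host's exposure to the cups-browsed vulnerabilities from
`systemctl status cups-browsed` output and /etc/cups/cups-browsed.conf.

Added example, not code from the article or from Red Hat.
Assumptions (not from the article): systemctl output layout, cups-browsed.conf
syntax, and the default BrowseRemoteProtocols value of "dnssd cups".
"""
import re
import subprocess
from pathlib import Path

CONF_PATH = Path("/etc/cups/cups-browsed.conf")
DEFAULT_BROWSE_REMOTE_PROTOCOLS = ("dnssd", "cups")  # assumed upstream default

# Constructed sample inputs for the example and its tests.
STATUS_RUNNING = """\
cups-browsed.service - Make remote CUPS printers available locally
     Loaded: loaded (/usr/lib/systemd/system/cups-browsed.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-09-26 09:00:00 UTC; 2h ago
"""
STATUS_DEAD = """\
cups-browsed.service - Make remote CUPS printers available locally
     Loaded: loaded (/usr/lib/systemd/system/cups-browsed.service; disabled; preset: disabled)
     Active: inactive (dead)
"""
STATUS_DEAD_BUT_ENABLED = STATUS_DEAD.replace("; disabled;", "; enabled;")
CONF_DEFAULT = "# BrowseRemoteProtocols cups\n# nothing set: the default applies\n"
CONF_HARDENED = "BrowseRemoteProtocols dnssd   # legacy CUPS browsing removed\n"

VERDICTS = {
    "exposed": "cups-browsed is running and accepts legacy CUPS browse packets on UDP 631",
    "reduced": "cups-browsed is running but BrowseRemoteProtocols excludes cups",
    "enabled-not-running": "cups-browsed is stopped but enabled; it will start on the next boot",
    "not-exposed": "cups-browsed is neither running nor enabled",
}


def browse_remote_protocols(conf_text: str) -> tuple:
    """Protocols from the last effective BrowseRemoteProtocols line (or the default)."""
    protocols = DEFAULT_BROWSE_REMOTE_PROTOCOLS
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() == "browseremoteprotocols":
            protocols = tuple(p.lower() for p in parts[1:])
    return protocols


def unit_is_active(status_output: str) -> bool:
    m = re.search(r"^\s*Active:\s*(\S+)", status_output, re.MULTILINE)
    return bool(m) and m.group(1) == "active"


def unit_enable_state(status_output: str) -> str:
    """'enabled', 'disabled', 'masked', ... from the Loaded: line; 'unknown' if absent."""
    m = re.search(r"^\s*Loaded:[^(]*\([^;]*;\s*([\w-]+)", status_output, re.MULTILINE)
    return m.group(1) if m else "unknown"


def assess(status_output: str, conf_text: str) -> str:
    """Return one of the VERDICTS keys for the given status output and config."""
    if unit_is_active(status_output):
        if "cups" in browse_remote_protocols(conf_text):
            return "exposed"
        return "reduced"
    if unit_enable_state(status_output).startswith("enabled"):
        return "enabled-not-running"
    return "not-exposed"


if __name__ == "__main__":
    # Live check on the current host; systemctl exits non-zero for inactive units,
    # so the return code is deliberately ignored and only the text is used.
    status = subprocess.run(["systemctl", "status", "cups-browsed"],
                            capture_output=True, text=True).stdout
    conf = CONF_PATH.read_text() if CONF_PATH.exists() else ""
    verdict = assess(status, conf)
    print(f"{verdict}: {VERDICTS[verdict]}")
```

Note that the "reduced" verdict only covers the UDP browse-packet entry point; a running cups-browsed still processes mDNS/DNS-SD announcements, so on a hostile LAN stopping the service remains the stronger mitigation.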

To protect systems from these vulnerabilities, administrators are advised to stop the cups-browsed service with the following command:

$ sudo systemctl stop cups-browsed

Additionally, to prevent the service from starting on reboot, it is important to run:

$ sudo systemctl disable cups-browsed

Blocking traffic on UDP port 631: If disabling cups-browsed is not possible, blocking inbound traffic on UDP port 631 reduces the risk.

$ sudo iptables -A INPUT -p tcp --dport 631 -j DROP
$ sudo iptables -A INPUT -p udp --dport 631 -j DROP

The UDP rule is the one that covers the cups-browsed exposure. The TCP rule additionally blocks inbound IPP and web-interface access to the local CUPS server, so omit it on hosts that other machines print through. Note that these rules are not persistent across reboots unless saved with the distribution's tooling, and IPv6 traffic needs matching ip6tables rules.

In environments where printing is not required, these steps should be completed immediately to reduce the risk of attack. Red Hat and other vendors in the Linux community are actively working on patches to address the vulnerabilities; until they ship, disabling cups-browsed is the best protection measure, after which the CUPS packages should be updated as soon as fixed versions become available.

UPD 2:

Margaritelli's proof-of-concept (PoC) for CVE-2024-47176 was published with the GitHub security advisory for cups-browsed. Another PoC, based on a commit in the OpenPrinting CUPS repository, was also published on GitHub.

As of September 26, Shodan.io showed more than 75,000 internet-accessible hosts running CUPS. The FOFA search engine found more than 270,000 unique IP addresses, of which almost 70,000 exposed IPP directly. This indicates a significant number of internet-reachable hosts, most of which use the default port 631.

All vulnerability reports and bugs:

OpenPrinting has also started publishing fixes:
