Pwned by Your Printer: Simone Margaritelli Warns of a Serious Security Vulnerability in CUPS
A simple UDP packet is enough to take control of a printer in CUPS, executing the code of the attacker's choice.
Security researcher Simone Margaritelli has discovered serious security vulnerabilities in the Common UNIX Printing System (CUPS) — allowing for remote code execution over a network on Linux and BSD distributions with CUPS installed and enabled.
"A remote unauthenticated attacker can silently replace existing printers' (or install new ones) IPP [Internet Printing Protocol] URLs with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer)," Margaritelli explains of the core of the problem. "A remote attacker [just] sends a UDP packet to port 631. No authentication whatsoever."
CUPS is, as the name suggests, used to allow local and network printing on UNIX-like systems. Originally developed by Easy Software Products and adopted by Apple in 2002 for Mac OS X, it's the most common printing system on operating systems other than Microsoft Windows and is used on Linux, BSD, Solaris, and other platforms — making a security flaw that allows for unauthenticated remote code execution severe indeed, with Margaritelli's discovery rated at 9 out of 10 for severity.
"This thing is packaged for anything, in some cases it's enabled by default, in others it's not, go figure," Margaritelli writes. "Full disclosure, I’ve been scanning the entire public internet IPv4 ranges several times a day for weeks, sending the UDP packet and logging whatever connected back. And I’ve got back connections from hundreds of thousands of devices, with peaks of 200-300k concurrent devices."
Margaritelli considers the flaw severe enough to "remove any CUPS service, binary and library from any of my systems and never again use a UNIX system to print" — but others are downplaying the vulnerability, while patches to close the hole have already been released. "In general," writes "senior technophilosopher" Xe Iaso on his blog, "your servers should not be vulnerable to this. Your desktops may be." Johannes Ullrich at the SANS Internet Storm Center, meanwhile, recommends filtering UDP traffic on port 631 — which will block attacks from outside the local network even on an unpatched system.
More details on the vulnerability and its discovery — including a responsible disclosure process that Margaritelli describes as "broken" and which he has said he will not be following for future vulnerabilities — are available on Margaritelli's blog. Those running CUPS on their systems are advised to remove it if they do not require printing support, or to check for a patch, while also ensuring UDP port 631 is not accessible over the internet.
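The two mitigations above (confirm whether anything is bound to UDP 631, and filter that port so only the local network can reach it) can be turned into a small audit script. The following is an added example for this article, not code from Margaritelli, CUPS, or the SANS ISC; it assumes a Linux host with iproute2's `ss` and either nftables or iptables, the trusted subnet is a placeholder you substitute for your printer LAN, and the `ss` listing embedded in it is constructed so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the article: audit whether this host exposes UDP 631
# and emit firewall rules that implement the "filter UDP 631" mitigation.
# Assumes Linux with iproute2 `ss` and nftables or iptables.

# Constructed sample in the shape of `ss -H -ulnp` output (no header line):
# State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_EXPOSED='UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=1234,fd=8))
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=400,fd=13))'
SAMPLE_CLEAN='UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=400,fd=13))'

# udp631_listening LISTING -> prints "yes" if any UDP socket in LISTING is
# bound to port 631 on any address, otherwise "no".
udp631_listening() {
    if printf '%s\n' "$1" | awk '$4 ~ /:631$/ { found = 1 } END { exit found ? 0 : 1 }'; then
        echo yes
    else
        echo no
    fi
}

# udp631_wide_open LISTING -> "yes" only if port 631 is bound to a wildcard
# address (0.0.0.0, *, [::]), i.e. reachable on every interface.
udp631_wide_open() {
    if printf '%s\n' "$1" | awk '$4 ~ /^(0\.0\.0\.0|\*|\[::\]):631$/ { found = 1 } END { exit found ? 0 : 1 }'; then
        echo yes
    else
        echo no
    fi
}

# filter_rules TRUSTED_CIDR -> prints nftables commands that accept UDP 631
# from TRUSTED_CIDR (an IPv4 printer LAN; placeholder for the example) and drop
# it from everywhere else, IPv4 and IPv6 alike. Pipe to `sh` as root to apply.
filter_rules() {
    cat <<EOF
nft add table inet cups_guard
nft add chain inet cups_guard input '{ type filter hook input priority 0; policy accept; }'
nft add rule inet cups_guard input ip saddr $1 udp dport 631 accept
nft add rule inet cups_guard input udp dport 631 drop
EOF
}

# Same intent for hosts still administered with iptables (IPv4 only).
filter_rules_iptables() {
    printf 'iptables -I INPUT -p udp --dport 631 ! -s %s -j DROP\n' "$1"
}

# audit_host -> runs the live check on this machine. Returns 0 when nothing is
# bound to UDP 631, 1 when something is (so the caller can decide to remove
# CUPS, patch it, or apply filter_rules), 2 when `ss` is unavailable.
audit_host() {
    listing=$(ss -H -ulnp 2>/dev/null) || { echo "ss not available" >&2; return 2; }
    if [ "$(udp631_listening "$listing")" = yes ]; then
        echo "UDP 631 is bound on this host:" >&2
        printf '%s\n' "$listing" | awk '$4 ~ /:631$/'
        return 1
    fi
    echo "no listener on UDP 631"
    return 0
}

# Run the live audit only when invoked as `sh cups_guard.sh --audit`, so that
# sourcing the file for its functions has no side effects.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

The socket check is deliberately separated from the live `ss` call so the same parser can be fed a saved listing from another host; the nftables rules accept the trusted subnet before the drop rule, so ordinary printer discovery on the LAN keeps working while packets from outside it, the path the article describes, are discarded.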
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.