We’ve been here before, haven’t we? Every other week, a new vulnerability with a sky-high CVSS score causes a frenzy. This time, it’s a 9.9 CVSS vulnerability that was billed as a gift to hackers – a remote exploit that would supposedly render all Linux systems defenseless. The announcement of the vulnerability came with the usual pre-launch drama (the announcement date was made public in advance), driving speculation to a fever pitch. But when D-Day arrived, it turned out… well, it wasn’t the catastrophe people feared.

So, what’s the deal with the CUPS daemon, the chain of vulnerabilities, and why doesn’t a 9.9 score always mean you’re doomed?

The Vulnerability: A Chain of Misfortune

First off, it’s not just a single vulnerability. It’s a chain of issues (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177), all revolving around the CUPS print daemon. CUPS (Common UNIX Printing System) is the venerable service that has handled printing on Linux for decades, making sure your system can discover and interact with network printers effortlessly. If you’ve ever been amazed by how a fresh Linux install “magically” shows printers nearby, CUPS is to thank for that.

While printing has always been notoriously painful, Linux, thanks to CUPS, has made it slightly less of a headache. But this convenience comes at a cost. One of the ways CUPS works so well is by trusting devices that identify as printers on the network – without giving them a deep probe. Back in the early 2000s, this might have been fine, but looking at it from a 2024 perspective, it’s an obvious security risk. If CUPS accepts all devices without challenge, what happens if someone spoofs a printer?

You guessed it: CUPS will happily accept it. Whether that fake printer is on the same network or halfway across the globe, as long as a crafted UDP packet hits the CUPS daemon’s open port (UDP 631), it shows up as a valid printer. And here’s where the fun starts.

This is the crux of the issue: through this fake printer, an attacker can execute code as root on a vulnerable system by exploiting the way CUPS interacts with devices. The attacker-controlled “printer” can send carefully crafted data to trick the system into running malicious code with elevated privileges, since CUPS runs with root-level access.

The Sky Is Falling! (Or is it?)

Yes, the vulnerability is remotely exploitable. But no, it’s not the doomsday scenario many made it out to be. The reason? Most Linux server systems don’t even have CUPS running by default. While it’s a regular part of desktop Linux environments, those systems typically aren’t directly exposed to the internet. Now, I’m not saying there aren’t some CUPS daemons dangling out there, waiting to be exploited. A quick scan of the internet on the day of the vulnerability’s disclosure revealed tens of thousands of exposed CUPS instances. But, in most environments, this isn’t an immediate or realistic threat.

There’s another important caveat: the exploit chain doesn’t trigger just by having a fake printer show up. Someone actually has to attempt to print something to it for the attack to succeed. Without that interaction, it’s just a random “printer” sitting on the network. But, as Terry Pratchett wisely wrote, “If you put a large switch in some cave somewhere, with a sign on it saying ‘End-of-the-World Switch. PLEASE DO NOT TOUCH,’ the paint wouldn’t even have time to dry.”

Why the 9.9 Score?

So why the terrifying 9.9 score? It’s a combination of factors. When security experts hear the words “remote code execution,” they tend to assume the worst and inflate the score out of caution. Additionally, the CVSS scoring process is, at times, a bit of a black box, with scores varying depending on the distribution or vendor. For example, some distributions rated this vulnerability as a 9.1, while others went with 9.9, others just decided that some other (random) number was good. The discrepancy lies not in the severity of the actual flaws (they’re the same across the board) but in subjective judgments about how exposed a typical system might be.

And let’s face it: CVE scoring isn’t always as scientific as it appears. Sometimes, it’s influenced by how much noise a vulnerability is expected to generate, or even by organizational interests. The fact that we, as an industry, base so much of our risk management on these numbers is a systemic flaw.

Should You Be Worried?

In most cases, no. If you’re running a server, you probably don’t have CUPS running. If you’re on a desktop system, you shouldn’t be exposing CUPS to the internet in the first place. Either way, blocking UDP port 631 will stop the issue dead in its tracks. Alternatively, you could just disable CUPS if your systems don’t need printing capabilities. And, of course, apply patches as soon as they’re available.

It’s worth noting that this wasn’t so much a bug as it was a “feature” designed in a more innocent time. As security researchers keep probing legacy systems like CUPS, you can expect more quirky flaws like this to surface.

The post The Sky is Falling! (Again) appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Joao Correia. Read the original post at: https://tuxcare.com/blog/the-sky-is-falling-again/