The open-source community took a moment to exhale over the weekend, as security researchers dialed back initial fears of an existential crisis for Linux systems related to critical vulnerabilities in the Common Unix Printing System.
The CUPS vulnerability could allow an attacker to take control of a vulnerable system when a user launches a print job. However, despite initial comparisons to 2021's Log4j crisis, researchers said the level of user interaction made this case far less concerning.
“Celebrity vulnerabilities certainly continue to make an impact in news cycles, but they don’t always overlap with whether they warrant an emergency response from organizations,” Erik Nost, senior analyst at Forrester, said via email.
The flaws, listed as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, can allow an attacker to replace a printer's IPP URL with a malicious one and then execute commands on the affected system.
Security researcher Simone Margaritelli, who goes by the name @evilsocket, had previously discovered the flaws, but moved up the disclosure due to concerns the research findings were not being adequately addressed.
The embargoed plans for public disclosure caused some in the security community to overplay the potential risk of exploitation. Unlike the Log4j crisis, exploiting the CUPS vulnerability requires far more user interaction and multiple steps before an attacker can trigger the exploit.
“Something that was downplayed in the researcher’s write-up is that after planting the malicious printer with the exploit, the code execution payload will only get triggered when a user schedules a print job to the newly added printer,” Yair Mizrahi, senior vulnerability researcher at JFrog, said via email.
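The requirement that a user actually print to the planted queue gives defenders a window: a queue that appeared without being set up by an administrator can be spotted before anyone sends a job to it. The following shell check is an added example, not code from the article or from the CUPS project; it parses `lpstat -v` output and flags `ipp://` or `ipps://` queues whose host is not on a site allowlist (the allowlisted hostnames and the sample output are constructed).

```shell
#!/bin/sh
# Added example (not from the article): flag CUPS print queues whose device
# URI points at an IPP host outside a site allowlist, so that queues planted
# by a rogue "printer" on the network stand out before anyone prints to them.
# Input is what `lpstat -v` prints: "device for <queue>: <uri>".

# Hosts that legitimate queues are expected to point at (assumed, site-specific).
ALLOWED_HOSTS="print01.corp.example print02.corp.example"

# flag_remote_ipp_queues: reads `lpstat -v` lines on stdin and prints
# "<queue> <uri>" for every ipp:// or ipps:// queue whose host is not allowed.
flag_remote_ipp_queues() {
    while IFS= read -r line; do
        case "$line" in
            "device for "*) ;;
            *) continue ;;
        esac
        queue=${line#device for }
        queue=${queue%%:*}           # queue name ends at the first colon
        uri=${line#*: }              # everything after "queue: "
        case "$uri" in
            ipp://*|ipps://*) ;;
            *) continue ;;           # usb://, socket:// etc. are out of scope
        esac
        host=${uri#*://}
        host=${host%%/*}             # drop the path
        host=${host%%:*}             # drop an explicit :port
        allowed=0
        for h in $ALLOWED_HOSTS; do
            [ "$host" = "$h" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s %s\n' "$queue" "$uri"
        fi
    done
}

# Constructed sample of `lpstat -v` output (not real data): one expected
# queue, one local USB queue, and one queue pointing at an unknown host.
SAMPLE='device for office: ipp://print01.corp.example:631/printers/office
device for label: usb://Zebra/ZTC%20GX420d
device for Printer_From_Lan: ipp://192.0.2.44:631/printers/Printer_From_Lan'

# On a live system run: lpstat -v | flag_remote_ipp_queues
printf '%s\n' "$SAMPLE" | flag_remote_ipp_queues
```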
Researchers say better coordination on disclosure could reduce this kind of confusion about the true nature of a vulnerability in the future.
“The researcher’s public frustration is sadly more common than desirable in these types of large, complex remediations,” said Christopher Robinson, chair of the OpenSSF Technical Advisory Council. “Establishing clear expectations and timelines up front as the vulnerability is shared with the project certainly helps reduce this friction and emotions, as everyone has clearly defined goals they are working towards.”
Brian Fox, co-founder and CTO of Sonatype, said that while there may have been a large amount of interaction among researchers about CUPS, it is better to be prepared than to get caught without any protection.
“Thankfully, wide preparations were not needed to prevent Log4Shell-level fallout, but it comes down to being able to prepare even a little bit versus being caught unaware,” Fox said via email. “It’s always better to be warned in advance.”
In 2022, the federal Cyber Safety Review Board issued a report noting that exploitation of Log4j took place at far lower rates than intuitively feared. However, the CSRB called Log4j an “endemic vulnerability” that could take years to fully resolve.