A critical vulnerability with a CVSS score of 9.9 has been discovered in GNU/Linux

A critical vulnerability has recently been discovered that threatens all GNU/Linux systems, allowing remote code execution without authentication. The issue affected companies such as Canonical and Red Hat and received a CVSS rating of 9.9 out of 10, confirming its severity. Until the patch is released, developers and users are in a state of uncertainty, fearing the possible consequences.

The new translation from Spring AiO provides details on the timing of disclosure of vulnerability details and offers temporary measures to protect systems.

Renowned security researcher Simone Margaritelli has discovered a critical vulnerability affecting all GNU/Linux systems (and potentially others) that allows unauthenticated remote code execution (RCE). Canonical and Red Hat have confirmed the severity of the vulnerability, giving it a CVSS score of 9.9 out of 10.

Margaritelli reported the vulnerability three weeks ago but did not disclose details, to give developers time to fix it. However, at the moment there is no working patch yet. Disclosure of the vulnerability details is planned as follows:

  • September 30: Mail to the Openwall security list.

  • October 6: Full public disclosure of vulnerability details.

The delay in assigning a Common Vulnerabilities and Exposures (CVE) identifier raises questions. Margaritelli believes that three to six CVEs should be assigned due to the complexity of the problem.

Canonical and Red Hat have confirmed the high severity of the vulnerability and are working on patches. However, some developers are reportedly in dispute over the impact of certain aspects of the vulnerabilities, which may contribute to the delay in the release of the patch.

The lack of detailed information leaves both individual users and security experts in a state of heightened anxiety. Without knowing exactly which components, features or versions are at risk, organizations cannot take proactive measures to protect their systems.

In addition, the lack of an assigned CVE identifier calls into question the coordination and interaction between security researchers, vendors, and organizations responsible for maintaining vulnerability registries.

Although a CVSS score of 9.9 indicates critical severity, it is important to approach the situation with caution. Not all high-severity vulnerabilities are easy to exploit in real-world environments. For example:

  • CVE-2024-7589: The RCE-over-SSH vulnerability, originally rated 9.8, was later downgraded to 8.1 due to the difficulty of exploiting it.

  • CVE-2024-38063: The Windows RCE vulnerability, rated 9.8, received a lot of attention, but after careful analysis by security experts it was found to be very difficult to exploit.

These examples highlight the importance of detailed technical analysis to fully understand the impact of a vulnerability.

Pending full disclosure of the details of the vulnerability and subsequent patches, users and administrators should:

  • Stay tuned for updates from reliable sources and wait for official announcements from developers.

  • Strengthen current security measures: firewalls, intrusion detection systems.

  • Be prepared to quickly install patches as they become available.

UPD 1:

September 26 – Newly discovered vulnerabilities in CUPS, a popular print server used on Linux and other platforms, have raised concerns among security experts. The vulnerabilities, discovered by Simone Margaritelli in CUPS and affecting various operating systems, including Linux distributions, BSD variants, Oracle Solaris, and Google Chrome OS, could allow remote attackers to take control of systems. For the CVEs CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, administrators are encouraged to act immediately.

Margaritelli detailed in his blog how these flaws allow a remote, unauthenticated attacker to replace existing printers’ Internet Printing Protocol (IPP) URLs or install new malicious ones. The danger is that arbitrary commands can be executed on the victim’s machine when it runs a print job.

What makes this vulnerability even more alarming is that exploitation can occur remotely over the public Internet via a simple UDP packet to port 631, if that port is open on the network firewall. Attacks inside local networks are also possible, where attackers can forge zeroconf, mDNS or DNS-SD announcements.

Although the Linux kernel is not affected, the CUPS print server is widely used in various systems, increasing the potential impact. There is currently no patch available for Linux that addresses this issue, leaving many systems vulnerable.

The following conditions are necessary to exploit these vulnerabilities:

  • The cups-browsed service must be enabled or started manually.

  • An attacker must have access to a vulnerable system through:

    • Unrestricted access from the public Internet, or

    • Access to an internal network where local connections are trusted.

  • An attacker provides a malicious IPP server by creating a fake printer.

  • A user on the victim’s machine sends a print job to the malicious printer.

  • An attacker uses this ability to execute arbitrary code on the victim’s machine.

This chain of events leads to remote code execution, which can allow attackers to steal sensitive information or compromise critical systems. Even more alarming, the attack can occur without any interaction other than the victim sending a print job, relying on local network trust or using public access points.

Red Hat, one of the organizations whose systems were affected by this group of vulnerabilities, published a detailed response. Red Hat classifies the severity of these vulnerabilities as “Important”, although it specifies that RHEL systems are not vulnerable in their default configuration.

To see if your system is at risk, Red Hat recommends checking the cups-browsed status:

$ sudo systemctl status cups-browsed

If the output shows “Active: inactive (dead)”, the system is not vulnerable. However, if cups-browsed is running or enabled and the BrowseRemoteProtocols directive in its configuration includes “cups”, the system is vulnerable.
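The check just described, turned into a small script (an added example, not part of the original post or of Red Hat's guidance): the verdict is a pure function of the service state and the configuration text, so it can be run against constructed input; the live section at the end feeds it real systemctl output. The config path /etc/cups/cups-browsed.conf and the verdict strings are this example's assumptions.

```shell
#!/bin/sh
# Decide whether a host matches the vulnerable condition described above:
# cups-browsed active or enabled AND BrowseRemoteProtocols listing "cups".

# Print the last effective (non-comment) BrowseRemoteProtocols value in $1, if any.
browse_remote_protocols() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*[Bb]rowse[Rr]emote[Pp]rotocols[[:space:]]\{1,\}//p' |
        tail -n 1
}

# assess CONFIG_TEXT ACTIVE_STATE ENABLED_STATE
#   ACTIVE_STATE  : output of `systemctl is-active cups-browsed`  (active|inactive|...)
#   ENABLED_STATE : output of `systemctl is-enabled cups-browsed` (enabled|disabled|...)
# Prints one verdict: not-vulnerable | vulnerable | check-default
assess() {
    cfg=$1; active=$2; enabled=$3
    # Service neither running nor set to start at boot: the safe case from the text.
    if [ "$active" != active ] && [ "$enabled" != enabled ]; then
        echo not-vulnerable; return 0
    fi
    protos=$(browse_remote_protocols "$cfg")
    if [ -z "$protos" ]; then
        # Directive absent or only commented out: the compiled-in default applies,
        # which this script does not assume; flag it for manual review.
        echo check-default; return 0
    fi
    # Match "cups" as a whole word in the space-separated, case-insensitive list.
    if printf '%s\n' "$protos" | tr 'A-Z' 'a-z' | grep -qw cups; then
        echo vulnerable
    else
        echo not-vulnerable
    fi
}

# Live check against the running host (assumed config path).
live_check() {
    cfg=$(cat /etc/cups/cups-browsed.conf 2>/dev/null)
    active=$(systemctl is-active cups-browsed 2>/dev/null)
    enabled=$(systemctl is-enabled cups-browsed 2>/dev/null)
    assess "$cfg" "$active" "$enabled"
}
```

Run `live_check` on a host to get a single verdict; a result of check-default means the directive is not set explicitly and the service's default should be confirmed by hand.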

To protect systems against these vulnerabilities, administrators are advised to stop the cups-browsed service with the following command:

$ sudo systemctl stop cups-browsed

Additionally, to prevent the service from starting on reboot, it’s important to:

$ sudo systemctl disable cups-browsed

Block traffic to UDP port 631: If disabling cups-browsed is not possible, blocking all traffic to UDP port 631 can reduce the risk.

$ sudo iptables -A INPUT -p tcp --dport 631 -j DROP
$ sudo iptables -A INPUT -p udp --dport 631 -j DROP

In an environment where printing is not required, these steps should be taken immediately to reduce the risk of an attack. Red Hat and other vendors in the Linux community are actively working on patches to address the vulnerabilities, but until then, disabling cups-browsed and updating CUPS are the best defenses.

UPD 2:

Margaritelli has developed a Proof-of-Concept (PoC) for CVE-2024-47176, which is available in a GitHub Advisory. There was also another PoC based on a commit in the OpenPrinting CUPS repository published on GitHub.

As of September 26th, Shodan.io showed over 75,000 Internet-accessible hosts running CUPS. The FOFA search engine identified more than 270,000 unique IP addresses, of which nearly 70,000 are directly associated with IPP. This indicates a significant number of hosts accessible from the Internet, most of which use the standard port 631.

All vulnerability and bug reports:

OpenPrinting has also started publishing fixes:
