Recent discoveries have unveiled two significant vulnerabilities within the Linux Common Unix Printing System (CUPS), potentially compromising millions of systems worldwide. These flaws, identified as CVE-2025-58364 and CVE-2025-58060, threaten the core printing infrastructure integral to nearly all Linux distributions, posing substantial risks to network security.
Key Highlights:
1. Two Critical CUPS Vulnerabilities Impact All Linux Systems: The identified vulnerabilities affect the CUPS framework, a fundamental component in Linux systems, making all distributions susceptible.
2. Potential for Service Disruption and Unauthorized Access: Exploitation of these flaws could lead to widespread service interruptions and unauthorized administrative access.
3. Immediate Mitigation Measures Recommended: Until official patches are released, implementing interim security measures is crucial to safeguard systems.
Detailed Analysis:
1. Remote Denial-of-Service (DoS) Vulnerability (CVE-2025-58364):
This vulnerability arises from improper deserialization and validation of printer attributes within the libcups library. Specifically, the issue is located in the `ipp_read_io()` function, which processes `IPP_OP_GET_PRINTER_ATTRIBUTES` requests. Attackers can craft malicious printer attribute responses that trigger a null pointer dereference, leading to system crashes across local networks.
Exploitation requires access to the same local network. Systems running the `cups-browsed` service are particularly exposed, because that service actively listens for printer announcements. All CUPS versions below 2.4.12 are affected, and as of now, no official patches have been released. Security researcher SilverPlate3 is credited with discovering this flaw.
2. Authentication Bypass Vulnerability (CVE-2025-58060):
This high-severity vulnerability affects CUPS configurations utilizing `AuthType Negotiate` or any non-Basic authentication methods. The flaw resides in the `cupsdAuthorize()` function within the `scheduler/auth.c` file. When administrators configure `DefaultAuthType` to methods other than Basic authentication, the system erroneously skips password validation if an incoming request includes a Basic authentication header.
Attackers can exploit this by sending requests with an `Authorization: Basic` header, where the password can be any arbitrary string. This bypass grants unauthorized access to CUPS administrative functions, potentially allowing attackers to modify printer configurations, access print queues, or execute administrative commands. Systems employing Kerberos, LDAP, or other enterprise authentication mechanisms are particularly at risk. Researcher hvenev-insait identified this vulnerability.
Mitigation Strategies:
Given the critical nature of these vulnerabilities, immediate action is necessary:
– For CVE-2025-58364:
    – Restrict Network Access: Limit access to IPP port 631 through firewall rules to prevent unauthorized network access.
    – Disable `cups-browsed` Service: On systems where automatic printer discovery is not essential, disable the `cups-browsed` service to reduce exposure.
– For CVE-2025-58060:
    – Revert to Basic Authentication Temporarily: Until patches are available, configure CUPS to use `AuthType Basic` with strong, unique passwords to mitigate the risk of authentication bypass.
    – Monitor for Security Updates: Regularly check the OpenPrinting project repository and other official channels for updates and apply patches promptly upon release.
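To check a host against the two configuration exposures above, the following added example (not code from the CUPS project or from the original article) audits the text of a `cupsd.conf` for non-Basic `AuthType`/`DefaultAuthType` settings and for listeners reachable from other hosts. The function names and the sample configuration are constructed for illustration.

```python
# Constructed sample cupsd.conf for the demonstration (not from a real host).
SAMPLE_CONF = """\
Listen localhost:631
Port 631
DefaultAuthType Negotiate
<Location /admin>
  AuthType Default
  Require user @SYSTEM
</Location>
<Location /admin/conf>
  AuthType Basic
</Location>
"""

LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}


def directives(text):
    """Yield (line_no, key, value) for each non-comment, non-tag directive."""
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0][0] not in "#<":
            yield no, parts[0].lower(), parts[1].strip()


def audit_cupsd_conf(text):
    """Return (line_no, message) findings, in file order, for both exposures."""
    rows = list(directives(text))
    # Assumption: an unset DefaultAuthType behaves as Basic.
    default = next((v.lower() for _, k, v in rows if k == "defaultauthtype"), "basic")
    findings = []
    for no, key, value in rows:
        if key in ("authtype", "defaultauthtype"):
            auth = default if value.lower() == "default" else value.lower()
            # "None" means no authentication at all; out of scope for this check.
            if auth not in ("basic", "none"):
                findings.append((no, f"{key} resolves to {auth}: CVE-2025-58060 exposure"))
        elif key == "port":
            findings.append((no, f"Port {value} listens on every interface"))
        elif key == "listen" and not value.startswith("/"):
            host = value.rsplit(":", 1)[0].lower()
            if host not in LOOPBACK:
                findings.append((no, f"Listen {value} is reachable off-host"))
    return findings


if __name__ == "__main__":
    for no, msg in audit_cupsd_conf(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```

A listener finding still needs to be read alongside the host firewall, since a rule limiting port 631 can make a non-loopback listener acceptable.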
Conclusion:
The discovery of these vulnerabilities underscores the importance of proactive security measures within Linux environments. Organizations must assess their exposure, implement interim mitigations, and stay vigilant for official patches to maintain the integrity and security of their printing services.