CVE-2024-35235 Overview
CVE-2024-35235 is a symlink attack vulnerability in OpenPrinting CUPS, the open source printing system widely used on Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target file or directory.
Critical Impact
Since cupsd typically runs as root, this vulnerability can result in changing permissions of any user or system files to world-writable, potentially leading to privilege escalation and arbitrary command execution.
Affected Products
- OpenPrinting CUPS versions 2.4.8 and earlier
- Debian Linux 10.0
- Linux and Unix-like systems running vulnerable CUPS versions
Discovery Timeline
- 2024-06-11 - CVE-2024-35235 published to NVD
- 2025-09-26 - Last updated in NVD database
Technical Details for CVE-2024-35235
Vulnerability Analysis
This vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack. The flaw exists in how the CUPS daemon handles the Listen configuration directive. When cupsd processes a Listen argument that points to a symbolic link, it performs a chmod operation on the target of that symlink without properly validating whether the path is a legitimate socket file or a malicious symbolic link.
On systems where cupsd runs with root privileges, an attacker with local access can exploit this behavior to modify permissions on arbitrary files. The exploitation chain can be extended further on Ubuntu systems. While Ubuntu's AppArmor profile limits which files the cupsd process can modify, researchers found it was still possible to gain full control over the cupsd.conf and cups-files.conf configuration files.
By manipulating these configuration files, an attacker can set the User and Group arguments in cups-files.conf, then configure a printer with a PPD file containing a FoomaticRIPCommandLine argument to achieve arbitrary command execution under a non-root user context. This initial foothold can subsequently be leveraged for full root command execution on vulnerable Ubuntu systems.
Root Cause
The root cause of this vulnerability lies in insufficient validation of symbolic links in the Listen configuration path handling code within cupsd. The vulnerable code path can be found in the CUPS HTTP address handling code. The daemon fails to verify that the Listen path resolves to an expected socket file type before performing file permission operations, allowing an attacker to redirect the chmod operation to arbitrary targets through symbolic links.
Attack Vector
The attack requires local access to the system and follows a multi-stage exploitation path:
- An attacker creates a symbolic link pointing from a path that will be used as a Listen socket to a target file they wish to make world-writable
- When cupsd starts (or restarts), it processes the Listen configuration and performs a chmod operation that follows the symbolic link
- The target file becomes world-writable, allowing the attacker to modify its contents
- On systems with AppArmor protection, the attacker can target CUPS configuration files to modify service settings
- By editing cups-files.conf to change User/Group settings and configuring a malicious PPD file with FoomaticRIPCommandLine, arbitrary command execution is achieved
The attack exploits the trust placed in the Listen configuration path and leverages the elevated privileges of the cupsd daemon to escalate from local access to potential root-level compromise.
Detection Methods for CVE-2024-35235
Indicators of Compromise
- Unexpected symbolic links in CUPS socket directories (typically /var/run/cups/ or similar paths)
- Modified permissions on system files (especially world-writable configuration files)
- Unauthorized changes to cupsd.conf or cups-files.conf
- Suspicious User or Group settings in cups-files.conf
- PPD files containing FoomaticRIPCommandLine directives with unexpected commands
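The indicators above can be checked with a short script. This is an added example, not code from the advisory or from the CUPS project; the function names and the temporary fixture are constructed for illustration, and only the final path component of each Listen argument is inspected.

```shell
#!/bin/sh
# Added example: checks for the indicators listed above. Function names and
# the fixture at the bottom are constructed for illustration.

# Report Listen arguments that are filesystem paths and are either a symbolic
# link or an existing file that is not a socket. host:port values are skipped.
check_listen_paths() {   # $1 = path to cupsd.conf
    awk 'tolower($1) == "listen" && $2 ~ /^\// { print $2 }' "$1" |
    while IFS= read -r p; do
        if [ -L "$p" ]; then
            printf 'SYMLINK %s -> %s\n' "$p" "$(readlink "$p")"
        elif [ -e "$p" ] && [ ! -S "$p" ]; then
            printf 'NOT_SOCKET %s\n' "$p"
        fi
    done
}

# List world-writable files and directories under a CUPS configuration tree.
find_world_writable() {  # $1 = directory, e.g. /etc/cups
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# List PPD files that contain a FoomaticRIPCommandLine directive, for review.
find_foomatic_ppds() {   # $1 = PPD directory, e.g. /etc/cups/ppd
    grep -l 'FoomaticRIPCommandLine' "$1"/*.ppd 2>/dev/null || true
}

# Constructed fixture in a temp directory so the checks run offline.
demo=$(mktemp -d)
mkdir "$demo/ppd"
: > "$demo/cups-files.conf"
chmod 666 "$demo/cups-files.conf"                 # world-writable config file
ln -s "$demo/cups-files.conf" "$demo/cups.sock"   # link where a socket belongs
printf 'Listen localhost:631\nListen %s/cups.sock\n' "$demo" > "$demo/cupsd.conf"
printf '*FoomaticRIPCommandLine: "constructed"\n' > "$demo/ppd/sample.ppd"

check_listen_paths "$demo/cupsd.conf"
find_world_writable "$demo"
find_foomatic_ppds "$demo/ppd"
rm -rf "$demo"
```

On a live host, point the three functions at /etc/cups/cupsd.conf, /etc/cups and /etc/cups/ppd; any output line is a finding to review.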
Detection Strategies
- Monitor file integrity for CUPS configuration files using tools like AIDE or OSSEC
- Audit symbolic link creation in directories used by CUPS services
- Review system logs for unexpected cupsd restarts or configuration changes
- Implement auditd rules to track chmod operations performed by the cupsd process
Monitoring Recommendations
- Enable detailed logging for CUPS service activities
- Configure file integrity monitoring on /etc/cups/ directory and contents
- Set up alerts for permission changes on sensitive system files
- Monitor for unexpected print jobs or printer configuration changes
How to Mitigate CVE-2024-35235
Immediate Actions Required
- Update OpenPrinting CUPS to a patched version that includes commit ff1f8a623e090dee8a8aadf12a6a4b25efac143d
- Review CUPS configuration files for unauthorized modifications
- Audit Listen configuration directives for symbolic link references
- Restrict local access to systems running vulnerable CUPS versions
Patch Information
OpenPrinting has released a security patch addressing this vulnerability. The fix is contained in commit ff1f8a623e090dee8a8aadf12a6a4b25efac143d. Organizations should apply this patch or upgrade to a CUPS version that includes this fix. For Debian Linux systems, refer to the Debian LTS Security Announcement for distribution-specific update instructions. Additional details are available in the GitHub CUPS Security Advisory.
Workarounds
- Ensure Listen configuration paths do not point to symbolic links
- Run cupsd with reduced privileges where possible using AppArmor or SELinux policies
- Implement strict file permissions on directories used by CUPS
- Disable or remove unused printing services on critical systems
# Configuration example
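# Verify Listen socket paths are not symbolic links
# (host:port Listen entries are skipped; a leading "l" in the mode column marks a symlink)
grep -E '^Listen[[:space:]]+/' /etc/cups/cupsd.conf | awk '{print $2}' | xargs -r ls -ld --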
# Check CUPS configuration file integrity
sha256sum /etc/cups/cupsd.conf /etc/cups/cups-files.conf
# Ensure proper permissions on CUPS directories
chmod 755 /etc/cups
chmod 644 /etc/cups/cupsd.conf
chmod 640 /etc/cups/cups-files.conf

