CUPS Print System has several vulnerabilities that affect cups-browsed services installed and enabled on many desktop versions of Linux.
The cups-browsed service’s purpose is to discover new printers. It permissively listens for UDP packets on port 631 so printers can be automatically added upon contact with the machine running cups-browsed. CUPS is installed by default on a wide range of Linux platforms, but the vulnerable service is generally not enabled in default configurations.
Vulnerabilities
The following vulnerabilities can be chained together to exploit the service’s trust of printer advertisements over port UDP/631. An attacker can set up a malicious printer, masquerading as or replacing a real printer, which leads to arbitrary code execution when the malicious printer is used to execute a print job.
- cups-browsed [CVE-2024-47176]
  cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
- libcupsfilters [CVE-2024-47076]
  cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server.
- libppd [CVE-2024-47175]
  ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file.
- cups-filters [CVE-2024-47177]
  foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.
What To Do
CUPS should not be configured to be internet-facing. The vulnerabilities can be remotely exploited if the cups-browsed service is exposed to the Internet. Search for “Cups” using the Product filter in Bitsight for 4th Party to search for assets observed to be running CUPS.
Results indicate that CUPS is exposed to the Internet, but they do not indicate whether it is in a vulnerable configuration.
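A local check for the wildcard UDP/631 bind described under CVE-2024-47176, as an added example that is not part of the original advisory. The function name `classify_udp631` and the sample lines are constructed for illustration; the input is assumed to be `ss -H -uln` style output, with or without a leading Netid column.

```shell
#!/bin/sh
# Added example: classify UDP/631 listeners from `ss -H -uln`-style lines on stdin.
# Prints one word: wildcard | specific | loopback | none
#   wildcard = bound to every address (the INADDR_ANY:631 bind the advisory describes)
#   specific = bound to one non-loopback address
#   loopback = bound only to 127.0.0.0/8 or ::1
# The function does not identify the owning process; confirm that it is
# cups-browsed separately (for example with `ss -ulnp` run as root).
classify_udp631() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            # The first addr:port-shaped field on a line is the local address.
            if ($i ~ /:([0-9]+|\*)$/) {
                if ($i ~ /:631$/) {
                    addr = $i
                    sub(/:631$/, "", addr)
                    if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
                        wildcard = 1
                    else if (addr ~ /^127\./ || addr == "[::1]")
                        loopback = 1
                    else
                        specific = 1
                }
                break
            }
        }
    }
    END {
        if (wildcard)      print "wildcard"
        else if (specific) print "specific"
        else if (loopback) print "loopback"
        else               print "none"
    }'
}

# Constructed sample input (not captured from a real host).
sample='UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 [::1]:323 [::]:*'

printf '%s\n' "$sample" | classify_udp631

# Live use on a host with iproute2 installed:
#   ss -H -uln | classify_udp631
```

A result of `wildcard` or `specific` means the host accepts UDP/631 datagrams from the network; whether that reaches the Internet still depends on firewalling and routing.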
- September 27, 2024: Published.