Several vulnerabilities were discovered in the CUPS print system that affect cups-browsed services installed and enabled on many desktop versions of Linux. See the resource center.
The cups-browsed service’s purpose is to discover new printers. It permissively listens for UDP packets on port 631 so printers can be automatically added upon contact with the machine running cups-browsed. CUPS is installed by default on a wide range of Linux platforms, but the vulnerable service is generally not enabled in default configurations.
Vulnerabilities
The following vulnerabilities can be chained together to exploit the service’s trust of printer advertisements over port UDP/631. An attacker can set up a malicious printer, masquerading as or replacing a real printer, which leads to arbitrary code execution when the malicious printer is used to execute a print job.
- cups-browsed [CVE-2024-47176]
  cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
- libcupsfilters [CVE-2024-47076]
  cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server.
- libppd [CVE-2024-47175]
  ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file.
- cups-filters [CVE-2024-47177]
  foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.
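A local exposure check for two of the conditions listed above, as an added example that is not part of the original advisory: it flags UDP sockets on port 631 bound to a wildcard address and lists installed PPD files that carry a FoomaticRIPCommandLine directive. The function names and the `--run` switch are assumptions of this example; legitimate Foomatic drivers also use the directive, so the PPD list is a review list, not a verdict.

```shell
#!/bin/sh
# Added example (not from the advisory): local checks for two conditions in the chain.

# Reads `ss -uln` style lines on stdin and prints every local UDP socket on
# port 631 bound to a wildcard address (the INADDR_ANY bind of CVE-2024-47176).
wildcard_udp631() {
    awk '{
        local_addr = ""
        # First field containing ":" is Local Address:Port, with or without a Netid column.
        for (i = 1; i <= NF; i++)
            if (index($i, ":") > 0) { local_addr = $i; break }
        if (local_addr == "") next
        n = split(local_addr, parts, ":")
        port = parts[n]
        host = substr(local_addr, 1, length(local_addr) - length(port) - 1)
        if (port == "631" && (host == "0.0.0.0" || host == "*" || host == "[::]"))
            print local_addr
    }'
}

# Lists PPD files in a directory (default: the usual CUPS PPD directory) that
# contain a FoomaticRIPCommandLine directive (the parameter in CVE-2024-47177).
ppds_with_foomatic_cmd() {
    dir=${1:-/etc/cups/ppd}
    [ -d "$dir" ] || return 0
    grep -l '^\*FoomaticRIPCommandLine' "$dir"/*.ppd 2>/dev/null || true
}

# Hypothetical entry point: run the checks on this host only when asked to.
if [ "${1:-}" = "--run" ]; then
    echo "Wildcard UDP/631 listeners:"
    ss -H -uln | wildcard_udp631
    echo "PPD files to review:"
    ppds_with_foomatic_cmd
fi
```

Reading `/etc/cups/ppd` normally requires root, so run the script with `--run` under sudo for a complete PPD list.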
Bitsight Research Status
The Vulnerability Research team is researching the disclosure to understand if a remote detection capability is possible.