
Yesterday details went public about a major security issue that was found in CUPS, the open source printing system.

If you wish to read all the details, you can do so in the blog post from Simone Margaritelli, who found the problems. It's pretty technical stuff that most normal users likely won't understand, but the main point is that, especially if you're on a desktop Linux system, there's a high chance your system is vulnerable to it (especially if you use printers).

The issues are:

  • CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL.
  • CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system.
  • CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD.
  • CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.

Margaritelli summed it up as:

> A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer).

Margaritelli also suggests disabling and removing the cups-browsed service, especially if you don't need it, and then running updates. Regularly checking for updates is just sound advice anyway, so make sure you stay up to date for security fixes.
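As an added example (not from the article, Margaritelli's post or the CUPS project), the script below checks a Linux host for the CVE-2024-47176 precondition, a UDP socket bound to the wildcard address on port 631, and reports the state of the cups-browsed unit. The function names and the sample data are constructed for illustration; it assumes the Linux /proc/net/udp format and systemd.

```shell
#!/bin/sh
# Added example (not from the article): check a Linux host for the
# CVE-2024-47176 exposure, a UDP socket on port 631 bound to INADDR_ANY.

# Constructed sample in /proc/net/udp format (addresses and ports are hex).
sample_proc_net_udp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
 101: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23456
 102: 0100007F:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23457
 103: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23458
EOF
}

# wildcard_udp631 [FILE...]: read /proc/net/udp or udp6 formatted text (stdin
# if no file is given) and print each local address bound to a wildcard
# address (0.0.0.0 or ::) on port 631 (0x0277). Exit 0 if any, else 1.
wildcard_udp631() {
    awk '
        FNR == 1 { next }                       # header line of each file
        {
            if (split($2, a, ":") != 2) next    # local_address = ADDR:PORT
            if (toupper(a[2]) == "0277" && a[1] ~ /^0+$/) { print $2; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    ' "$@"
}

# Audit the running host: listening sockets first, then the systemd unit.
audit_cups_browsed() {
    set --
    for f in /proc/net/udp /proc/net/udp6; do
        if [ -r "$f" ]; then set -- "$@" "$f"; fi
    done
    if [ "$#" -gt 0 ] && hits=$(wildcard_udp631 "$@"); then
        echo "EXPOSED: UDP 631 bound on all interfaces ($hits)"
    else
        echo "OK: no wildcard listener on UDP 631"
    fi
    if command -v systemctl >/dev/null 2>&1; then
        echo "cups-browsed enabled: $(systemctl is-enabled cups-browsed 2>/dev/null)"
        echo "cups-browsed active:  $(systemctl is-active cups-browsed 2>/dev/null)"
    fi
}

if [ "${1:-}" = "--audit" ]; then audit_cups_browsed; fi
```

Run it with `--audit` on a live host. A hit flags any process bound to that port, so confirm the owner with `ss -ulnp` before disabling the service with `systemctl disable --now cups-browsed`.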

Red Hat and Canonical both have blog posts up on it and updates are rolling out for various distributions.

Article taken from GamingOnLinux.com.
Tags: Security, Misc
About the author -
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly.
14 comments

hardpenguin Sep 27
I appreciate the thumbnail of this newspost.
Liam Dawe Sep 27
> I appreciate the thumbnail of this newspost.
Art is my passion.
Linux_Rocks Sep 27
KROM Sep 27
What I personally found even more unsettling than this issue, was the finding that CVE itself seems to have security issues with this issue being leaked along with the exploit from their system.
elmapul Sep 27
Is it even possible to fix that without breaking the functionality of all existing printers?
tfk Sep 27
What I gather from the blog post is that the reaction to these findings is an irritated one instead of a proactive one. Like pulling your hand bag up to your nose and do like WHEEEEEEEEE! Like the old Reeves and Mortimer sketches. And then coming in with the fake frying pans. Also an old Reeves and Mortimer reference.



soulsource Sep 27
And that is why I don't understand why anyone in their right mind would run cups-browsed. The (tiny) convenience benefit it offers is not worth it.

To quote the blog post:
> Disable and remove the cups-browsed service if you don’t need it (and probably you don’t).

The other recommendation is also something that I have been wondering about basically ever since those services were introduced:
> I’m also removing every zeroconf / avahi / bonjour listener.

That stuff is nearly useless and increases attack surface.
nenoro Sep 27
Me use gentoo... me waiting for bold humans to update their tarball


Last edited by nenoro on 27 September 2024 at 2:59 pm UTC
Samsai Sep 27
> Is it even possible to fix that without breaking the functionality of all existing printers?
Apparently the Foomatic printers require the kind of stupidity that caused the arbitrary code execution part, so when it comes to those the answer is probably "no". But I would guess that you can fix the issue while basically only breaking Foomatic and maybe making the necessary sacrifice of not getting automatic printer connections.

For most regular workstation users, this issue probably doesn't even really exist. At least in Fedora cups-browsed isn't enabled and the default firewall rules don't expose any CUPS services to the outside. Maybe Ubuntu does run it by default and exposes it, but then the question would probably be why?

I also don't really like how this thing was hyped to hell and back. Sure, it's a real issue in the sense that you can either DoS a CUPS install with the buffer overruns (a certified C language classic) or cause an RCE in some fairly narrow circumstances, but the hyping basically framed it as a damn apocalypse. There has to be some other way to get vulnerabilities fixed than by doing some kind of a salesman marketing spin campaign.
> Is it even possible to fix that without breaking the functionality of all existing printers?

Create a MITM Print Server? Maybe from a Raspberry Pi? As for how you get the files from the device to the print server -- that's up to you really.

(Of course this implies eliminating cups from all LAN devices except the print server which is connected via USB or whatever.)


Last edited by ElectricPrism on 28 September 2024 at 4:17 am UTC
> There has to be some other way to get vulnerabilities fixed than by doing some kind of a salesman marketing spin campaign.
Having read the blog post, it sounds like Simone Margaritelli would strongly agree with that sentiment.
Klaas Sep 28
I don't think I ever installed cups-browsed on any system, partly because I don't care about the convenience of automatic discoverability of a printer and mostly because I don't want to have automatic discoverability due to security concerns.
LoudTechie Sep 28
> Is it even possible to fix that without breaking the functionality of all existing printers?
CVE-2024-47076 and CVE-2024-47175 easily (implement the proper checks).
CVE-2024-47177 even without breaking foomatic printers, but it requires serious research in the current use cases (command whitelists).
CVE-2024-47176 kind of. It doesn't require a change to printer drivers, firmware or any other upstream product, but it does require a downstream API change, so it could result in breakage of programs utilizing cups-browsed.

Edit:
On CVE-2024-47177 you can at least implement an opt-in check for it discouraging new printers from using it.
CVE-2024-47176 can also non-breaking be found by making adding printers an opt-in endeavor.


Last edited by LoudTechie on 28 September 2024 at 1:44 pm UTC
elmapul Sep 28
> > Is it even possible to fix that without breaking the functionality of all existing printers?
>
> Create a MITM Print Server? Maybe from a Raspberry Pi? As for how you get the files from the device to the print server -- that's up to you really.
>
> (Of course this implies eliminating cups from all LAN devices except the print server which is connected via USB or whatever.)
I mean... software update...
Your scenario is realistic for tinkerers and companies but not for the average joe.
Unless someone plans to sell a new class of devices...