Major flaw found in CUPS - time to run Linux system updates

Yesterday details went public about a major security issue that was found in CUPS, the open source printing system.

If you wish to read all the details you can do so in the blog post from Simone Margaritelli who found the problems. It's pretty technical stuff that most normal users likely won't understand, but the main point is that if you're on a desktop Linux system especially there's a high chance your system is vulnerable to it (especially if you use printers).

The issues are:

• CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL.
• CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system.
• CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD.
• CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.

Summed up by Margaritelli they said:

A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer).

Margaritelli also suggests actually removing and disabling any services for cups-browsed, especially if you don't need it and then running updates. Regularly checking for updates is just sound advice anyway, make sure you're up to date often for security fixes.

Red Hat and Canonical both have blog posts up on it and updates are rolling out for various distributions.