Yesterday details went public about a major security issue that was found in CUPS, the open source printing system.
If you wish to read all the details, you can do so in the blog post from Simone Margaritelli, who found the problems. It's pretty technical stuff that most normal users likely won't understand, but the main point is that if you're on a desktop Linux system, there's a high chance your system is vulnerable to it (especially if you use printers).
The issues are:
- CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL.
- CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system.
- CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD.
- CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.
Margaritelli summed it up as:
A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer).
Margaritelli also suggests disabling and removing the cups-browsed service, especially if you don't need it, and then running updates. Regularly checking for updates is sound advice anyway, so make sure you update often to pick up security fixes.
Red Hat and Canonical both have blog posts up on it and updates are rolling out for various distributions.
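A defensive check for two conditions named in the CVE list above, as an added example that is not from the article or the CUPS project: it looks for a socket bound to the wildcard address on UDP 631 and for FoomaticRIPCommandLine entries in installed PPD files. The sample data is constructed, and `/etc/cups/ppd` is assumed to be the PPD directory.

```python
import glob
import re

IPP_PORT = 631  # UDP port cups-browsed binds per CVE-2024-47176

# Constructed samples (not captured from a real host), used for offline testing.
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  10: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4242
  11: 0100007F:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4243
  12: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000   112        0 4244
"""
SAMPLE_PPD = '*PPD-Adobe: "4.3"\n*FoomaticRIPCommandLine: "echo constructed-sample"\n'

def wildcard_udp_631(table):
    """Sockets in /proc/net/udp (or udp6) text bound to the wildcard address on port 631."""
    hits = []
    for line in table.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        addr_hex, port_hex = f[1].rsplit(":", 1)
        # An all-zero address is INADDR_ANY (or :: in udp6): reachable on every interface.
        if int(port_hex, 16) == IPP_PORT and int(addr_hex, 16) == 0:
            hits.append({"uid": int(f[7]), "inode": int(f[9])})
    return hits

FOOMATIC = re.compile(r'^\*FoomaticRIPCommandLine\b[^:\n]*:[ \t]*(.*)$', re.M)

def foomatic_command_lines(ppd_text):
    """First line of every FoomaticRIPCommandLine value found in a PPD."""
    return [m.group(1).strip().strip('"') for m in FOOMATIC.finditer(ppd_text)]

if __name__ == "__main__":
    try:
        with open("/proc/net/udp") as fh:
            udp = fh.read()
    except OSError:
        udp = SAMPLE_UDP                         # no procfs: fall back to the sample
    for s in wildcard_udp_631(udp):
        print(f"UDP *:631 open (uid {s['uid']}, inode {s['inode']}): check for cups-browsed")
    for path in glob.glob("/etc/cups/ppd/*.ppd"):   # assumed CUPS PPD directory
        with open(path, errors="replace") as fh:
            for cmd in foomatic_command_lines(fh.read()):
                print(f"{path}: FoomaticRIPCommandLine = {cmd}")
```

A hit on UDP 631 only shows that something is listening on every interface; the inode can be matched against the output of `ss -ulpn` to confirm whether it is cups-browsed.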
Quoting: Samsai
There has to be some other way to get vulnerabilities fixed than by doing some kind of a salesman marketing spin campaign.
Having read the blog post, it sounds like Simone Margaritelli would strongly agree with that sentiment.
Quoting: elmapul
Is it even possible to fix that without breaking the functionality of all existing printers?
CVE-2024-47076 and CVE-2024-47175 easily (implement the proper checks).
CVE-2024-47177 even without breaking foomatic printers, but it requires serious research in the current use cases (command whitelists).
CVE-2024-47176 kind of. It doesn't require a change to printer drivers, firmware or any other upstream product, but it does require a downstream API change, so it could result in breakage of programs utilizing cups-browsed.
Edit:
on CVE-2024-47177 you can at least implement an opt-in check for it discouraging new printers from using it.
CVE-2024-47176 can also non-breaking be found by making adding printers an opt-in endeavor.
Last edited by LoudTechie on 28 September 2024 at 1:44 pm UTC
Quoting: ElectricPrism
I mean... software update...
Quoting: elmapul
Is it even possible to fix that without breaking the functionality of all existing printers?
Create a MITM Print Server? Maybe from a Raspberry Pi? As for how you get the files from the device to the print server -- that's up to you really.
(Of course this implies eliminating cups from all LAN devices except the print server which is connected via USB or whatever.)
Your scenario is realistic for tinkerers and companies but not for the average joe.
Unless someone plans to sell a new class of devices...