Created on 2024-09-30 07:31 and updated on 2024-10-04 13:52.
Description
This bundle follows the initial research published by evilsocket.net in "Attacking UNIX Systems via CUPS, Part I".
OpenPrinting Vendor Fixes
- CVE-2024-47176: cups-browsed binds on UDP INADDR_ANY:631, trusting any packet from any source to trigger a get-printer-attributes IPP request to an attacker-controlled URL (GHSA)
- CVE-2024-47076: cfGetPrinterAttributes5() (libcupsfilters 2.x) and get_printer_attributes5() (cups-filters 1.x) do not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system (GHSA)
- CVE-2024-47175: In libppd, ppdCreatePPDFromIPP2() does not validate or sanitize the IPP attributes when writing them to the PPD file, allowing the injection of attacker-controlled data into the resulting PPD (GHSA)
- CVE-2024-47177: cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter (GHSA)
The already available fixes are sufficient to prevent the exploit.
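To check whether a host shows the CVE-2024-47176 precondition listed above (a UDP socket on port 631 bound to INADDR_ANY), the following added example parses the Linux /proc/net/udp tables. It is not part of the original bundle or of OpenPrinting's code; the function names and sample rows are constructed, and a little-endian host is assumed.

```python
import ipaddress
from pathlib import Path

IPP_PORT = 631  # UDP port named in CVE-2024-47176

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
 101: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23456
 102: 0100007F:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23457
 103: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23458
"""

def decode_addr(hex_addr):
    """Decode a /proc/net/udp{,6} address: 32-bit words in host byte order
    (assumption: little-endian host, e.g. x86-64 or aarch64 Linux)."""
    raw = bytes.fromhex(hex_addr)
    words = [raw[i:i + 4][::-1] for i in range(0, len(raw), 4)]
    return ipaddress.ip_address(b"".join(words))

def udp_listeners(table, port=IPP_PORT):
    """Return (address, exposure, inode) for each UDP socket bound to `port`."""
    findings = []
    for line in table.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        hex_addr, hex_port = fields[1].split(":")
        if int(hex_port, 16) != port:
            continue
        addr = decode_addr(hex_addr)
        if addr.is_unspecified:              # 0.0.0.0 or :: means INADDR_ANY
            exposure = "any-source"
        elif addr.is_loopback:
            exposure = "loopback-only"
        else:
            exposure = "single-interface"
        findings.append((str(addr), exposure, int(fields[9])))
    return findings

if __name__ == "__main__":
    for name in ("/proc/net/udp", "/proc/net/udp6"):
        path = Path(name)
        if path.exists():
            for addr, exposure, inode in udp_listeners(path.read_text()):
                print(f"{name}: UDP {addr}:{IPP_PORT} {exposure} inode={inode}")
```

An "any-source" result only shows that something is bound to the wildcard address on UDP 631; the socket inode still has to be matched to its owning process to confirm that it is cups-browsed.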
Additional vulnerabilities
- CVE-2024-47850 - CUPS cups-browsed before 2.5b1 will send an HTTP POST request to an arbitrary destination and port in response to a single IPP UDP packet requesting a printer to be added, a different vulnerability than CVE-2024-47176. (The request is meant to probe the new printer but can be used to create DDoS amplification attacks.)
Additional references
- You're probably not vulnerable to the CUPS CVE
- OpenPrinting: OpenPrinting News Flash - cups-browsed Remote Code Execution vulnerability
- Debian: CVE-2024-47176
- Ubuntu: USN-7042-1: cups-browsed vulnerability
- Red Hat: Red Hat’s response to OpenPrinting CUPS vulnerabilities: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177
Vulnerabilities included in this bundle
Author
Alexandre Dulaunoy
Combined sightings
Author | Vulnerability | Source | Type | Date |
---|---|---|---|---|