--- licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0) licence_link: https://creativecommons.org/licenses/by/4.0/ licence_restrictions: https://cert.europa.eu/legal-notice licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies title: 'Critical Vulnerabilities in CUPS' number: '2024-103' version: '1.0' original_date: 'September 26, 2024' date: 'September 27, 2024' --- _History:_ * _27/09/2024 --- v1.0 -- Initial publication_ # Summary On September 26, 2024, a security researched released a blog post describing several vulnerabilities in CUPS, one of which being critical, allowing an attacker to replace existing printers' IPP URLs with a malicious one, resulting in a potential arbitrary command execution [1]. # Technical details By chaining the vulnerabilities (**CVE-2024-47076**, **CVE-2024-47175**, **CVE-2024-47176** and **CVE-2024-47177**) together, an attacker could potentially achieve remote code execution [1]. Exploitation of these vulnerabilities is possible through the following chain of events: 1. The `cups-browsed` service has been enabled or started. 2. An attacker has access to a vulnerable server, which: - allows unrestricted access, such as the public internet, or - gains access to an internal network where local connections are trusted. 3. Attacker advertises a malicious IPP server, thereby provisioning a malicious printer. 4. A potential victim attempts to print using the malicious device. 5. Attempted printing allows the attacker to execute arbitrary code on the victim’s machine. # Affected products This group of vulnerabilities affects most of the Linux systems. You can determine if `cups-browsed` is running by running the following command: ``` sudo systemctl status cups-browsed ``` # Recommendations CERT-EU recommends reviewing and applying the patches from Linux distribution security bulletins, including but not limited to: - Ubuntu [2] - RedHat [3] CERT-EU also recommends to disable the `cups-browsed` service in any environment where printing is not needed, or patches are not yet available, using the following commands: ``` sudo systemctl stop cups-browsed sudo systemctl disable cups-browsed ``` # References [1] [2] [3]