{"uuid": "19c15eba-7fb7-4f1e-8fdd-f5871d05e797", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "CUPS Vulnerabilities - 2024", "description": "Following the initial research available at the [Attacking UNIX Systems via CUPS, Part I](https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/) done by evilsocket.net.\n\n# OpenPrinting Vendor Fixes\n\n- [CVE-2024-47176](https://ubuntu.com/security/CVE-2024-47176): cups-browsed binds on `UDP INADDR_ANY:631` trusting any packet from any source to trigger a `get-printer-attributes` IPP request to an attacker-controlled URL ([GHSA](https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8))\n    - [Preliminary Fix cups-browsed](https://github.com/OpenPrinting/cups-browsed/commit/1debe6b140c)\n    - [Preliminary Fix cups-filters 1.x](https://github.com/OpenPrinting/cups-filters/commit/b7461ec2a8)\n- [CVE-2024-47076](https://www.cve.org/CVERecord?id=CVE-2024-47076): `cfGetPrinterAttributes5()` (libcupsfilters 2.x) and `get_printer_attributes5()` (cups-filters 1.x) do not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system ([GHSA](https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5))\n    - [Fix libcupsfilters 2.x](https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3)\n    - [Fix cups-filters 1.x](https://github.com/OpenPrinting/cups-filters/commit/10fb02eaa)\n- [CVE-2024-47175](https://ubuntu.com/security/CVE-2024-47175): In libppd, `ppdCreatePPDFromIPP2()` does not validate or sanitize the IPP attributes when writing them to the PPD file, allowing the injection of attacker-controlled data into the resulting PPD ([GHSA](https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6))\n    - [Fix libppd](https://github.com/OpenPrinting/libppd/commit/d681747ebf)\n    - [Fix CUPS Validate IPP attributes 
in PPD generator](https://github.com/OpenPrinting/cups/commit/9939a70b750)\n    - [Fix CUPS Refactor make-and-model code](https://github.com/OpenPrinting/cups/commit/04bb2af4521)\n    - [Fix CUPS PPDize preset and template names](https://github.com/OpenPrinting/cups/commit/e0630cd18f7)\n    - [Fix CUPS Quote PPD localized strings](https://github.com/OpenPrinting/cups/commit/1e6ca5913ec)\n    - [Fix CUPS Fix warnings for unused vars](https://github.com/OpenPrinting/cups/commit/2abe1ba8a66)\n- [CVE-2024-47177](https://ubuntu.com/security/CVE-2024-47177): cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter ([GHSA](https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47))\n\n**The already available fixes are sufficient to prevent the exploit.**\n\n# Additional vulnerabilities\n\n- [CVE-2024-47850](https://vulnerability.circl.lu/vuln/cve-2024-47850) - CUPS cups-browsed before 2.5b1 will send an HTTP POST request to an arbitrary destination and port in response to a single IPP UDP packet requesting a printer to be added, a different vulnerability than CVE-2024-47176. 
(The request is meant to probe the new printer but can be used to create DDoS amplification attacks.)\n\n# Additional reference\n\n- [You're probably not vulnerable to the CUPS CVE](https://xeiaso.net/notes/2024/cups-cve/)\n- OpenPrinting [OpenPrinting News Flash - cups-browsed Remote Code Execution vulnerability](https://openprinting.github.io/OpenPrinting-News-Flash-cups-browsed-Remote-Code-Execution-vulnerability/)\n- Debian [CVE-2024-47176](https://security-tracker.debian.org/tracker/CVE-2024-47176)\n- Ubuntu [USN-7042-1: cups-browsed vulnerability](https://ubuntu.com/security/notices/USN-7042-1)\n- RedHat [Red Hat\u2019s response to OpenPrinting CUPS vulnerabilities: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177](https://www.redhat.com/en/blog/red-hat-response-openprinting-cups-vulnerabilities)", "creation_timestamp": "2024-09-30T07:31:43.981846+00:00", "timestamp": "2024-10-04T13:52:00.637427+00:00", "related_vulnerabilities": ["CVE-2024-47076", "CVE-2024-47850", "GHSA-rj88-6mr5-rcw8", "GHSA-7xfx-47qg-grp6", "CVE-2024-47175", "GHSA-p9rh-jxmq-gq47", "CVE-2024-47177", "GHSA-w63j-6g73-wmg5", "CVE-2024-47176"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
