About Remote Code Execution – CUPS cups-browsed (CVE-2024-47176) and other CUPS vulnerabilities. On September 26, researcher Simone Margaritelli (evilsocket) disclosed 4 vulnerabilities of the CUPS print server for Linux systems (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177) in the cups-browsed, libcupsfilters, libppd and cups-filters components.
The vulnerability chain allows a remote unauthenticated attacker to silently replace existing printer IPP URLs with malicious ones by sending special packets to 631/UDP. Then, when a print job is initiated, an RCE occurs. Mass exploitation is possible in local networks via mDNS or DNS-SD.
The OpenPrinting/cups-browsed bulletin contains a PoC of the exploit.
How many potentially vulnerable hosts are accessible from the Internet?
🔻 According to Qualys and Rapid7 score – 75000.
No patches yet. 🤷♂️ So, let’s wait, check network accessed and disable cups-browsed, where it is not needed.
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.
Pingback: October Linux Patch Wednesday | Alexander V. Leonov
Pingback: Continuing the story about recent CUPS vulnerabilities: vulnerable hosts will be used by attackers to amplify DDoS attacks | Alexander V. Leonov