What vulnerabilities were identified in the Common UNIX Printing System (CUPS)?

Several vulnerabilities were identified in the Common UNIX Printing System (CUPS), including CVE-2024-47177, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47176. These flaws involve command injection, improper input validation, and the potential to connect to malicious IPP servers, with CVSS scores ranging from 8.4 to 9.1.

What are the details of CVE-2024-47177?

CVE-2024-47177 (CVSS score 9.1) is a vulnerability in the cups-filters component that allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter when initiating a print job.

What is the impact of CVE-2024-47076?

CVE-2024-47076 (CVSS score 8.6) is a vulnerability in libcupsfilters that allows an attacker to send malicious IPP data to a CUPS system due to improper validation of IPP attributes from an attacker-controlled server.

What mitigation measures are recommended for these CUPS vulnerabilities?

To mitigate the vulnerabilities, it is recommended to disable the cups-browsed service (via 'sudo systemctl stop cups-browsed' and 'sudo systemctl disable cups-browsed'), block traffic to UDP port 631, and modify the BrowseRemoteProtocols directive to 'none' in high-availability setups.

Are these vulnerabilities exploitable by default?

No, these vulnerabilities do not affect the default configurations of most systems. Exploitation requires access to UDP port 631, which is typically disabled by default, and user interaction is required to initiate a malicious print job.

What is the risk associated with CVE-2024-47176?

CVE-2024-47176 (CVSS score 8.4) affects the cups-browsed daemon, which listens on UDP port 631. If exposed, it can automatically connect to a malicious IPP server, potentially allowing an attacker to control printer attributes via a crafted packet.

How many systems are exposed to these CUPS vulnerabilities?

According to scans from Shodan.io and FOFA Search Engine, over 270,000 unique IP addresses running CUPS were found, with approximately 75,000 directly accessible over the internet, many of which are running UDP port 631.

Has a PoC been published for any of these vulnerabilities?

Yes, a Proof of Concept (PoC) for CVE-2024-47176 has been published on GitHub.

Have official patches been released for these vulnerabilities?

No official patches have been released as of yet, but organizations and users are advised to monitor for updates and apply patches when they become available.

Advisory

Multiple flaws reported in Linux Common UNIX Printing System (CUPS) that enable remote code execution

published: Sept. 26, 2024

Take action: A serious vulnerability, but with a little systematic work it's dramatic. First check if cups is installed and running. Make sure you block off inbound access to UDP port 631 to all your Linux/MacOS/BSD systems. Disable the cups-browsed daemon if found running on the Linux/MacOS/BSD computer. Then monitor for a patch and apply it. And check your network printers and print servers whether they are running CUPS.

Learn More

Several vulnerabilities have been identified in the Common UNIX Printing System (CUPS), a widely-used printing system across Linux, macOS, and UNIX-like operating systems. The vulnerabilities were publicly disclosed after plans for coordinated disclosure were disrupted and unfortunately the developer discussion devolved into insults.

The CVSS score was announced to be 9.9, but as the flaws were published multiple re-evaluations were performed. We will reference the scores published on Tenable.

Vulnerability details:

CVE-2024-47177 (CVSS score 9.1) (cups-filters) - This vulnerability enables the execution of arbitrary commands from PPD files when a print job is initiated. Command injection vulnerability via the FoomaticRIPCommandLine PPD parameter, enabling arbitrary command execution on the affected system.
CVE-2024-47076 (CVSS score 8.6) (libcupsfilters) - A flaw where IPP attributes returned from an attacker-controlled server are not validated. Improper input validation/sanitization of IPP packets, allowing an attacker to send malicious data to the CUPS system.
CVE-2024-47175 (CVSS score 8.6) (libppd) - A vulnerability that allows injection of malicious data into temporary PPD files. Improper input validation/sanitization of IPP data before writing to a temporary PostScript Printer Description (PPD) file, enabling attackers to inject malicious data.
CVE-2024-47176 (CVSS score 8.4) (cups-browsed) - The cups-browsed daemon, if enabled, listens on UDP port 631 and can automatically connect to a malicious IPP server. Binding to an unrestricted IP address, allowing any source packet to trigger a Get-Printer-Attributes IPP request that connects to an attacker-controlled URL.

A PoC for CVE-2024-47176 has been published on GitHub.

These vulnerabilities, while very serious - even critical, do not affect default configurations of most systems, mitigating the immediate risk of exploitation. Attackers would need to:

Access the system via UDP port 631, which is often disabled by default.
Chain these vulnerabilities together to craft a malicious printer and trick users into initiating a print job that executes arbitrary commands.
User interaction is required, making remote code execution (RCE) less likely in real-world scenarios.

Currently, no official patches have been released. However, mitigation measures are available:

Check if you have cups installed:
- On Linux (first command checks if installed, second if it's listening)

sudo systemctl list-units | grep cups
sudo lsof -i -P | grep cups

On MacOS (first command checks if installed, second if it's listening)

sudo launchctl list | grep cups
sudo lsof -i -P | grep cups

If found, disable the cups-browsed service:

sudo systemctl stop cups-browsed 
sudo systemctl disable cups-browsed

Block traffic to UDP port 631.
In high-availability setups, modify the BrowseRemoteProtocols directive to none to prevent exposure.

It's not clear how network printers that run their print server on embedded Linux with CUPS will be remedied or how vulnerable are they.

As of September 26, scans on Shodan.io and FOFA Search Engine revealed over 270,000 unique IP addresses running CUPS, with 75,000 directly accessible over the internet, highlighting significant exposure, especially on systems running UDP port 631.

Organizations and users are advised to:

Disable the cups-browsed service if unnecessary.
Monitor for official patches and apply them promptly when available.
Ensure UDP port 631 is not exposed to untrusted networks

Update - To assist organizations in identifying systems vulnerable to CVE-2024-47176, a vulnerability scanner named cups_scanner.py has been released. This tool scans local networks by sending crafted UDP packets to UDP port 631 of cups-browsed instances, causing them to reach out to a designated server, thus confirming their vulnerability status. The scanner automates setup, including running a temporary HTTP server to capture callbacks, making it easier for IT teams to assess their network exposure

How to Use the Scanner

To scan a network range (e.g., 10.0.0.0/24) from a callback server hosted at 10.0.0.1 on port 1337, the following command can be used:

python3 cups_scanner.py --targets 10.0.0.0/24 --callback 10.0.0.1:1337

For scanning multiple ranges, separate them with commas:

python3 cups_scanner.py --targets 10.0.0.0/24,10.0.1.0/24 --callback 10.0.0.1:1337

Multiple flaws reported in Linux Common UNIX Printing System (CUPS) that enable remote code execution

Read More
Google December 2025 patch fixes Over 100 Android …
Google releases update for Chrome, patches critical flaw
Microsoft July 2023 Patch Fixes 6 zero-day exploited …
CISA warns of ongoing attacks exploiting Microsoft Outlook …
Architectural flaw in Chromium Blink engine enables crashing …