Service Notices

All Notices > Security Notices > Linux CUPS Remote Code Execution Vulnerability

Linux CUPS Remote Code Execution Vulnerability

Sep 29, 2024 GMT+08:00

I. Overview

Recently, details about a remote code execution (RCE) vulnerability in the Linux CUPS (Common UNIX Printing System) were disclosed online. This vulnerability is triggered when the cups-browsed component processes a specially crafted request. An unauthenticated attacker can exploit this vulnerability to execute arbitrary code on the target host. Currently, four CVEs (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177) have been identified in the attack chain. These CVEs may be updated as more information becomes available. A proof-of-concept (PoC) exploit has been released, indicating a high risk associated with this vulnerability.

CUPS is an open-source print service software widely used on Linux/Unix systems. If you are a Linux/Unix user, check your versions and implement timely security hardening.

Reference link:

https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

CVE-2024-47176 cups-browsed <= 2.0.1

CVE-2024-47076 libcupsfilters <= 2.1b1

CVE-2024-47175 libppd <= 2.1b1

CVE-2024-47177 cups-filters <= 2.0.1

IV. Vulnerability Handling

Impact check:

Run the following command to check the status of CUPS-related services:

systemctl status cups-browsed

If the output includes "Unit cups-browsed.service could not be found.", it means CUPS-related services are not installed, and your system is not affected by the vulnerability.

If the service status is returned, check the value of Active: If Active is inactive (dead), CUPS-related services are installed but not enabled, and your system is not affected by the vulnerability. If Active is active (running), CUPS-related services are enabled, and your system is affected by the vulnerability.

Mitigation measures:

1. Disable and delete cups-browsed if the Linux print service is not needed.

2. Block traffic from UDP port 631.

Vulnerability fixing:

Currently, neither the official component maintainers nor major Linux distributors have released fixed versions for the CUPS remote code execution vulnerability. Please stay tuned for updates and the release of official secure versions.

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.