Recent vulnerabilities discovered in the Common UNIX Printing System (CUPS) pose a risk of remote code execution on unprotected Linux machines. Tracked as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177, these flaws were identified by researcher Simone Margaritelli. They rely on the cups-browsed daemon being enabled, a setting that is typically not active in default configurations. CUPS, which is widely used for managing printers in Linux and Unix-like operating systems, includes this daemon to facilitate the discovery of network printers.
When the cups-browsed daemon is enabled, it listens on UDP port 631, allowing remote connections to create new printers. Margaritelli found that attackers could exploit this by advertising a malicious PostScript Printer Description (PPD) to the exposed service. If a user on the local network attempts to print to this malicious printer, the system automatically installs it, which can lead to the execution of harmful commands embedded within the PPD. This vulnerability chain requires both network access and user interaction, limiting its real-world applicability.
While the potential for remote code execution exists, the risks are mitigated by several factors. The cups-browsed daemon is not commonly enabled by default, reducing the number of vulnerable systems. Additionally, an attacker would need to successfully trick a user into printing from the malicious printer, which introduces a layer of complexity. As Field CTO at Sonatype Ilkka Turunen noted, this chain of vulnerabilities highlights the necessity of spoofing a printer on the local network, which is not straightforward.
Currently, no patches are available for these vulnerabilities, but Red Hat has provided mitigation measures for system administrators. Users are advised to disable the cups-browsed service to halt the exploit chain by executing the commands: sudo systemctl stop cups-browsed and sudo systemctl disable cups-browsed. System administrators can check the status of the service using sudo systemctl status cups-browsed. If the service is inactive, the system is not vulnerable. Red Hat has classified the severity of these vulnerabilities as “Important,” reflecting the limited impact given the mitigating factors involved.
