CVE-2024-47175
libppd's ppdCreatePPDFromIPP2 function does not sanitize IPP attributes when creating the PPD buffer
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
CUPS is a standards-based, open-source printing system, and `libppd` can be used for legacy PPD file support. The `libppd` function `ppdCreatePPDFromIPP2` does not sanitize IPP attributes when creating the PPD buffer. When used in combination with other functions such as `cfGetPrinterAttributes5`, can result in user controlled input and ultimately code execution via Foomatic. This vulnerability can be part of an exploit chain leading to remote code execution (RCE), as described in CVE-2024-47176.
A security issue was found in OpenPrinting CUPS.
The function ppdCreatePPDFromIPP2 in the libppd library is responsible for generating a PostScript Printer Description (PPD) file based on attributes retrieved from an Internet Printing Protocol (IPP) response. Essentially, it takes printer information, usually obtained via IPP, and creates a corresponding PPD file that describes the printer's capabilities (such as supported media sizes, resolutions, color modes, etc.).
PPD files are used by printing systems like CUPS (Common Unix Printing System) to communicate with and configure printers. They provide a standardized format that allows different printers to work with the printing system in a consistent way.
The ppdCreatePPDFromIPP2 function in libppd doesn't properly check or clean IPP attributes before writing them to a temporary PPD file. This means that a remote attacker, who has control of or has hijacked an exposed printer (through UPD or mDNS), could send a harmful IPP attribute and potentially insert malicious commands into the PPD file.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-09-19 CVE Reserved
- 2024-09-26 CVE Published
- 2024-09-29 CVE Updated
- 2024-10-01 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8 | X_refsource_misc | |
https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47 | X_refsource_misc | |
https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5 | X_refsource_misc | |
https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6 | X_refsource_confirm | |
https://www.cups.org | X_refsource_misc | |
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I | X_refsource_misc |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2024-47175 | 2024-10-03 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2314256 | 2024-10-03 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
OpenPrinting Search vendor "OpenPrinting" | Libppd Search vendor "OpenPrinting" for product "Libppd" | <= 2.1 Search vendor "OpenPrinting" for product "Libppd" and version " <= 2.1" | en |
Affected
|