CVE-2024-47175
libppd's ppdCreatePPDFromIPP2 function does not sanitize IPP attributes when creating the PPD buffer
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
CUPS is a standards-based, open-source printing system, and `libppd` can be used for legacy PPD file support. The `libppd` function `ppdCreatePPDFromIPP2` does not sanitize IPP attributes when creating the PPD buffer. When used in combination with other functions such as `cfGetPrinterAttributes5`, can result in user controlled input and ultimately code execution via Foomatic. This vulnerability can be part of an exploit chain leading to remote code execution (RCE), as described in CVE-2024-47176.
A security issue was found in OpenPrinting CUPS. The function ppdCreatePPDFromIPP2 in the libppd library is responsible for generating a PostScript Printer Description (PPD) file based on attributes retrieved from an Internet Printing Protocol (IPP) response. Essentially, it takes printer information, usually obtained via IPP, and creates a corresponding PPD file that describes the printer's capabilities (such as supported media sizes, resolutions, color modes, etc.). PPD files are used by printing systems like CUPS (Common Unix Printing System) to communicate with and configure printers. They provide a standardized format that allows different printers to work with the printing system in a consistent way. The ppdCreatePPDFromIPP2 function in libppd doesn't properly check or clean IPP attributes before writing them to a temporary PPD file. This means that a remote attacker, who has control of or has hijacked an exposed printer (through UPD or mDNS), could send a harmful IPP attribute and potentially insert malicious commands into the PPD file.
USN-7041-1 fixed a vulnerability in CUPS. This update provides the corresponding update for Ubuntu 16.04 LTS. Simone Margaritelli discovered that CUPS incorrectly sanitized IPP data when creating PPD files. A remote attacker could possibly use this issue to manipulate PPD files and execute arbitrary code when a printer is used.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-09-19 CVE Reserved
- 2024-09-26 CVE Published
- 2024-09-29 CVE Updated
- 2024-11-22 First Exploit
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
References (12)
| URL | Tag | Source |
|---|---|---|
| https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8 | X_refsource_misc | |
| https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47 | X_refsource_misc | |
| https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5 | X_refsource_misc | |
| https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6 | X_refsource_confirm | |
| https://www.cups.org | X_refsource_misc | |
| https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I | X_refsource_misc | |
| https://github.com/RickdeJager/cupshax | ||
| https://github.com/h2g2bob/ipp-server |
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/182767 | 2024-11-22 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-47175 | 2025-01-08 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2314256 | 2025-01-08 | |
| https://access.redhat.com/security/vulnerabilities/RHSB-2024-002 | 2025-01-08 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| OpenPrinting Search vendor "OpenPrinting" | Libppd Search vendor "OpenPrinting" for product "Libppd" | <= 2.1 Search vendor "OpenPrinting" for product "Libppd" and version " <= 2.1" | en |
Affected
| ||||||