CVE-2024-47176
cups-browsed binds to `INADDR_ANY:631`, trusting any packet from any source
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
6Exploited in Wild
-Decision
Descriptions
CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL.
Due to the service binding to `*:631 ( INADDR_ANY )`, multiple bugs in `cups-browsed` can be exploited in sequence to introduce a malicious printer to the system. This chain of exploits ultimately enables an attacker to execute arbitrary commands remotely on the target machine without authentication when a print job is started. This poses a significant security risk over the network. Notably, this vulnerability is particularly concerning as it can be exploited from the public internet, potentially exposing a vast number of systems to remote attacks if their CUPS services are enabled.
CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.
A security issue was found in OpenPrinting CUPS.
The function ppdCreatePPDFromIPP2 in the libppd library is responsible for generating a PostScript Printer Description (PPD) file based on attributes retrieved from an Internet Printing Protocol (IPP) response. Essentially, it takes printer information, usually obtained via IPP, and creates a corresponding PPD file that describes the printer's capabilities (such as supported media sizes, resolutions, color modes, etc.).
PPD files are used by printing systems like CUPS (Common Unix Printing System) to communicate with and configure printers. They provide a standardized format that allows different printers to work with the printing system in a consistent way.
A security issue was discovered in OpenPrinting CUPS. The `cups-browsed` component is responsible for discovering printers on a network and adding them to the system. In order to do so, the service uses two distinct protocols. For the first one, the service binds on all interfaces on UDP port 631 and accepts a custom packet from any untrusted source. This is exploitable from outside the LAN if the computer is exposed on the public internet. The service also listens for DNS-SD / mDNS advertisements trough AVAHI. In both cases, when a printer is discovered by either the UDP packet or mDNS, its IPP or IPPS url is automatically contacted by cups-browsed and a `Get-Printer-Attributes` request is sent to it which can leak potentially sensitive system information to an attacker via the User-Agent header.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2024-09-19 CVE Reserved
- 2024-09-26 CVE Published
- 2024-09-27 First Exploit
- 2024-09-29 EPSS Updated
- 2024-10-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
- CWE-749: Exposed Dangerous Method or Function
- CWE-940: Improper Verification of Source of a Communication Channel
- CWE-1327: Binding to an Unrestricted IP Address
CAPEC
References (15)
| URL | Tag | Source |
|---|---|---|
| https://github.com/OpenPrinting/cups-browsed/blob/master/daemon/cups-browsed.c#L13992 | X_refsource_misc | |
| https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8 | X_refsource_confirm | |
| https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47 | X_refsource_misc | |
| https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5 | X_refsource_misc | |
| https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6 | X_refsource_misc | |
| https://www.cups.org | X_refsource_misc | |
| https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I | X_refsource_misc |
| URL | Date | SRC |
|---|---|---|
| https://github.com/pearlmansara/CVE-2024-47176-CUPS | 2024-10-02 | |
| https://github.com/workabhiwin09/CVE-2024-47176 | 2024-09-27 | |
| https://github.com/tonyarris/CVE-2024-47176-Scanner | 2024-09-27 | |
| https://github.com/mr-r3b00t/CVE-2024-47176 | 2024-09-29 | |
| https://github.com/aytackalinci/CVE-2024-47176 | 2024-09-28 | |
| https://github.com/nma-io/CVE-2024-47176 | 2024-09-29 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-47176 | 2024-10-03 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2314252 | 2024-10-03 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| OpenPrinting Search vendor "OpenPrinting" | Cups-browsed Search vendor "OpenPrinting" for product "Cups-browsed" | <= 2.0.1 Search vendor "OpenPrinting" for product "Cups-browsed" and version " <= 2.0.1" | en |
Affected
| ||||||