{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-103.pdf"
    },
    "title": "Critical Vulnerabilities in CUPS",
    "serial_number": "2024-103",
    "publish_date": "12-12-2024 10:28:44",
    "description": "On September 26, 2024, a security researched released a blog post describing several vulnerabilities in CUPS, one of which being critical, allowing an attacker to replace existing printers' IPP URLs with a malicious one, resulting in a potential arbitrary command execution.<br>\n",
    "url_title": "2024-103",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in CUPS'\nnumber: '2024-103'\nversion: '1.0'\noriginal_date: 'September 26, 2024'\ndate: 'September 27, 2024'\n---\n\n_History:_\n\n* _27/09/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn September 26, 2024, a security researched released a blog post describing several vulnerabilities in CUPS, one of which being critical, allowing an attacker to replace existing printers' IPP URLs with a malicious one, resulting in a potential arbitrary command execution [1].\n\n# Technical details\n\nBy chaining the vulnerabilities (**CVE-2024-47076**, **CVE-2024-47175**, **CVE-2024-47176** and **CVE-2024-47177**) together, an attacker could potentially achieve remote code execution [1].\n\nExploitation of these vulnerabilities is possible through the following chain of events:\n\n1. The `cups-browsed` service has been enabled or started.\n2. An attacker has access to a vulnerable server, which:\n    - allows unrestricted access, such as the public internet, or\n    - gains access to an internal network where local connections are trusted.\n3. Attacker advertises a malicious IPP server, thereby provisioning a malicious printer.\n4. A potential victim attempts to print using the malicious device.\n5. Attempted printing allows the attacker to execute arbitrary code on the victim\u2019s machine.\n\n# Affected products\n\nThis group of vulnerabilities affects most of the Linux systems.\n\nYou can determine if `cups-browsed` is running by running the following command:\n\n```\nsudo systemctl status cups-browsed\n```\n\n# Recommendations\n\nCERT-EU recommends reviewing and applying the patches from Linux distribution security bulletins, including but not limited to:\n\n- Ubuntu [2]\n- RedHat [3]\n\nCERT-EU also recommends to disable the `cups-browsed` service in any environment where printing is not needed, or patches are not yet available, using the following commands:\n\n```\nsudo systemctl stop cups-browsed\nsudo systemctl disable cups-browsed\n```\n\n# References\n\n[1] <https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/>\n\n[2] <https://ubuntu.com/security/notices/USN-7042-1>\n\n[3] <https://www.redhat.com/en/blog/red-hat-response-openprinting-cups-vulnerabilities>",
    "content_html": "<p><em>History:</em></p><ul><li><em>27/09/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On September 26, 2024, a security researched released a blog post describing several vulnerabilities in CUPS, one of which being critical, allowing an attacker to replace existing printers' IPP URLs with a malicious one, resulting in a potential arbitrary command execution [1].</p><h2 id=\"technical-details\">Technical details</h2><p>By chaining the vulnerabilities (<strong>CVE-2024-47076</strong>, <strong>CVE-2024-47175</strong>, <strong>CVE-2024-47176</strong> and <strong>CVE-2024-47177</strong>) together, an attacker could potentially achieve remote code execution [1].</p><p>Exploitation of these vulnerabilities is possible through the following chain of events:</p><ol><li>The <code>cups-browsed</code> service has been enabled or started.</li><li>An attacker has access to a vulnerable server, which: <ul><li>allows unrestricted access, such as the public internet, or</li><li>gains access to an internal network where local connections are trusted.</li></ul></li><li>Attacker advertises a malicious IPP server, thereby provisioning a malicious printer.</li><li>A potential victim attempts to print using the malicious device.</li><li>Attempted printing allows the attacker to execute arbitrary code on the victim\u2019s machine.</li></ol><h2 id=\"affected-products\">Affected products</h2><p>This group of vulnerabilities affects most of the Linux systems.</p><p>You can determine if <code>cups-browsed</code> is running by running the following command:</p><pre><code>sudo systemctl status cups-browsed\n</code></pre><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends reviewing and applying the patches from Linux distribution security bulletins, including but not limited to:</p><ul><li>Ubuntu [2]</li><li>RedHat [3]</li></ul><p>CERT-EU also recommends to disable the <code>cups-browsed</code> service in any environment where printing is not needed, or patches are not yet available, using the following commands:</p><pre><code>sudo systemctl stop cups-browsed\nsudo systemctl disable cups-browsed\n</code></pre><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/\">https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://ubuntu.com/security/notices/USN-7042-1\">https://ubuntu.com/security/notices/USN-7042-1</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.redhat.com/en/blog/red-hat-response-openprinting-cups-vulnerabilities\">https://www.redhat.com/en/blog/red-hat-response-openprinting-cups-vulnerabilities</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}