RHSB-2024-002 - OpenPrinting cups-filters
Executive summary
Red Hat is aware of a group of vulnerabilities identified in OpenPrinting CUPS that affect all versions of Red Hat Enterprise Linux (RHEL). These issues are rated with a severity impact of Important or Moderate. As shipped in RHEL, the provided configuration of the service is vulnerable. However, this service is disabled by default.
CUPS is an open source printing system that provides tools to manage, discover, and share printers. If an attacker were able to use these vulnerabilities together, it could potentially lead to remote code execution as the unprivileged ‘lp’ user.
Five CVEs have been assigned: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177, and CVE-2024-47850.
Affected products
Important severity
The following Red Hat products are affected by CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47850:
Product | Status |
Red Hat Enterprise Linux 9 | Affected - Fixes will be made available for all active streams |
Red Hat Enterprise Linux 8 | Affected - Fixes will be made available for all active streams |
Red Hat Enterprise Linux 7 | Affected - Fixes will be made available for all active streams |
Red Hat Enterprise Linux 6 | Affected - Won’t fix, out of support scope |
Updates for all affected products
Product | Component(s) | Advisory/Update |
Red Hat Enterprise Linux 9 | cups-filters | RHSA-2024:7346 |
Red Hat Enterprise Linux 8 | cups-filters | RHSA-2024:7463 |
Red Hat Enterprise Linux 7 | cups-filters | RHSA-2024:7553 |
Moderate severity
The following Red Hat products are affected by CVE-2024-47177:
Product | Status |
Red Hat Enterprise Linux 9 | Affected - Fixes will be made available for supported streams |
Red Hat Enterprise Linux 8 | Affected - Fixes will be made available for supported streams |
Red Hat Enterprise Linux 7 | Affected - Won’t fix, out of support scope |
Red Hat Enterprise Linux 6 | Affected - Won’t fix, out of support scope |
Updates for all affected products
Check the CVE page for latest updates.
Technical details and background
Successful exploitation of these vulnerabilities requires certain conditions to be true. An attacker must advertise a malicious Internet Printing Protocol (IPP) service that is accessible by a victim. This can be on the public internet or within an internal trusted network. Advertising on an internal trusted network would require a successful breach of the network, either by being resident on another server or by having the ability to be resident with a malicious system, such as a laptop.
To achieve a successful attack, the victim must have the cups-browsed service running, which scans for available printers. This allows an attacker to automatically add a temporary printer definition from a malicious IPP server. At this point, the malicious IPP server can send arbitrary code back to the victim as a part of the printer definition which, when triggered, will execute as the unprivileged ‘lp’ user. The victim must attempt to print from the malicious device to execute the provided code.
Note: while this does permit remote code execution in this scenario, it is limited by the privileges of the ‘lp’ user. The ‘lp’ user cannot execute code as a privileged user or access properly-secured user data.
Important Severity
CVE-2024-47176 cups-browsed
CVE-2024-47076 cups-filters libcupsfilters
CVE-2024-47175 libppd cups cups-filters
CVE-2024-47850 cups-browsed cups-filters
Moderate Severity
CVE-2024-47177 cups-filters foomatic
Detection
To determine whether or not cups-browsed is running:
$ sudo systemctl status cups-browsed
If the output to this command indicates that the cups-browsed service is not installed or is inactive, the cups-browsed service is not running and cannot be tricked into connecting to a malicious IPP service.
If systemctl indicates that the service is “running” or “enabled”, examine /etc/cups/cups-browsed.conf and search for the “BrowseRemoteProtocols” directive. If this directive has the value “cups” in the configuration file, the system is vulnerable.
Vulnerable example: BrowseRemoteProtocols dnssd cups
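The configuration check described above can be scripted for use across many hosts. The following is an added example, not Red Hat tooling: the function names, the "review" and "missing" result labels, and the tolerant parsing (case-insensitive names, comma separators, any uncommented line counts) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not Red Hat's tooling); function names are hypothetical.

# Classify a cups-browsed.conf by its BrowseRemoteProtocols directive(s):
#   vulnerable - an uncommented directive lists "cups"
#   mitigated  - every uncommented directive is exactly "none"
#   review     - directive absent or another value; check by hand
#   missing    - file not readable (cups-browsed may not be installed)
classify_conf() {
    [ -r "$1" ] || { echo missing; return 0; }
    awk '
        { sub(/#.*/, ""); gsub(/,/, " ") }       # strip comments, allow commas
        tolower($1) == "browseremoteprotocols" { # assumption: name is case-insensitive
            seen = 1
            if (NF != 2 || tolower($2) != "none") not_none = 1
            for (i = 2; i <= NF; i++)
                if (tolower($i) == "cups") cups = 1
        }
        END {
            if (cups)                   print "vulnerable"
            else if (seen && !not_none) print "mitigated"
            else                        print "review"
        }
    ' "$1"
}

# One-word unit states from systemctl; empty when systemctl is unavailable.
service_state() {
    printf 'active=%s enabled=%s\n' \
        "$(systemctl is-active cups-browsed 2>/dev/null)" \
        "$(systemctl is-enabled cups-browsed 2>/dev/null)"
}

# Run as: ./check.sh --report [path-to-conf]
if [ "${1:-}" = "--report" ]; then
    service_state
    echo "config=$(classify_conf "${2:-/etc/cups/cups-browsed.conf}")"
fi
```

A "review" result means the file neither lists "cups" nor is set to "none", so the effective value should be confirmed by hand.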
Mitigation
Until patches are available, the recommended mitigation is to disable cups-browsed. As this impacts printer clients, this is the easiest solution and does not impact the ability to print to already-known printers. This can be done in a few ways.
Disable cups-browsed entirely:
$ sudo systemctl stop cups-browsed
$ sudo systemctl disable cups-browsed
If you prefer to keep cups-browsed running to automatically discover printers on your client system, you can prevent the vulnerability by making the following changes to the /etc/cups/cups-browsed.conf configuration file:
Mitigated example: BrowseRemoteProtocols none
And restarting cups-browsed:
$ sudo systemctl restart cups-browsed
Acknowledgements
Red Hat would like to thank Simone “EvilSocket” Margaritelli for discovering and reporting these vulnerabilities and Till Kamppeter (OpenPrinting) for additional coordination support.