RHSB-2024-002 - OpenPrinting cups-filters
Updated
Was this information helpful?
Was this information helpful?
Red Hat is aware of a group of vulnerabilities identified in OpenPrinting CUPS that affect all versions of Red Hat Enterprise Linux (RHEL). These issues are rated with a severity impact of Important or Moderate. As shipped in RHEL, the provided configuration of the service is vulnerable. However, this service is disabled by default.
CUPS is an open source printing system that provides tools to manage, discover, and share printers. Together, if an attacker were able to use these vulnerabilities, it could potentially lead to remote code execution as the unprivileged ‘lp’ user.
Five CVEs have been assigned: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177, and CVE-2024-47850.
Important severity
The following Red Hat products are affected by CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47850:
Red Hat Enterprise Linux 9 |
Affected - Fixes will be made available for all active streams |
Red Hat Enterprise Linux 8 |
Affected - Fixes will be made available for all active streams |
Red Hat Enterprise Linux 7 |
Affected - Fixes will be made available for all active streams |
Red Hat Enterprise Linux 6 |
Affected - Won’t fix, out of support scope |
Product | Component(s) | Advisory/Update |
Red Hat Enterprise Linux 9 | cups-filters | RHSA-2024:7346 |
Red Hat Enterprise Linux 8 | cups-filters | RHSA-2024:7463 |
Red Hat Enterprise Linux 7 | cups-filters | RHSA-2024:7553 |
Moderate severity
The following Red Hat products are affected by CVE-2024-47177:
Red Hat Enterprise Linux 9 |
Affected - Fixes will be made available for supported streams |
Red Hat Enterprise Linux 8 |
Affected - Fixes will be made available for supported streams |
Red Hat Enterprise Linux 7 |
Affected - Won’t fix, out of support scope |
Red Hat Enterprise Linux 6 |
Affected - Won’t fix, out of support scope |
Check the CVE page for latest updates.
The circumstances required to successfully exploit these vulnerabilities require certain conditions to be true. An attacker must advertise a malicious Internet Printing Protocol (IPP) service that is accessible by a victim. This can be on the public internet or within an internal trusted network. Advertising on an internal trusted network would require a successful breach of the network, by being resident on another server, or having the ability to be resident with a malicious system, such as a laptop.
To achieve a successful attack, the victim must have the cups-browsed service running, which scans for available printers. This allows an attacker to automatically add a temporary printer definition from a malicious IPP server. At this point, the malicious IPP server can send arbitrary code back to the victim as a part of the printer definition which, when triggered, will execute as the unprivileged ‘lp’ user. The victim must attempt to print from the malicious device to execute the provided code.
Note: while this does permit remote code execution in this scenario, it is limited by the privileges of the ‘lp’ user. The ‘lp’ user cannot execute code as a privileged user or access properly-secured user data.
Important Severity
CVE-2024-47176 cups-browsed
CVE-2024-47076 cups-filters libcupsfilters
CVE-2024-47175 libppd cups cups-filters
CVE-2024-47850 cups-browsed cups-filters
Moderate Severity
CVE-2024-47177 cups-filters foomatic
To determine whether or not cups-browsed is running:
$ sudo systemctl status cups-browsed
If the output to this command indicates that the cups-browsed service is not installed or is inactive, the cups-browsed service is not running and cannot be tricked into connecting to a malicious IPP service.
If systemctl indicates that the service is “running” or “enabled”, examine /etc/cups/cups-browsed.conf and search for the “BrowseRemoteProtocols” directive. If this directive has the value “cups” in the configuration file, the system is vulnerable.
Vulnerable example: BrowseRemoteProtocols dnssd cups
Until patches are available, the recommended mitigation is to disable cups-browsed. As this impacts printer clients, this is the easiest solution and does not impact the ability to print to already-known printers. This can be done in a few ways.
Disable cups-browsed entirely:
$ sudo systemctl stop cups-browsed
$ sudo systemctl disable cups-browsed
If you prefer to keep cups-browsed running to automatically discover printers on your client system, you can prevent the vulnerability by making the following changes to the /etc/cups/cups-browsed.conf configuration file:
Mitigated example: BrowseRemoteProtocols none
And restarting cups-browsed:
$ sudo systemctl restart cups-browsed
Red Hat would like to thank Simone “EvilSocket” Margaritelli for discovering and reporting these vulnerabilities and Till Kamppeter (OpenPrinting) for additional coordination support.
Comments