Red Hat’s response to OpenPrinting CUPS vulnerabilities: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177

TL;DR: All versions of Red Hat Enterprise Linux (RHEL) are affected by CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, but are not vulnerable in their default configurations.

Red Hat has been made aware of a group of vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177) within OpenPrinting CUPS, an open source printing system that is prevalent in most modern Linux distributions, including RHEL. Specifically, CUPS provides tools to manage, discover and share printers for Linux distributions. By chaining this group of vulnerabilities together, an attacker could potentially achieve remote code execution which could then lead to theft of sensitive data and/or damage to critical production systems.

Red Hat rates these issues with a severity impact of Important. While all versions of RHEL are affected, it is important to note that affected packages are not vulnerable in their default configuration. At this time, there are four CVEs assigned to these vulnerabilities, but the exact number is still being coordinated with the upstream community and the researcher who discovered the problem.

Exploitation

Exploitation of these vulnerabilities is possible through the following chain of events:

1. The cups-browsed service has manually been enabled or started
2. An attacker has access to a vulnerable server, which :
   1. Allows unrestricted access, such as the public internet, or
   2. Gains access to an internal network where local connections are trusted
3. Attacker advertises a malicious IPP server, thereby provisioning a malicious printer
4. A potential victim attempts to print from the malicious device
5. Attacker executes arbitrary code on victim’s machine

Detection

Red Hat customers should use the following command to determine if cups-browsed is running:

$ sudo systemctl status cups-browsed

If the result includes “Active: inactive (dead)” then the exploit chain is halted and the system is not vulnerable

If the result is “running” or “enabled,”and the “BrowseRemoteProtocols” directive contains the value “cups” in the configuration file /etc/cups/cups-browsed.conf, then the system is vulnerable.

Mitigation

Mitigation of these vulnerabilities is as simple as running two commands, especially in any environment where printing is not needed.

To stop a running cups-browsed service, an administrator should use the following command:

$ sudo  systemctl stop cups-browsed

The cups-browsed service can also be prevented from starting on reboot with:

$ sudo systemctl disable cups-browsed

Red Hat and the broader Linux community are currently working on patches to address these issues as well.

Acknowledgements

Red Hat would like to thank Simone “EvilSocket” Margaritelli for discovering and reporting these vulnerabilities and Till Kamppeter (OpenPrinting) for additional coordination support.

For more information

Read the Red Hat Security Bulletin on these vulnerabilities