Several critical vulnerabilities affecting the CUPS server on UNIX systems were discovered and disclosed today. The researcher who discovered them published a technical report at https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
The vulnerabilities are listed below:
- CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
- CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system.
- CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data in the resulting PPD.
- CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.
The impact is very high because an attacker can replace a printer, resulting in arbitrary remote command execution (RCE).
Are Bitnami applications affected? Are Tanzu Application Catalog applications affected? No.
No applications packaged by Bitnami or by our enterprise version, VMware Tanzu Application Catalog, are affected: none of our containers, Helm charts, OVAs or Cloud Images ship the CUPS server or packages. For OVAs and Cloud Images, in addition to the server not being installed by default, the firewall does not expose the default CUPS port.
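CVE-2024-47176 depends on a listener bound to UDP INADDR_ANY:631, so the same "not exposed" condition can be checked on any host. The script below is an added example, not part of the original advisory: it classifies UDP port 631 listeners from `ss -H -uln` output. The function names and the sample input are constructed for illustration, and the column layout of `ss` (local address in field 4) is an assumption.

```shell
#!/usr/bin/env bash
# Classify UDP listeners on port 631 from `ss -H -uln` output read on stdin.
# Assumption: fields are "State Recv-Q Send-Q Local:Port Peer:Port".
# Output, one line per matching socket: "<class> <local-address>"
#   exposed  - wildcard bind (0.0.0.0, *, [::]), i.e. INADDR_ANY
#   loopback - 127.0.0.0/8 or [::1]
#   specific - one interface address; reachability depends on the firewall
# The port alone does not identify the process; confirm the owner with `ss -ulnp`.
classify_udp631() {
    awk '
    {
        local_addr = $4
        n = split(local_addr, parts, ":")
        port = parts[n]                      # last ":"-separated piece is the port
        if (port != "631") next
        host = substr(local_addr, 1, length(local_addr) - length(port) - 1)
        sub(/%.*$/, "", host)                # drop interface scope, e.g. %eth0
        if (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::")
            cls = "exposed"
        else if (host ~ /^127\./ || host == "[::1]" || host == "::1")
            cls = "loopback"
        else
            cls = "specific"
        print cls, local_addr
    }'
}

# Succeeds (exit 0) when stdin shows no wildcard-bound UDP/631 listener.
udp631_not_exposed() {
    ! classify_udp631 | grep -q '^exposed '
}

# Constructed sample of `ss -H -uln` output (not captured from a real host).
SAMPLE_SS_OUTPUT='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.1:631 0.0.0.0:*
UNCONN 0 0 [::]:5353 [::]:*
UNCONN 0 0 192.0.2.10%eth0:631 0.0.0.0:*'

# Live use on a host:
#   ss -H -uln | classify_udp631
#   ss -H -uln | udp631_not_exposed && echo "no wildcard UDP/631 listener"
```

A clean result only covers the local socket table; package presence and firewall rules still need their own checks.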