Linux RCE Exploited in the Wild via CUPS Print Scheduler Before Disclosure

Quick Report

A high-profile vulnerability, given a CVSS score of 9.9 by RHEL and Canonical, affects a widely used print server installed by default on many Linux and UNIX systems. The exploit discovered is a remote code execution vulnerability in the CUPS Print Scheduler that allows attackers to run arbitrary code on the system without any user interaction.

Summary of the vulnerability:

CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL.
CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system.
CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD.
CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.
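
A defensive audit for two of the conditions listed above, added here as an example and not taken from the report or its sources: it flags a UDP listener bound to every interface on port 631 (CVE-2024-47176) and lists `FoomaticRIPCommandLine` directives in a PPD for review (CVE-2024-47177). The function names, the sample `ss -H -lun` output and the PPD fragment are constructed for illustration.

```python
import re

# Constructed sample of `ss -H -lun` output (not captured from a real host).
SAMPLE_SS = """\
UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
UNCONN 0 0 [::]:5353 [::]:*
"""

# Constructed PPD fragment; the command string is a harmless placeholder.
SAMPLE_PPD = """\
*PPD-Adobe: "4.3"
*FoomaticRIPCommandLine: "PLACEHOLDER-COMMAND"
*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"
"""

# Local addresses that mean "all interfaces" in ss output (INADDR_ANY and IPv6 any).
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]"}


def wildcard_udp_listeners(ss_output, port=631):
    """Return local endpoints bound to every interface on the given UDP port."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # not a socket row
        addr, _, local_port = fields[3].rpartition(":")
        if local_port == str(port) and addr in WILDCARD_ADDRS:
            hits.append(fields[3])
    return hits


# Legitimate Foomatic PPDs also set this keyword, so every hit needs manual review.
# Only the first line of a multi-line quoted value is captured.
FOOMATIC_RE = re.compile(r'^\*FoomaticRIPCommandLine\s*:\s*"?(.*?)"?\s*$')


def foomatic_command_lines(ppd_text):
    """Return (line_number, value) for each FoomaticRIPCommandLine directive."""
    found = []
    for number, line in enumerate(ppd_text.splitlines(), start=1):
        match = FOOMATIC_RE.match(line)
        if match:
            found.append((number, match.group(1)))
    return found


if __name__ == "__main__":
    print("wildcard UDP 631:", wildcard_udp_listeners(SAMPLE_SS))
    print("PPD directives to review:", foomatic_command_lines(SAMPLE_PPD))
```

On a real host, pass the actual output of `ss -H -lun` and the text of each installed PPD file in place of the constructed samples.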

Source(s)

  • TPU
  • Evil Socket
  • GitHub Gist
  • Shodan.io