Published on September 27, 2024
CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177. Four flaws in CUPS and cups-browsed. RCE is not instant — it requires a user to print to the booby-trapped printer — but the surface is wide: any Linux server with cups-browsed enabled and port 631/UDP reachable is a candidate.

Why the perimeter is narrower than the headlines suggested

When this CVE bundle was disclosed, the headlines screamed “9.9 out of 10” and “critical Linux vulnerability”. The reality is more nuanced:
  1. The flaw is not exploitable without cups-browsed running.
  2. cups-browsed is not installed by default on most production servers (it is a desktop-environment dependency, not a web-server one).
  3. Even with cups-browsed running, RCE only fires when a user prints to the malicious printer.
That said, the risk does exist on machines that match the profile — Linux workstations, some development environments, containers built on “desktop” images — and exploitation is trivial once those conditions are met.

The attack chain

CUPS listens on 631/UDP when cups-browsed is active. The attacker sends an IPP (Internet Printing Protocol) packet announcing a remote printer. cups-browsed automatically registers it on the target server. From that point, the printer shows up in the system’s printer list. When a user prints to that printer (by mistake, by confusing it with a legitimate one, or because its name imitates a real printer), CUPS builds a print command from the IPP attributes the attacker provided. Some of those attributes are not validated: they can contain shell commands that get executed with the rights of the CUPS daemon.

Are you affected?

Check two things on each host:
# 1. Is cups-browsed running?
systemctl is-active cups-browsed

# 2. What versions of CUPS / cups-filters are you running?
cups-config --version
cups-browsed --version
Vulnerable versions:
  • cups-browsed ≤ 2.0.1
  • cups-filters ≤ 2.0.1
  • libcupsfilters ≤ 2.1b1
  • libppd ≤ 2.1b1

Mitigation

Clean fix: disable cups-browsed if you do not need it

On a server, this is almost always the right move:
sudo systemctl disable --now cups-browsed

Middle ground: restrict discovery

If cups-browsed must stay active, disable automatic discovery of remote printers through BrowseRemoteProtocols. Edit /etc/cups/cups-browsed.conf:
BrowseRemoteProtocols none
(Default value: dnssd cups.) Then:
sudo systemctl restart cups-browsed

Network layer

Block 631/UDP on the firewall from the internet and from any shared, untrusted network.
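
The three checks above (service state, BrowseRemoteProtocols, 631/UDP listener) can be combined into one host audit. The script below is an added example, not part of the original page or of CUPS. Its function names and verdict labels are hypothetical, and it assumes the last uncommented BrowseRemoteProtocols line in the file is the effective one.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Assumption: the last uncommented BrowseRemoteProtocols line is the effective one.

# Print the effective BrowseRemoteProtocols value for a cups-browsed.conf path.
effective_browse_protocols() {
    value=""
    if [ -r "$1" ]; then
        value=$(awk 'tolower($1) == "browseremoteprotocols" {
                         $1 = ""; sub(/^[ \t]+/, ""); v = tolower($0) }
                     END { print v }' "$1")
    fi
    # Directive absent or file missing: fall back to the default stated on this page.
    echo "${value:-dnssd cups}"
}

# Read `ss -H -uln` output on stdin; succeed only if 631/UDP is bound on a
# non-loopback address (a loopback-only socket is not reachable from the network).
udp631_bound() {
    awk '$4 ~ /:631$/ && $4 !~ /^(127\.|\[::1\])/ { hit = 1 } END { exit !hit }'
}

# Combine the three observations into one verdict line.
# $1 = output of `systemctl is-active cups-browsed`, $2 = protocols, $3 = yes|no
exposure_verdict() {
    if [ "$1" != "active" ]; then
        echo "OK: cups-browsed is not running"
    elif [ "$2" = "none" ]; then
        echo "RESTRICTED: cups-browsed active, remote discovery disabled"
    elif [ "$3" = "yes" ]; then
        echo "EXPOSED: cups-browsed active, discovery '$2', 631/UDP bound"
    else
        echo "REVIEW: cups-browsed active, discovery '$2', 631/UDP not bound"
    fi
}

# Collect the live values on the host being audited.
audit_host() {
    state=$(systemctl is-active cups-browsed 2>/dev/null || true)
    protos=$(effective_browse_protocols /etc/cups/cups-browsed.conf)
    if ss -H -uln 2>/dev/null | udp631_bound; then bound=yes; else bound=no; fi
    exposure_verdict "$state" "$protos" "$bound"
}

# Run the live audit only when asked to: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

An EXPOSED or REVIEW verdict still needs the package versions compared against the vulnerable list above; the script does not do that.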

Patching

Track the patch status through your distribution:
  • Ubuntu: follow the Ubuntu Security tracker for cups-filters.
  • Debian: apt list --upgradable | grep -i cups.
  • RHEL/AlmaLinux: dnf check-update cups\*.

Wrap-up

On a typical production server (web, database, cache), you are probably unaffected. On a Linux workstation or a desktop-style container, check cups-browsed, disable it if you can, patch otherwise. For questions, open a ticket from your OnetSolutions client area.