# CUPS: Remote Code Execution via cups-browsed (CVE-2024-47076 and friends)

> Four chained CUPS flaws let an attacker register a malicious printer and gain RCE when a user prints to it.

*Published on September 27, 2024*

<Warning>
  **CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177.** Four flaws in CUPS and `cups-browsed`. RCE is not instant — it requires a user to print to the booby-trapped printer — but the surface is wide: any Linux server with `cups-browsed` enabled and port `631/UDP` reachable is a candidate.
</Warning>

## Why the perimeter is narrower than the headlines suggested

When this CVE bundle was disclosed, the headlines screamed "9.9 out of 10" and "critical Linux vulnerability". The reality is more nuanced:

1. The flaw is not exploitable without `cups-browsed` running.
2. `cups-browsed` is not installed by default on most production servers (it is a desktop-environment dependency, not a web-server one).
3. Even with `cups-browsed` running, **RCE only fires when a user prints to the malicious printer**.

That said, the risk does exist on machines that match the profile — Linux workstations, some development environments, containers built on "desktop" images — and exploitation is trivial once those conditions are met.

## The attack chain

CUPS listens on `631/UDP` when `cups-browsed` is active. The attacker sends an IPP (Internet Printing Protocol) packet announcing a remote printer. `cups-browsed` **automatically registers it** on the target server. From that point, the printer shows up in the system's printer list.

When a user prints to that printer (by mistake, by confusing it with a legitimate one, or because its name imitates a real printer), CUPS builds a print command from the IPP attributes the attacker provided. Some of those attributes are not validated: they can contain shell commands that get executed with the rights of the CUPS daemon.

## Are you affected?

Check two things on each host:

```bash
# 1. Is cups-browsed running?
systemctl is-active cups-browsed

# 2. What versions of CUPS / cups-filters are you running?
cups-config --version
cups-browsed --version
```

Vulnerable versions:

* `cups-browsed` ≤ 2.0.1
* `cups-filters` ≤ 2.0.1
* `libcupsfilters` ≤ 2.1b1
* `libppd` ≤ 2.1b1

## Mitigation

### Clean fix: disable cups-browsed if you do not need it

On a server, this is almost always the right move:

```bash
sudo systemctl disable --now cups-browsed
```

### Middle ground: restrict discovery

If `cups-browsed` must stay active, disable automatic discovery of remote printers through `BrowseRemoteProtocols`.

Edit `/etc/cups/cups-browsed.conf`:

```text
BrowseRemoteProtocols none
```

(Default value: `dnssd cups`.)

Then:

```bash
sudo systemctl restart cups-browsed
```

### Network layer

Block `631/UDP` on the firewall from the internet and from any shared, untrusted network.
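
To confirm that the mitigations in this section took effect, the following script (an added example, not part of the original page or of the CUPS project) reports whether anything is still bound to `631/UDP` and what `BrowseRemoteProtocols` resolves to. The function names and the `--live` switch are hypothetical; it reads only the `BrowseRemoteProtocols` directive named above and assumes the last uncommented occurrence wins.

```bash
#!/usr/bin/env bash
# Added example: audit helpers for the cups-browsed checks on this page.

# Print the effective BrowseRemoteProtocols value from a config file.
# Assumptions: the last uncommented directive wins, the name is matched
# case-insensitively, and an absent directive means the default the
# page states ("dnssd cups").
effective_browse_remote() {
    local conf=$1 value=""
    if [ -r "$conf" ]; then
        value=$(awk 'tolower($1) == "browseremoteprotocols" {
                         $1 = ""; sub(/^[ \t]+/, ""); v = tolower($0)
                     }
                     END { print v }' "$conf")
    fi
    printf '%s\n' "${value:-dnssd cups}"
}

# Return 0 if `ss -Huln` style output on stdin shows a UDP socket bound
# to port 631 on any address (IPv4 or IPv6).
udp631_bound() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:631$/) found = 1 }
         END { exit !found }'
}

# Combine both signals. $1 = config path, stdin = socket listing.
cups_browsed_verdict() {
    local proto
    proto=$(effective_browse_remote "$1")
    if ! udp631_bound; then
        echo "ok: nothing bound to 631/UDP"
    elif [ "$proto" = "none" ]; then
        echo "mitigated: 631/UDP bound, BrowseRemoteProtocols none"
    else
        echo "exposed: 631/UDP bound, BrowseRemoteProtocols=$proto"
    fi
}

# Live use on a host: ./audit.sh --live
if [ "${1:-}" = "--live" ]; then
    ss -Huln | cups_browsed_verdict /etc/cups/cups-browsed.conf
fi
```

An "ok" or "mitigated" verdict only covers the listener and discovery setting; the package versions listed under "Are you affected?" still need to be checked separately.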

## Patching

Track the patch status through your distribution:

* Ubuntu: follow the Ubuntu Security tracker for `cups-filters`.
* Debian: `apt list --upgradable | grep -i cups`.
* RHEL/AlmaLinux: `dnf check-update cups\*`.

## Wrap-up

On a typical production server (web, database, cache), you are probably unaffected. On a Linux workstation or a desktop-style container, check `cups-browsed`, disable it if you can, and patch otherwise.

For questions, open a ticket from your [OnetSolutions client area](https://onetsolutions.net).
