Opened 6 months ago

Closed 6 months ago

#20456 closed enhancement (fixed)

Fix CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177, and CVE-2024-47850 in cups-browsed/libppd/libcupsfilters/cups-filters

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: high
Milestone: 12.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

This has been quite the situation to read about. There exists a chain of critical security vulnerabilities in cups that can allow the system to be compromised without any user interaction, entirely over the network.

Most of the common mitigations list disabling cups-browsed as an option, but for users of IPP and dnssd printers, that isn't going to work very well. Instead, the best approach will be to mitigate that flaw by disabling the legacy CUPS support in cups-browsed; see https://gitlab.archlinux.org/archlinux/packaging/packages/cups-browsed/-/blob/4e5ddd505a67a91502381304db11862522178053/CVE-2024-47176.patch (that fixes CVE-2024-47176).

The mitigation that is mentioned, where you just disable cups-browsed, is inadequate because of two other security vulnerabilities that could still be exploited anyway through IPP.

Here's the initial email from Rainer this morning:


There seem to be vulnerabilities in CUPS that make some waves. [1][2][3]

Any SA planned?

Rainer

--
[1] https://www.theregister.com/2024/09/26/cups_linux_rce_disclosed/?td=rt-3a
[2] https://access.redhat.com/security/vulnerabilities/RHSB-2024-002
[3] https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

Ken's response:

The vulnerability is not in cups itself, but in cups-browsed. However, the reporter escalated it to say it could be combined with other vulnerabilities in cups to gain information leak and remote execution.

As Vulture Central (your first link above) suggested - simply disable cups-browsed.

Threads on oss-security start at https://www.openwall.com/lists/oss-security/2024/09/26/5

Full list of responses is at https://www.openwall.com/lists/oss-security/2024/09/

For cups-browsed see the link Alan Coopersmith pointed to: https://github.com/OpenPrinting/cups-browsed/commit/1debe6b140c

Meanwhile, I suppose

For cups itself, see attachment for v2.4.10 in https://www.openwall.com/lists/oss-security/2024/09/27/3

ĸen

My response:

Ouch. Thank you for bringing this up, I'll file a ticket and see what we can do. The Red Hat advisory mentions that no patches are available yet, but I did find a few at Arch and GitHub that we can apply. There are enough critical security issues that have been fixed over the past week or so (and still to be fixed in the book) that I'm going to send a separate mail to the lists advising users on what to do about them, especially since most of the updates which have been done need other actions to be taken at the same time to take effect.

These look quite serious in some use cases, such as when a user is running public WiFi. RCE without any user interaction is nasty. Not all users can disable cups-browsed, and disabling cups-browsed doesn't resolve the issues with IPP and foomatic which could still get exploited anyway outside of the chain.

Here are some more details:

CVE-2024-47176 (8.3 High - cups-browsed): Multiple bugs leading to info leak and remote code execution (has a public proof of concept) - https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8

CVE-2024-47076 (8.6 High - libcupsfilters): cfGetPrinterAttributes5 does not validate IPP attributes returned from an IPP server - https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5/ (Part of the exploit chain for CVE-2024-47176)

CVE-2024-47175 (8.6 High - libppd): ppdCreatePPDFromIPP2 does not sanitize IPP attributes when creating the PPD buffer - https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6 (Part of the exploit chain for CVE-2024-47176)

CVE-2024-47177 (9.0 Critical - cups-filters): Command injection via FoomaticRIPCommandLine - https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47 (proof of concept available as well)

We'll apply the following patches to fix these:

https://gitlab.archlinux.org/archlinux/packaging/packages/libcupsfilters/-/blob/8adeef368dbb1baa936383a37d8ee1040325665f/CVE-2024-47076.patch (libcupsfilters)

https://gitlab.archlinux.org/archlinux/packaging/packages/cups-browsed/-/blob/4e5ddd505a67a91502381304db11862522178053/CVE-2024-47176.patch (cups-browsed, disables cups browsing by default but lets dnssd work still)

https://github.com/OpenPrinting/libppd/commit/d681747ebf12602cb426725eb8ce2753211e2477 (libppd, fixes CVE-2024-47175)

No fix has been made for CVE-2024-47177 at this time. It's worth noting that another vulnerability was found in cups-filters as well, see https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-rq86-c7g6-r2h8 (though once we fix CVE-2024-47176, this won't apply anymore)


There are now proof-of-concept exploits for the others in the chain that operate independently of cups-browsed.
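The mitigation the description settles on (keep cups-browsed for dnssd printers, but turn off its legacy CUPS browsing) comes down to one directive in cups-browsed.conf. The following POSIX shell script is an added example, not code from this ticket or from the cups-browsed project: it audits a cups-browsed.conf for the legacy protocol, reports whether the host is still in the weak configuration, and prints the corrected directive. It assumes cups-browsed's BrowseRemoteProtocols directive with the keywords dnssd, cups and none, and that an unpatched build falls back to "dnssd cups" when the directive is absent; the sample configuration files it builds are constructed.

```shell
#!/bin/sh
# Added example, not from the ticket or the cups-browsed project: audit a
# cups-browsed.conf for the legacy CUPS browsing protocol that the
# CVE-2024-47176 patch turns off by default. Assumptions: the directive
# BrowseRemoteProtocols with protocol keywords "dnssd", "cups" and "none"
# is cups-browsed's own syntax; the unpatched built-in default is taken to
# be "dnssd cups"; the sample config files built below are constructed.

# Print the effective BrowseRemoteProtocols value of a config file. The last
# uncommented occurrence wins; when the directive is absent, fall back to
# $2 (the assumed built-in default of an unpatched cups-browsed).
effective_browse_remote_protocols() {
    conf=$1
    default=${2:-"dnssd cups"}
    protos=$(sed -n 's/^[[:space:]]*BrowseRemoteProtocols[[:space:]]\{1,\}//p' "$conf" | tail -n 1)
    [ -n "$protos" ] || protos=$default
    printf '%s\n' "$protos"
}

# Exit status 0 when the legacy "cups" protocol (UDP 631 browse packets) is
# enabled by the config, 1 otherwise. Keyword matching is case-insensitive.
legacy_cups_browsing_enabled() {
    for p in $(effective_browse_remote_protocols "$1" "$2"); do
        case $(printf '%s' "$p" | tr 'A-Z' 'a-z') in
            cups) return 0 ;;
        esac
    done
    return 1
}

# Print the corrected directive: the current value with "cups" removed, or
# "none" (assumed keyword) when nothing else was listed.
hardened_directive() {
    kept=
    for p in $(effective_browse_remote_protocols "$1" "$2"); do
        case $(printf '%s' "$p" | tr 'A-Z' 'a-z') in
            cups) ;;
            *) kept="$kept $p" ;;
        esac
    done
    kept=${kept# }
    printf 'BrowseRemoteProtocols %s\n' "${kept:-none}"
}

# Demonstration on constructed sample files so the script runs offline.
demo_dir=$(mktemp -d)
printf 'BrowseRemoteProtocols dnssd cups\n' > "$demo_dir/weak.conf"   # unpatched default, written out
printf '# directive left at its built-in default\n' > "$demo_dir/absent.conf"
printf 'BrowseRemoteProtocols dnssd\n' > "$demo_dir/fixed.conf"       # what the patch makes the default

for name in weak absent fixed; do
    conf=$demo_dir/$name.conf
    if legacy_cups_browsing_enabled "$conf"; then
        printf '%s: legacy CUPS browsing ENABLED; suggested line: %s\n' \
            "$name" "$(hardened_directive "$conf")"
    else
        printf '%s: legacy CUPS browsing disabled\n' "$name"
    fi
done
rm -rf "$demo_dir"
```

Run it against a real file by calling `legacy_cups_browsing_enabled /etc/cups/cups-browsed.conf`; pass `dnssd` as the second argument once the patched cups-browsed is installed, since the absent-directive default changes with the patch. The check only covers the configuration file, so it should be paired with confirming that the running cups-browsed was rebuilt with the patch.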

Change History (4)

comment:1 by Douglas R. Reno, 6 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: changed from new to assigned

comment:2 by Douglas R. Reno, 6 months ago

Summary: changed from "Fix CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177 in cups-browsed/libppd/libcupsfilters/cups-filters" to "Fix CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177, and CVE-2024-47850 in cups-browsed/libppd/libcupsfilters/cups-filters"

We now have an additional issue - a DDoS/amplification attack against cups-browsed:

CVE-2024-47850: cups-browsed can be made to endlessly spam HTTP requests to a chosen endpoint (7.5 High)

More details about that can be found at https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-rq86-c7g6-r2h8 and https://seclists.org/oss-sec/2024/q4/4

comment:3 by Douglas R. Reno, 6 months ago

Last edited 6 months ago by Douglas R. Reno

comment:4 by Douglas R. Reno, 6 months ago

Resolution: fixed
Status: changed from assigned to closed

SA-12.2-022 issued
