Sep 26, 2024, 07:01 PM
Doomsday '9.9 RCE bug'
by Shy_Guy - Thursday September 26, 2024 at 07:01 PM
Sep 27, 2024, 09:59 PM
Here is the update I have on this if anyone else is interested:
CUPS may use "filters", executables that can be used to convert documents. The part responsible ("cups-filters") accepts unverified data that may then be executed as part of a filter operation. An attacker can use this vulnerability to inject a malicious "printer". The malicious code is triggered once a user uses this printer to print a document.

This has little or no impact if CUPS is not listening on port 631, and the system is not used to print documents (like most servers). An attacker may, however, be able to trigger the print operation remotely. On the local network, this is exploitable via DNS service discovery. A proof of concept exploit has been made available.

There is no patch right now. Disable and remove cups-browsed (you probably do not need it anyway). Update CUPS as updates become available. Stop UDP traffic on Port 631.

For a lot more details, see: https://www.evilsocket.net/2024/09/26/At...PS-Part-I/

The Vulnerabilities

CVE-2024-47176
This is a vulnerability in cups-browsed (up to version 2.0.1). This daemon listens for UDP packets on port 631. cups-browsed uses DNS service discovery to automatically discover printers and make them available to the user. As part of the exchange with printers, it will receive various URLs that it may use to retrieve additional information. These URLs are not properly validated, allowing attackers to trick cups-browsed into requesting arbitrary URLs.

CVE-2024-47076
libcupsfilters (up to version 2.1b1) replaces an older filter architecture. It could be used to modify ("filter") files to adjust formats to make them printable on a specific printer. Like the prior issue, it is subject to the attacker providing malicious data that will be passed to other CUPS components.

CVE-2024-47115
libppd (up to version 2.1b1) also does not validate IPP attributes and adds them to the PPD file that is then passed to drivers and other components.

CVE-2024-47177
cups-filters (2.0.1) is the part that will allow the arbitrary command execution triggered by invalid PPD parameters. cups-filters executes external code ("filters") to convert files. Accepting data from unverified external sources, arbitrary code may be executed. In particular, the "foomatic-rip" filter allows the attacker to provide an arbitrary command line.
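Added example, not part of the thread or of any poster's code: a host-side check for the exposure the post above describes (something bound to UDP port 631, typically cups-browsed). The function names and the sample `ss` lines are constructed for illustration; on a live host, feed it `ss -H -ulpn` run as root so process names are visible.

```shell
#!/bin/sh
# Added example. Function names and SAMPLE_SS are constructed, not from the thread.

# Read `ss -ulpn` output on stdin; print one line per socket bound to UDP 631:
#   EXPOSED|LOOPBACK <local address> <process name or "unknown">
udp631_listeners() {
    awk '
    {
        local = ""
        # The local address is the first field ending in a numeric port;
        # the peer column of an unconnected UDP socket ends in ":*".
        for (i = 1; i <= NF; i++)
            if ($i ~ /:[0-9]+$/) { local = $i; break }
        if (local !~ /:631$/) next

        proc = "unknown"        # ss omits users:(...) when not run as root
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)

        # Loopback-only binds are not reachable from the network.
        scope = (local ~ /^(127\.|\[::1\])/) ? "LOOPBACK" : "EXPOSED"
        print scope, local, proc
    }'
}

# Exit status 0 when nothing on UDP 631 is reachable from the network.
udp631_clean() {
    ! udp631_listeners | grep -q '^EXPOSED'
}

# Constructed sample of `ss -H -ulpn` output.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=800,fd=12))
UNCONN 0 0 127.0.0.1:631 0.0.0.0:*
UNCONN 0 0 [::]:1631 [::]:* users:(("other",pid=9,fd=3))'

printf '%s\n' "$SAMPLE_SS" | udp631_listeners
# Live host (as root): ss -H -ulpn | udp631_listeners
```

An `EXPOSED` line naming cups-browsed is the case the post's advice covers: disable the service and block inbound UDP 631.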
Sep 27, 2024, 10:20 PM
it's real, and it's been posted already,
either way nice thread!
Sep 28, 2024, 06:01 AM
yes scary bug, dangerous
Sep 30, 2024, 10:48 PM
Oct 02, 2024, 12:04 AM
cupshax looks cool joepa!
Oct 02, 2024, 04:18 AM
That's crazy, gonna read through this.
