CVE vulnerabilities announced for CUPS

There has been an announcement of several linked CVE vulnerabilities for CUPS.

CVE-2024-47076 (libcupsfilters)
CVE-2024-47175 (libppd)
CVE-2024-47176 (cups-browsed)
CVE-2024-47177 (cups-filters)

https://www.tenable.com/blog/cve-2024-47076-cve-2024-47175-cve-2024-47176-cve-2024-47177-faq-cups-vulnerabilities

The exploitation of the vulnerability requires a chained combination of the packages linked to each CVE.

IPFire does not have libppd installed or available.

Currently there are no fix patches available for these CVEs…

The mitigation for the vulnerability is the following.

  1. If you have opened port 631 to the internet, then close it. This is good security practice anyway as the protocol using that port is not authenticated and should not really be opened up to the wider internet.
    With the port closed then any attacker would have to have access directly on your local LAN to be able to attempt the attack.
  2. By default cups-browsed is not turned on, although it is installed. If you have turned cups-browsed on then turn it off.
    Run the command /etc/rc.d/init.d/cups-browsed status to see if it is running or not.
    Then delete the cups-browsed binary at
    /usr/sbin/cups-browsed
  3. Don’t print to an unknown printer that appears in the list of printers available. The vulnerability requires a user to select the printer that has been created.

I will submit a patch that removes the cups-browsed binary from the rootfile list of installed programs.

As soon as fix patches are provided they will be updated in IPFire.

4 Likes
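The three mitigation steps in the post above can be checked with a short audit script. This is an added example, not part of the original post or of IPFire; it assumes iproute2 `ss` and procps `pgrep` are available, and the function names and sample socket listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a host against the mitigation steps in the post above.
# Assumes iproute2 `ss` and procps `pgrep`; BROWSED_BIN is the path from the post.
BROWSED_BIN="${BROWSED_BIN:-/usr/sbin/cups-browsed}"

# Constructed sample of `ss -H -lntu` output (not captured from a real system).
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 128 [::1]:631 [::]:*
tcp LISTEN 0 128 0.0.0.0:6310 0.0.0.0:*
tcp LISTEN 0 128 192.168.1.1:631 0.0.0.0:*'

# Step 1: print "proto local-address" for every socket on port 631 that is
# not bound to loopback, i.e. reachable from the LAN or beyond.
exposed_631() {
    printf '%s\n' "$1" | awk '
        $5 ~ /:631$/ && $5 !~ /^(127\.|\[::1\])/ { print $1, $5 }'
}

# Step 2: the binary should be gone and no cups-browsed process running.
browsed_present() { [ -e "$BROWSED_BIN" ]; }
browsed_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x cups-browsed >/dev/null 2>&1
}

# Run all checks against the given `ss` output; return 0 only if clean.
audit() {
    rc=0
    exposed=$(exposed_631 "$1")
    if [ -n "$exposed" ]; then
        echo "FAIL: port 631 bound on a non-loopback address:"
        echo "$exposed"
        rc=1
    fi
    if browsed_present; then echo "FAIL: $BROWSED_BIN still exists"; rc=1; fi
    if browsed_running; then echo "FAIL: cups-browsed is running"; rc=1; fi
    if [ "$rc" -eq 0 ]; then echo "OK: mitigations in place"; fi
    return "$rc"
}

# Demo on the constructed sample; on a live system use: audit "$(ss -H -lntu)"
audit "$SAMPLE_SS" || echo "mitigation incomplete"
```

A socket listing only shows what is bound locally; whether port 631 is reachable from the internet still depends on the firewall rules, which this script does not inspect.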

CUPS, Samba and D-Bus are services I don’t recommend running on IPFire. These packages are purposely removed from Linux web hosting servers because of the potential security exploits.

Additional information

Some don’t realise that CUPS is the generic print system. I haven’t run CUPS since the dot matrix printer days. I use HP printers, so I have HPLIP installed instead of CUPS. But yes, I find it interesting that even today it’s still installed by default.

CUPS is not installed by default on IPFire. It is an add-on and can be installed on its own or as a dependency of Samba.

2 Likes

You don’t need Avahi with Samba either because IPFire has a name server.

I don’t know why Samba would need CUPS anyways because they are two different things.

But I think putting any file share system on a router is a dumb idea.