
Cloud Vulnerability DB
A community-led vulnerability database
CUPS is a standards-based, open-source printing system, and cups-browsed contains network printing functionality, including auto-discovery of print services and shared printers. A critical vulnerability (CVE-2024-47176) was discovered in cups-browsed <= 2.0.1: the service binds to INADDR_ANY:631 and therefore trusts any packet from any source, and such a packet can trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL. When combined with other vulnerabilities (CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177), this enables remote code execution without authentication (NVD, GitHub Advisory).
The vulnerability chain involves multiple components. First, cups-browsed binds to UDP port 631 on all interfaces, accepting packets from any source. When it receives a specially crafted UDP packet, it connects to an attacker-controlled IPP server. The libcupsfilters component (CVE-2024-47076) fails to validate the IPP attributes returned from that server. The libppd component (CVE-2024-47175) does not sanitize these attributes when creating PPD files. Finally, the cups-filters component (CVE-2024-47177) allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter. The CVSS v3.1 base score is 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (GitHub Advisory).
An attacker can silently replace existing printers or install new ones with malicious configurations, resulting in arbitrary command execution when a print job is started. The vulnerability affects most UNIX systems including various Linux distributions, some BSDs, Google Chromium/ChromeOS, and Oracle Solaris. The issue is particularly concerning as it can be exploited from the public internet, potentially exposing numerous systems to remote attacks if their CUPS services are enabled (EvilSocket Blog).
The primary mitigation steps include: 1) Disable and remove the cups-browsed service if not needed, 2) Update the CUPS package on affected systems, 3) If the system cannot be updated and the service is required, block all traffic to UDP port 631 and possibly all DNS-SD traffic. For maximum security, consider removing all CUPS services, binaries, and libraries from systems that don't require printing capabilities (EvilSocket Blog, Red Hat Blog).
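To check a Linux host for the exposure described above (a UDP socket bound to INADDR_ANY on port 631), the following added example, which is not part of the original advisory, parses the kernel's `/proc/net/udp` table. The sample table is constructed and the function names are illustrative.

```python
import socket
import struct
from pathlib import Path

IPP_PORT = 631  # UDP port cups-browsed listens on

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23456 2 0000000000000000 0
  102: 0100007F:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23457 2 0000000000000000 0
  103: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000   115        0 23458 2 0000000000000000 0
"""


def decode_ipv4(hex_addr):
    """Decode a /proc/net/udp IPv4 address (assumes a little-endian host)."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def udp_listeners(proc_text, port=IPP_PORT):
    """Return one dict per UDP socket in proc_text that is bound to `port`."""
    found = []
    for line in proc_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        if int(port_hex, 16) != port:
            continue
        found.append({
            # IPv4 entries are 8 hex digits; IPv6 entries are left as raw hex.
            "address": decode_ipv4(addr_hex) if len(addr_hex) == 8 else addr_hex,
            "wildcard": set(addr_hex) == {"0"},  # 0.0.0.0 or ::
            "inode": int(fields[9]),  # map to a process via /proc/<pid>/fd
        })
    return found


def wildcard_binds(proc_text, port=IPP_PORT):
    """Sockets reachable on every interface: the exposure described above."""
    return [s for s in udp_listeners(proc_text, port) if s["wildcard"]]


if __name__ == "__main__":
    tables = [p.read_text() for p in map(Path, ("/proc/net/udp", "/proc/net/udp6")) if p.exists()]
    for sock in (s for t in (tables or [SAMPLE]) for s in wildcard_binds(t)):
        print(f"UDP {sock['address']}:{IPP_PORT} bound on all interfaces, inode {sock['inode']}")
```

A hit shows only that some process holds a wildcard socket on UDP 631; match the inode against `/proc/<pid>/fd` to confirm it belongs to cups-browsed, and rerun after disabling the service to verify the listener is gone.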
The vulnerability disclosure process for this issue was notably challenging, taking 22 days from initial report to public disclosure. The CUPS developers acknowledged the severity of the issue but noted the complexity of fixing certain components, particularly the FoomaticRIPCommandLine functionality, due to backward compatibility requirements with hundreds of older printer models (EvilSocket Blog).
Source: This report was generated using AI