cbcvebase.
CVE-2023-24805
published 2023-05-17

Priority: P261 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.70% (88.3th percentile)

cups-filters contains backends, filters, and other software required to get the CUPS printing service working on operating systems other than macOS. If you use the Backend Error Handler (beh) to create an accessible network printer, this security vulnerability can cause remote code execution. `beh.c` contains the line `retval = system(cmdline) >> 8;`, which calls the `system` command with the operand `cmdline`. `cmdline` contains multiple user-controlled, unsanitized values. As a result, an attacker with network access to the hosted print server can exploit this vulnerability to inject system commands, which are executed in the context of the running server. This issue has been addressed in commit `8f2740357` and is expected to be bundled in the next release. Users are advised to upgrade when possible and to restrict access to network printers in the meantime.
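
The shell-string pattern described above, next to an argument-vector alternative that never involves a shell. This is an added example, not code from cups-filters or from commit `8f2740357`; the function names, the `/bin/true` stand-in for a backend, and the constructed job-title string are assumptions.

```c
/* Added illustration: not taken from beh.c or from the upstream fix. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Shell-string pattern: prog and arg are pasted into one line that /bin/sh
 * parses, so metacharacters inside arg become shell syntax. */
int run_with_system(const char *prog, const char *arg)
{
    char cmdline[1024];
    int n = snprintf(cmdline, sizeof(cmdline), "%s %s", prog, arg);
    if (n < 0 || (size_t)n >= sizeof(cmdline))
        return -1;                      /* refuse truncated command lines */
    int status = system(cmdline);
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);         /* what the page's ">> 8" extracts */
}

/* Argument-vector form: no shell is involved; arg reaches the child as one
 * argv element, byte for byte. */
int run_with_execv(const char *prog, const char *arg)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, (char *)arg, NULL };
        execv(prog, argv);
        _exit(127);                     /* exec itself failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *title = "job-1; exit 7";   /* constructed sample value */
    printf("system(): %d\n", run_with_system("/bin/true", title));
    printf("execv():  %d\n", run_with_execv("/bin/true", title));
    return 0;
}
```

The first call returns 7 because the shell ran the text after the semicolon as its own command; the second returns 0 because the whole string reached `/bin/true` as a single argument.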

Affected

12 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | cups-filters | < cups-filters 1.28.17-3 (bookworm) | cups-filters 1.28.17-3 (bookworm) |
| debian | debian_linux | | |
| debian | debian_linux | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| linuxfoundation | cups-filters | < 2.0 | 2.0 |
| linuxfoundation | cups-filters | | |
| linuxfoundation | cups-filters | >= 0 < 1.28.7-1+deb11u2 | 1.28.7-1+deb11u2 |
| linuxfoundation | cups-filters | >= 0 < 1.28.17-3 | 1.28.17-3 |
| linuxfoundation | cups-filters | >= 0 < 1.28.17-3 | 1.28.17-3 |
| linuxfoundation | cups-filters | >= 0 < 1.28.17-3 | 1.28.17-3 |
| openprinting | cups-filters | <= 2.0rc1 | |

Detection & IOCs (extracted from sources)

path: beh.c
  • Monitor for unsanitized user-controlled input being passed to system() via the beh (Backend Error Handler) CUPS backend, which can allow injection of arbitrary OS commands executed in the context of the print server process.
  • Alert on specially crafted network traffic targeting the CUPS beh backend that causes the backend to stop responding or execute arbitrary code.
  • The fix is in commit 8f2740357; compare running cups-filters binaries/source against this commit to identify unpatched instances.
  • The vulnerability is only exploitable if the beh (Backend Error Handler) backend is used to create an accessible (network-exposed) printer. Installations not using beh or not exposing the print server to the network are not at risk.
  • Red Hat Enterprise Linux 7 is listed as Not Affected for this CVE.
  • Debian scopes this as 'local' despite the upstream advisory describing network-based exploitation; verify exposure model for your environment.

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |