CVE-2024-47076
published 2024-09-26


Priority: P277 high
CVSS 3.1: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N)
EXPLOIT
EPSS: 83.44% (99.6th percentile)

CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. The `cfGetPrinterAttributes5` function in `libcupsfilters` does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, attacker-controlled data can be passed on to the rest of the CUPS system.

Affected

30 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | cups-filters | < cups-filters 1.28.17-3+deb12u1 (bookworm) | cups-filters 1.28.17-3+deb12u1 (bookworm) |
| debian | libcupsfilters | < cups-filters 1.28.17-3+deb12u1 (bookworm) | cups-filters 1.28.17-3+deb12u1 (bookworm) |
| google | chrome_chrome | | |
| linuxfoundation | cups-filters | >= 0 < 1.28.7-1+deb11u3 | 1.28.7-1+deb11u3 |
| linuxfoundation | cups-filters | >= 0 < 1.28.17-3+deb12u1 | 1.28.17-3+deb12u1 |
| linuxfoundation | cups-filters | >= 0 < 1.28.17-5 | 1.28.17-5 |
| linuxfoundation | cups-filters | >= 0 < 1.28.17-5 | 1.28.17-5 |
| linuxfoundation | cups-filters | >= 0 < 1.27.4-1ubuntu0.4 | 1.27.4-1ubuntu0.4 |
| linuxfoundation | cups-filters | >= 0 < 1.27.4-1ubuntu0.3 | 1.27.4-1ubuntu0.3 |
| linuxfoundation | cups-filters | >= 0 < 1.28.15-0ubuntu1.4 | 1.28.15-0ubuntu1.4 |
| linuxfoundation | cups-filters | >= 0 < 1.28.15-0ubuntu1.3 | 1.28.15-0ubuntu1.3 |
| openprinting | cups | < 2.4.13 | 2.4.13 |
| openprinting | cups-browsed | <= 2.0.1 | |
| openprinting | cups-browsed | | |
| openprinting | libcupsfilters | <= 2.0.0 | |
| openprinting | libcupsfilters | | |
| openprinting | libcupsfilters | >= 0 < 2.0.0-3 | 2.0.0-3 |
| openprinting | libcupsfilters | >= 0 < 2.0.0-3 | 2.0.0-3 |
| paloalto | cloud_ngfw | | |
| paloalto | cortex_xdr | | |
| paloalto | cortex_xdr_agent | | |
| paloalto | cortex_xsiam | | |
| paloalto | cortex_xsoar | | |
| paloalto | globalprotect_app | | |
| paloalto | pan-os | | |

Detection & IOCs (extracted from sources)

port: UDP/631
path: /tmp/
process: foomatic-rip
sigma

```
process where host.os.type == "linux" and event.type == "start" and event.action == "exec"
  and process.parent.name == "foomatic-rip"
  and process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
  and not process.command_line like ("*/tmp/foomatic-*", "*-sDEVICE=ps2write*")
```

sigma

```
process where host.os.type == "linux" and event.type == "start" and event.action == "exec"
  and user.name == "lp"
  and process.parent.name in ("cupsd", "foomatic-rip", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
  and process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
  and not process.command_line like ("*/tmp/foomatic-*", "*-sDEVICE=ps2write*")
```

  • Monitor for foomatic-rip spawning any shell process (bash, dash, sh, tcsh, csh, zsh, ksh, fish) on Linux — this is highly uncommon in legitimate print operations and is a strong indicator of CVE-2024-47076/47177 exploitation.
  • Alert on any process execution by the `lp` user that spawns a shell; `lp` is the default printing account and is the execution context for arbitrary commands injected via FoomaticRIPCommandLine.
  • Detect file writes to /tmp/ by the `lp` user, as PoC exploits commonly write payloads there as a first-stage indicator.
  • Monitor for outbound network connections initiated by child processes of foomatic-rip, as legitimate print operations do not establish outbound connections.
  • Watch for unsolicited inbound UDP traffic on port 631 from external/untrusted sources — this is the initial attack vector used to trigger cups-browsed into issuing a Get-Printer-Attributes IPP request to an attacker-controlled URL.
  • The FoomaticRIPCommandLine PPD parameter is the injection point for arbitrary command execution; inspect PPD files written to disk for the presence of this directive with unexpected or encoded command strings.
  • CVE-2024-47076 specifically affects libcupsfilters ≤ 2.1b1; the function cfGetPrinterAttributes5 is the vulnerable code path that fails to validate/sanitize IPP attributes returned from an IPP server, allowing attacker-controlled data to flow into the rest of the CUPS system.
  • Exploitation of CVE-2024-47076 alone is insufficient for RCE; it must be chained with CVE-2024-47176 (cups-browsed UDP trust), CVE-2024-47175 (libppd PPD injection), and CVE-2024-47177 (foomatic-rip command execution) to achieve full remote code execution.
  • Exploitation requires user interaction (initiating a print job to the malicious printer) after the fake printer is installed; fully automated RCE without any user action is not part of the currently disclosed exploitation method.
  • The lp user does not have a login shell by default, which prevents interactive reverse shells via the standard technique, though creative tactics can still achieve this.
  • In BrowseRemoteProtocols, changing the value from the default 'dnssd cups' to 'dnssd' (removing 'cups') in /etc/cups/cups-browsed.conf mitigates the cups-browsed attack vector without fully disabling the service.
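
A check for the BrowseRemoteProtocols mitigation described above, as an added example (not code from this page or from the CUPS project). The function names and the sample config are constructed; it assumes the last uncommented directive wins, that directive names are case-insensitive, that `BrowseProtocols` also sets the remote list, and that a missing directive means the default 'dnssd cups' stated above.

```shell
#!/bin/sh
# Added example: does cups-browsed still accept legacy CUPS browsing?

# effective_browse_remote_protocols FILE
# Prints the effective remote protocol list, lower-cased.
# Assumptions: the last uncommented directive wins, directive names are
# case-insensitive, BrowseProtocols sets the remote list as well, and a
# missing directive means the default "dnssd cups" stated on this page.
effective_browse_remote_protocols() {
    awk '
        BEGIN { value = " dnssd cups" }
        /^[ \t]*#/ { next }                       # commented-out lines do not count
        tolower($1) == "browseremoteprotocols" || tolower($1) == "browseprotocols" {
            gsub(/,/, " ")                        # accept comma-separated tokens too
            value = ""
            for (i = 2; i <= NF; i++) value = value " " tolower($i)
        }
        END { sub(/^ /, "", value); print value }
    ' "$1"
}

# cups_browsing_enabled FILE
# Returns 0 when "cups" is in the effective list (mitigation NOT applied).
cups_browsing_enabled() {
    case " $(effective_browse_remote_protocols "$1") " in
        *" cups "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample config (not taken from a real host): the mitigated
# line is only present as a comment, so the active line still lists cups.
sample=$(mktemp)
printf '%s\n' '# BrowseRemoteProtocols dnssd' \
              'BrowseRemoteProtocols dnssd, CUPS' > "$sample"
if cups_browsing_enabled "$sample"; then
    echo "legacy CUPS browsing enabled: $(effective_browse_remote_protocols "$sample")"
else
    echo "mitigated: $(effective_browse_remote_protocols "$sample")"
fi
rm -f "$sample"
```

On a host, call `cups_browsing_enabled /etc/cups/cups-browsed.conf` and treat exit status 0 as "mitigation not applied".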

CVSS provenance

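| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N |
| osv | | 8.6 | HIGH | |
| vendor_debian | | 8.6 | HIGH | |
| vendor_redhat | | 8.6 | HIGH | |
| vendor_ubuntu | | 8.6 | HIGH | |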