CVE-2024-47076
Published: 2024-09-26
Priority: P2 · 77 · high · CVSS 3.1: 8.6
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
EXPLOIT
EPSS: 83.44% (99.6th percentile)
CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. The `cfGetPrinterAttributes5` function in `libcupsfilters` does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, this can lead to attacker controlled data to be provided to the rest of the CUPS system.
Affected
30 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | cups-filters | < cups-filters 1.28.17-3+deb12u1 (bookworm) | cups-filters 1.28.17-3+deb12u1 (bookworm) |
| debian | libcupsfilters | < cups-filters 1.28.17-3+deb12u1 (bookworm) | cups-filters 1.28.17-3+deb12u1 (bookworm) |
| chrome_chrome | — | — | |
| linuxfoundation | cups-filters | >= 0 < 1.28.7-1+deb11u3 | 1.28.7-1+deb11u3 |
| linuxfoundation | cups-filters | >= 0 < 1.28.17-3+deb12u1 | 1.28.17-3+deb12u1 |
| linuxfoundation | cups-filters | >= 0 < 1.28.17-5 | 1.28.17-5 |
| linuxfoundation | cups-filters | >= 0 < 1.28.17-5 | 1.28.17-5 |
| linuxfoundation | cups-filters | >= 0 < 1.27.4-1ubuntu0.4 | 1.27.4-1ubuntu0.4 |
| linuxfoundation | cups-filters | >= 0 < 1.27.4-1ubuntu0.3 | 1.27.4-1ubuntu0.3 |
| linuxfoundation | cups-filters | >= 0 < 1.28.15-0ubuntu1.4 | 1.28.15-0ubuntu1.4 |
| linuxfoundation | cups-filters | >= 0 < 1.28.15-0ubuntu1.3 | 1.28.15-0ubuntu1.3 |
| openprinting | cups | < 2.4.13 | 2.4.13 |
| openprinting | cups-browsed | <= 2.0.1 | — |
| openprinting | cups-browsed | — | — |
| openprinting | libcupsfilters | <= 2.0.0 | — |
| openprinting | libcupsfilters | — | — |
| openprinting | libcupsfilters | >= 0 < 2.0.0-3 | 2.0.0-3 |
| openprinting | libcupsfilters | >= 0 < 2.0.0-3 | 2.0.0-3 |
| paloalto | cloud_ngfw | — | — |
| paloalto | cortex_xdr | — | — |
| paloalto | cortex_xdr_agent | — | — |
| paloalto | cortex_xsiam | — | — |
| paloalto | cortex_xsoar | — | — |
| paloalto | globalprotect_app | — | — |
| paloalto | pan-os | — | — |
Detection & IOCs (extracted from sources)
sigma
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "foomatic-rip" and process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not process.command_line like ("*/tmp/foomatic-*", "*-sDEVICE=ps2write*")
sigma
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "lp" and process.parent.name in ("cupsd", "foomatic-rip", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not process.command_line like ("*/tmp/foomatic-*", "*-sDEVICE=ps2write*")
- Monitor for foomatic-rip spawning any shell process (bash, dash, sh, tcsh, csh, zsh, ksh, fish) on Linux — this is highly uncommon in legitimate print operations and is a strong indicator of CVE-2024-47076/47177 exploitation.
- Alert on any process execution by the `lp` user that spawns a shell; the lp user is the default printing group and will be the execution context for arbitrary commands injected via FoomaticRIPCommandLine.
- Detect file writes to /tmp/ by the `lp` user, as PoC exploits commonly write payloads there as a first-stage indicator.
- Monitor for outbound network connections initiated by child processes of foomatic-rip, as legitimate print operations do not establish outbound connections.
- Watch for unsolicited inbound UDP traffic on port 631 from external/untrusted sources — this is the initial attack vector used to trigger cups-browsed into issuing a Get-Printer-Attributes IPP request to an attacker-controlled URL.
- The FoomaticRIPCommandLine PPD parameter is the injection point for arbitrary command execution; inspect PPD files written to disk for the presence of this directive with unexpected or encoded command strings.
- CVE-2024-47076 specifically affects libcupsfilters ≤ 2.1b1; the function cfGetPrinterAttributes5 is the vulnerable code path that fails to validate/sanitize IPP attributes returned from an IPP server, allowing attacker-controlled data to flow into the rest of the CUPS system.
- Exploitation of CVE-2024-47076 alone is insufficient for RCE; it must be chained with CVE-2024-47176 (cups-browsed UDP trust), CVE-2024-47175 (libppd PPD injection), and CVE-2024-47177 (foomatic-rip command execution) to achieve full remote code execution.
- Exploitation requires user interaction (initiating a print job to the malicious printer) after the fake printer is installed; fully automated RCE without any user action is not part of the currently disclosed exploitation method.
- The lp user does not have a login shell by default, which prevents interactive reverse shells via the standard technique, though creative tactics can still achieve this.
- In BrowseRemoteProtocols, changing the value from the default 'dnssd cups' to 'dnssd' (removing 'cups') in /etc/cups/cups-browsed.conf mitigates the cups-browsed attack vector without fully disabling the service.
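An added example (not taken from any of the cited sources) of the two file-level checks in the list above: finding `FoomaticRIPCommandLine` directives in a PPD and reading the effective `BrowseRemoteProtocols` value from `cups-browsed.conf`. The function names, the flag heuristics and both sample inputs are assumptions constructed for illustration; the shell list and the `dnssd cups` default come from the list above.

```python
import re

# Default stated in the mitigation note above.
DEFAULT_BROWSE_REMOTE_PROTOCOLS = ("dnssd", "cups")

# Shell names taken from the detection queries above.
SHELLS = ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")

# Heuristic flags (assumptions for illustration; tune them for your fleet).
FLAG_PATTERNS = (
    ("references-/tmp", re.compile(r"/tmp/")),
    ("invokes-shell",
     re.compile(r"(?<![\w.-])(?:%s)(?![\w.-])" % "|".join(SHELLS))),
    ("encoded-content", re.compile(r"base64|[A-Za-z0-9+/]{40,}={0,2}")),
)

# Matches the directive with a quoted value (which may span lines) or,
# failing that, an unquoted value running to the end of the line.
DIRECTIVE = re.compile(
    r'^\*FoomaticRIPCommandLine[^:\n]*:[ \t]*(?:"([^"]*)"?|([^\n]*))',
    re.MULTILINE,
)


def audit_ppd(ppd_text):
    """Return one finding per FoomaticRIPCommandLine directive in a PPD."""
    findings = []
    for match in DIRECTIVE.finditer(ppd_text):
        raw = match.group(1) if match.group(1) is not None else match.group(2)
        value = " ".join(raw.split())  # collapse multi-line values
        flags = [name for name, pattern in FLAG_PATTERNS
                 if pattern.search(value)]
        line = ppd_text.count("\n", 0, match.start()) + 1
        findings.append({"line": line, "value": value, "flags": flags})
    return findings


def effective_browse_remote_protocols(conf_text):
    """Return the protocols cups-browsed would use for remote browsing.

    Assumption: the last uncommented BrowseRemoteProtocols line wins and
    a missing directive means the default named above.
    """
    protocols = list(DEFAULT_BROWSE_REMOTE_PROTOCOLS)
    for raw_line in conf_text.splitlines():
        parts = raw_line.split("#", 1)[0].split()
        if parts and parts[0].lower() == "browseremoteprotocols":
            protocols = [p.lower() for p in parts[1:]]
    return protocols


def legacy_cups_browsing_enabled(conf_text):
    """True when the legacy 'cups' browsing protocol is still accepted."""
    return "cups" in effective_browse_remote_protocols(conf_text)


# Constructed sample inputs, not captured from a real system.
BENIGN_PPD = '''*PPD-Adobe: "4.3"
*ModelName: "Constructed Example Printer"
'''

SUSPECT_PPD = '''*PPD-Adobe: "4.3"
*ModelName: "Constructed Example Printer"
*FoomaticRIPCommandLine: "echo constructed-marker > /tmp/constructed-marker"
'''

MITIGATED_CONF = '''# constructed sample of /etc/cups/cups-browsed.conf
BrowseRemoteProtocols dnssd
'''

if __name__ == "__main__":
    for finding in audit_ppd(SUSPECT_PPD):
        print("line %(line)d: %(value)r flags=%(flags)s" % finding)
    print("legacy browsing enabled:",
          legacy_cups_browsing_enabled(MITIGATED_CONF))
```

Driver PPDs shipped with foomatic legitimately carry this directive, so an empty `flags` list on a known driver file is expected; the directive appearing in a PPD for an auto-discovered queue is the case worth triaging.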
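CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 8.6 (v3.1) | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N |
| osv | 8.6 | HIGH | — |
| vendor_debian | 8.6 | HIGH | — |
| vendor_redhat | 8.6 | HIGH | — |
| vendor_ubuntu | 8.6 | HIGH | — |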
Chrome
Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2024-47076
vendor_chrome·2024-10-29·CVSS 8.6
CVE-2024-47076 [HIGH] Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2024-47076
CVE-2024-47076
Ubuntu
cups-filters vulnerabilities
vendor_ubuntu·2024-10-09·CVSS 8.6
CVE-2024-47176 [HIGH] cups-filters vulnerabilities
Title: cups-filters vulnerabilities
Summary: cups-filters could be made to run programs if it received specially crafted
network traffic.
USN-7043-1 fixed vulnerabilities in cups-filters. This update improves the
fix for CVE-2024-47176 by removing support for the legacy CUPS printer
discovery protocol entirely.
Original advisory details:
Simone Margaritelli discovered that the cups-filters cups-browsed
component could be used to create arbitrary printers from outside the
local network. In combination with issues in other printing components, a
remote attacker could possibly use this issue to connect to a system,
created manipulated PPD files, and execute arbitrary code when a printer
is used. This update disables support for the legacy CUPS printer
discovery protocol. (CVE-2024-47176)
Palo Alto
Informational: No Impact of CUPS Vulnerabilities on Palo Alto Networks Products
vendor_paloalto·2024-09-26·CVSS 8.6
CVE-2024-47076 [HIGH] CWE-78 Informational: No Impact of CUPS Vulnerabilities on Palo Alto Networks Products
The Palo Alto Networks Product Security Assurance team has evaluated CVE-2024-47076, CVE-2024-47177, CVE-2024-47175, and CVE-2024-47176 in the Common UNIX Printing System (CUPS) as they relate to our products.
Based on current information, Palo Alto Networks products and cloud services do not contain affected CUPS-related software packages and are not impacted by these issues.
Affected products: Cloud NGFW, Cortex XDR, Cortex XDR Agent, Cortex XSIAM, Cortex XSOAR, GlobalProtect App, PAN-OS, Prisma Access, Prisma Browser, Prisma Cloud, Prisma Cloud Compute, Prisma SD-WAN
Solution: No software updates are required at this time.
Workaround: Customers who decide to block CUPS traffic can create a Security poli
Ubuntu
libcupsfilters vulnerability
vendor_ubuntu·2024-09-26
CVE-2024-47076 libcupsfilters vulnerability
Title: libcupsfilters vulnerability
Summary: libcupsfilters could be made to run programs if it received specially
crafted network traffic.
Simone Margaritelli discovered that libcupsfilters incorrectly sanitized
IPP data when creating PPD files. A remote attacker could possibly use this
issue to manipulate PPD files and execute arbitrary code when a printer is
used.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
cups-browsed: cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source
vendor_redhat·2024-09-26·CVSS 8.6
CVE-2024-47176 [HIGH] CWE-940 cups-browsed: cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source
CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.
A security issue has been identified in OpenPrinting CUPS.
The function ppdCreatePPDFromIPP2
Ubuntu
cups-filters vulnerabilities
vendor_ubuntu·2024-09-26·CVSS 8.6
CVE-2024-47176 [HIGH] cups-filters vulnerabilities
Title: cups-filters vulnerabilities
Summary: cups-filters could be made to run programs if it received specially crafted
network traffic.
Simone Margaritelli discovered that the cups-filters cups-browsed component
could be used to create arbitrary printers from outside the local network.
In combination with issues in other printing components, a remote attacker
could possibly use this issue to connect to a system, created manipulated
PPD files, and execute arbitrary code when a printer is used. This update
disables support for the legacy CUPS printer discovery protocol.
(CVE-2024-47176)
Simone Margaritelli discovered that cups-filters incorrectly sanitized IPP
data when creating PPD files. A remote attacker could possibly use this
issue to manipulate PPD files and execute arbitrary code
Red Hat
cups-filters: libcupsfilters: `cfGetPrinterAttributes` API does not perform sanitization on returned IPP attributes
vendor_redhat·2024-09-26·CVSS 8.6
CVE-2024-47076 [HIGH] CWE-20 cups-filters: libcupsfilters: `cfGetPrinterAttributes` API does not perform sanitization on returned IPP attributes
CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. The `cfGetPrinterAttributes5` function in `libcupsfilters` does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, this can lead to attacker controlled data to be provided to the rest of the CUPS system.
A flaw was found in OpenPrinting CUPS. In certain conditions, a remote attacker can add a malicious printer or directly hijack an existing printer by
Debian
CVE-2024-47176: cups-filters - CUPS is a standards-based, open-source printing system, and `cups-browsed` conta...
vendor_debian·2024·CVSS 8.6
CVE-2024-47176 [HIGH] CVE-2024-47176: cups-filters - CUPS is a standards-based, open-source printing system, and `cups-browsed` conta...
CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.
Scope: local
bookworm: resolved (fixed in 1.28.17-3+deb12u1)
bullseye: resolved (fixed in 1.28.7-1+deb11u3)
forky: resolved (fixed in 1.28.17-5)
sid: resolved (fixed in 1.28.17-5)
trixie
Debian
CVE-2024-47076: cups-filters - CUPS is a standards-based, open-source printing system, and `libcupsfilters` con...
vendor_debian·2024·CVSS 8.6
CVE-2024-47076 [HIGH] CVE-2024-47076: cups-filters - CUPS is a standards-based, open-source printing system, and `libcupsfilters` con...
CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. The `cfGetPrinterAttributes5` function in `libcupsfilters` does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, this can lead to attacker controlled data to be provided to the rest of the CUPS system.
Scope: local
bookworm: resolved (fixed in 1.28.17-3+deb12u1)
bullseye: resolved (fixed in 1.28.7-1+deb11u3)
forky: resolved (fixed in 1.28.17-5)
sid: resolved (fixed in 1.28.17-5)
trixie: resolved (fixed in 1.28.17-5)
OSV
cups-filters vulnerabilities
osv·2024-10-09·CVSS 8.6
CVE-2024-47176 [HIGH] cups-filters vulnerabilities
USN-7043-1 fixed vulnerabilities in cups-filters. This update improves the
fix for CVE-2024-47176 by removing support for the legacy CUPS printer
discovery protocol entirely.
Original advisory details:
Simone Margaritelli discovered that the cups-filters cups-browsed
component could be used to create arbitrary printers from outside the
local network. In combination with issues in other printing components, a
remote attacker could possibly use this issue to connect to a system,
created manipulated PPD files, and execute arbitrary code when a printer
is used. This update disables support for the legacy CUPS printer
discovery protocol. (CVE-2024-47176)
Simone Margaritelli discovered that cups-filters incorrectly sanitized IPP
data when creating PPD files. A re
OSV
CVE-2024-47176: CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto
osv·2024-09-26·CVSS 8.6
CVE-2024-47176 [HIGH] CVE-2024-47176: CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto
CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.
OSV
cups-filters vulnerabilities
osv·2024-09-26·CVSS 8.6
CVE-2024-47176 [HIGH] cups-filters vulnerabilities
Simone Margaritelli discovered that the cups-filters cups-browsed component
could be used to create arbitrary printers from outside the local network.
In combination with issues in other printing components, a remote attacker
could possibly use this issue to connect to a system, created manipulated
PPD files, and execute arbitrary code when a printer is used. This update
disables support for the legacy CUPS printer discovery protocol.
(CVE-2024-47176)
Simone Margaritelli discovered that cups-filters incorrectly sanitized IPP
data when creating PPD files. A remote attacker could possibly use this
issue to manipulate PPD files and execute arbitrary code when a printer is
used. (CVE-2024-47076)
OSV
CVE-2024-47076: CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as
osv·2024-09-26·CVSS 8.6
CVE-2024-47076 [HIGH] CVE-2024-47076: CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as
CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. The `cfGetPrinterAttributes5` function in `libcupsfilters` does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, this can lead to attacker controlled data to be provided to the rest of the CUPS system.
Elastic
Network Connection by Cups or Foomatic-rip Child
elastic_rules·CVSS 8.6
CVE-2024-47176 [HIGH] Network Connection by Cups or Foomatic-rip Child
This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176,
CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects network connections initiated by a
child processes of foomatic-rip. These flaws impact components like cups-browsed, libcupsfilters, libppd, and
foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted
UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.
Query:
sequence by host.id with maxspan=10s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.parent.name == "foomatic-rip"
Elastic
Suspicious Execution from Foomatic-rip or Cupsd Parent
elastic_rules·CVSS 8.6
CVE-2024-47176 [HIGH] Suspicious Execution from Foomatic-rip or Cupsd Parent
This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176,
CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects suspicious process command lines
executed by child processes of foomatic-rip and cupsd. These flaws impact components like cups-browsed, libcupsfilters,
libppd, and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data
through crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is
initiated.
Query:
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
process
Elastic
Cupsd or Foomatic-rip Shell Execution
elastic_rules·CVSS 8.6
CVE-2024-47176 [HIGH] Cupsd or Foomatic-rip Shell Execution
This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176,
CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects shell executions from the
foomatic-rip parent process. These flaws impact components like cups-browsed, libcupsfilters, libppd, and foomatic-rip,
allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or
network spoofing. This can result in arbitrary command execution when a print job is initiated.
Query:
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.parent.name == "foomatic-rip" and
process.name in
Elastic
File Creation by Cups or Foomatic-rip Child
elastic_rules·CVSS 8.6
CVE-2024-47176 [HIGH] File Creation by Cups or Foomatic-rip Child
This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176,
CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects suspicious file creation events
executed by child processes of foomatic-rip. These flaws impact components like cups-browsed, libcupsfilters, libppd,
and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through
crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.
Query:
sequence by host.id with maxspan=10s
[process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and
process.parent.name ==
Elastic
Printer User (lp) Shell Execution
elastic_rules·CVSS 8.6
CVE-2024-47176 [HIGH] Printer User (lp) Shell Execution
This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176,
CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects shell executions from the foomatic-rip
parent process through the default printer user (lp). These flaws impact components like cups-browsed, libcupsfilters,
libppd, and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data
through crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is
initiated.
Query:
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "ProcessRollup2", "ProcessRollup2") and user.name == "
Wiz
Crying Out Cloud - October 2024 Newsletter | Wiz
blogs_wiz·2024-10-01·CVSS 9.0
CVE-2024-0132 [CRITICAL] Crying Out Cloud - October 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks!
## 🔍 Highlights
Critical Vulnerability in NVIDIA Container Toolkit
Wiz Research uncovered a critical vulnerability, CVE-2024-0132, in the widely used NVIDIA Container Toolkit. The vulnerability allows attackers with control over a container image to escape the container and gain full access to the underlying host. It is strongly recommended to update the affected package to the latest version 1.16.2, while focusing on container hosts that might run untrusted container images.
According to Wiz data, 33% of cloud environments are impacted by CVE-2024-0132.
Learn more in our blog.
## 🐞 High Profile Vulnerab
Wiz
OpenPrinting CUPS Vulnerabilities: Analysis of related CVEs | Wiz Blog
blogs_wiz·2024-09-29·CVSS 8.6
CVE-2024-47176 [HIGH] OpenPrinting CUPS Vulnerabilities: Analysis of related CVEs | Wiz Blog
The security researcher Simone Margaritelli (evilsocket), disclosed details of several vulnerabilities impacting CUPS and IPP packages: CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. These vulnerabilities are unlikely to be exploited in most cloud environments due to their requirements for exposing UDP port 631 and needing the victim to attempt a print request as part of the currently disclosed exploitation method.
The vulnerabilities received CVSS base scores ranging from 8.0 to 9.0. It is recommended to mitigate these vulnerabilities and apply patches.
## What are these vulnerabilities?
A remote, unauthenticated attacker can replace existing printers with a malicious one or add a new printer under their control, leading to arbitrary command execution when a prin
Wiz
OpenPrinting CUPS Vulnerabilities: Analysis of related CVEs | Wiz Blog
blogs_wiz·2024-09-29·CVSS 8.6
CVE-2024-47076 [HIGH] OpenPrinting CUPS Vulnerabilities: Analysis of related CVEs | Wiz Blog
The security researcher Simone Margaritelli (evilsocket), disclosed details of several vulnerabilities impacting CUPS and IPP packages: CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. These vulnerabilities are unlikely to be exploited in most cloud environments due to their requirements for exposing UDP port 631 and needing the victim to attempt a print request as part of the currently disclosed exploitation method.
The vulnerabilities received CVSS base scores ranging from 8.0 to 9.0. It is recommended to mitigate these vulnerabilities and apply patches.
# What are these vulnerabilities?
A remote, unauthenticated attacker can replace existing printers with a malicious one or add a new printer under their control, leading to arbitrary command execution when a print j
Elastic
Cups Overflow: When your printer spills more than Ink — Elastic Security Labs
blogs_elastic·2024-09-28·CVSS 6.8
[MEDIUM] Cups Overflow: When your printer spills more than Ink — Elastic Security Labs
28 September 2024•Mika Ayenson, PhD•Terrance DeJesus•Eric Forte•Ruben Groenewoud
# Cups Overflow: When your printer spills more than Ink
Elastic Security Labs discusses detection and mitigation strategies for vulnerabilities in the CUPS printing system, which allow unauthenticated attackers to exploit the system via IPP and mDNS, resulting in remote code execution (RCE) on UNIX-based systems such as Linux, macOS, BSDs, ChromeOS, and Solaris.
9 min read · Detection Engineering, Product Updates
## Update October 2, 2024
The following packages introduced out-of-the-box (OOTB) rules to detect the exploitation of these vulnerabilities. Please check your "Prebuilt Security Detection Rules" integration versions or visit the Downloadable rule updates site.
- Stack Version 8.15 - Package Version
Elastic
Cups Overflow: When your printer spills more than Ink — Elastic Security Labs
blogs_elastic·2024-09-28
## Cups Overflow: When your printer spills more than Ink
Elastic Security Labs discusses detection and mitigation strategies for vulnerabilities in the CUPS printing system, which allow unauthenticated attackers to exploit the system via IPP and mDNS, resulting in remote code execution (RCE) on UNIX-based systems such as Linux, macOS, BSDs, ChromeOS, and Solaris.
## Update October 2, 2024
The following packages introduced out-of-the-box (OOTB) rules to detect the exploitation of these vulnerabilities. Please check your "Prebuilt Security Detection Rules" integration versions or visit the Downloadable rule updates site.
Stack Version 8.15 - Package Version 8.15.6+
Stack Version 8.14 - Package Version 8.14.12+
Stack Version 8.13 - Package Version 8.13.18+
Stack Version 8.12 - Package
Qualys
Unauthenticated RCE in CUPS: Critical Printing System Flaws
blogs_qualys·2024-09-26·CVSS 8.6
[HIGH] Unauthenticated RCE in CUPS: Critical Printing System Flaws
A critical set of unauthenticated Remote Code Execution (RCE) vulnerabilities in CUPS, affecting all GNU/Linux systems and potentially others, was disclosed today. These vulnerabilities allow a remote attacker to execute arbitrary code on a target system without valid credentials or prior access. Major organizations like Canonical and Red Hat have confirmed this flaw, assigning it a high severity with a CVSS score of 9.9 out of 10.
Based
Tenable
CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilities
blogs_tenable·2024-09-26·CVSS 8.6
[HIGH] CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilities
Qualys
CUPS RCE Vulnerabilities: Patch Critical Flaws | Qualys
blogs_qualys·2024-09-26·CVSS 8.6
[HIGH] CUPS RCE Vulnerabilities: Patch Critical Flaws | Qualys
A critical set of unauthenticated Remote Code Execution (RCE) vulnerabilities in CUPS, affecting all GNU/Linux systems and potentially others, was disclosed today. These vulnerabilities allow a remote attacker to execute arbitrary code on a target system without valid credentials or prior access. Major organizations like Canonical and Red Hat have confirmed this flaw, assigning it a high severity with a CVSS score of 9.9 out o
Bugzilla
CVE-2024-47076 cups-filters: libcupsfilters: `cfGetPrinterAttributes` API does not perform sanitization on returned IPP attributes
bugzilla·2024-09-23·CVSS 8.6
CVE-2024-47076 [HIGH] CVE-2024-47076 cups-filters: libcupsfilters: `cfGetPrinterAttributes` API does not perform sanitization on returned IPP attributes
If an attacker is able to exploit an exposed IPP server to respond with a valid response to be added to the system, and if discovered via mDNS, an existing printer can be directly hijacked (its IPP url replaced with a malicious one) making it indistinguishable from the original one. The `cfGetPrinterAttributes` API does not perform any sanitization on any of the IPP attributes returned by the server. Attributes that are then saved, as they are, in a temporary PPD file via `ppdCreatePPDFromIPP2`. `ppdCreatePPDFromIPP2` doesn't perform any sanitization itself and in fact it just writes to the file any attributes contents. This allows an attacker to return a mali
CTF
ippsec-video-index
ctf_writeups·CVSS 8.6
[HIGH] ippsec-video-index
# IppSec HTB Video Index - Complete Reference
> The most comprehensive index of IppSec's HackTheBox video walkthroughs.
> Data sourced from [ippsec.rocks](https://ippsec.rocks) dataset, GitHub, and community resources.
> Last updated: 2026-04-10
## Stats
| Category | Count |
|----------|-------|
| HTB Machine Walkthroughs | 432 |
| UHC (Ultimate Hacking Championship) | 12 |
| HTB Sherlocks (DFIR) | 7 |
| VulnHub Machines | 4 |
| Tutorials / Methodology / Special | 61 |
| HTB Academy Modules | 17 |
| **Total Unique Content** | **533** |
| Total Searchable Entries (timestamps) | 9,245 |
## Key Resources
| Resource | URL |
|----------|-----|
| YouTube Channel | [youtube.com/ippsec](https://youtube.com/ippsec) |
| Searchable Video Index | [ippsec.rocks](https://ippsec.rocks) |
| GitHub |
- https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
- https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47
- https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5
- https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6
- https://www.cups.org
- https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I
- https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3d20c109332d14672a807353cdc551018
- https://lists.debian.org/debian-lts-announce/2024/09/msg00048.html
- https://security.netapp.com/advisory/ntap-20241011-0001/