CVE-2024-47177 CUPS browsed issues

There’s been a lot of noise about a family of CUPS security issues, one listing:


  • CVE-2024-47176 - cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL
  • CVE-2024-47076 - libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system
  • CVE-2024-47175 - libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data in the resulting PPD
  • CVE-2024-47177 - cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter


Obviously for a system not directly accessible outside one’s local network the risks are somewhat limited (as noted by Red Hat) but nonetheless, seems like there should be some formal Apple comments and advice. Am I just not spotting it?

MacBook Pro 16″, macOS 15.0

Posted on Sep 30, 2024 7:35 AM

Question marked as Top-ranking reply

Posted on Sep 30, 2024 3:26 PM

The exploit requires having cups-browsed active, creating a malicious IPP printer, and then convincing somebody to print to it.


Apple also doesn’t indicate that the associated UDP 631 port is even used:


The related TCP 631 has to be manually enabled.


Run a port scan with nmap, and see if UDP 631 is accessible, or use lsof to check, or whatever.


On macOS 13, I don’t see anything (relevant) named browsed installed, nor anything with open ports with anything cups showing in lsof. So seemingly there is nothing to exploit.


From elsewhere:


Hype aside, I’d be more concerned about the prevalence of down-revision printers. There are exploits available against down-revision printers if y’all want to be concerned about these sorts of printer messes. Printers can make a marvelous network probe once exploited, too. DEF CON has had presentations on this topic over the years, and finding down-revision firmware existing in many local networks would be unsurprising.
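An added example, not part of the reply above: a shell function that reads `lsof -nP -iUDP:631` output and reports whether anything is bound to UDP 631 on a wildcard or routable address (the INADDR_ANY bind described in CVE-2024-47176) or only on loopback. The function names and the sample lsof lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify UDP 631 listeners from lsof output on stdin.
# Live use:  lsof -nP -iUDP:631 | classify_udp631
# Assumes lsof's default column layout, where the last field is NAME
# (for example "*:631", "127.0.0.1:631" or "[::1]:631").
classify_udp631() {
    awk '
        # Unconnected sockets only: skip "local->remote" entries and the header.
        $NF ~ /:631$/ && $NF !~ /->/ {
            addr = $NF
            sub(/:631$/, "", addr)            # keep just the bind address
            if (addr ~ /^127\./ || addr == "[::1]") {
                loop++; scope = "loopback"
            } else {
                wide++; scope = "reachable"   # "*" or a routable address
            }
            # Detail goes to stderr: command, PID, bind address, scope.
            print $1, "pid=" $2, addr, scope > "/dev/stderr"
        }
        END {
            if (wide)      print "exposed"
            else if (loop) print "loopback-only"
            else           print "none"
        }
    '
}

# Constructed sample: a listener on every interface (lsof truncates the
# command name to nine characters by default).
sample_wildcard() {
cat <<'EOF'
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cups-brow 1234 root    7u  IPv4  23456      0t0  UDP *:631
EOF
}

# Constructed sample: listeners bound to loopback only.
sample_loopback() {
cat <<'EOF'
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
exampled  2345 root    5u  IPv4  34567      0t0  UDP 127.0.0.1:631
exampled  2345 root    6u  IPv6  34568      0t0  UDP [::1]:631
EOF
}

sample_wildcard | classify_udp631    # prints "exposed"
```

A result of `none` from a live run only covers sockets lsof can see, so run it with enough privilege to list other users' processes.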


Sep 30, 2024 8:48 AM in response to khbkhb

khbkhb wrote:

Obviously for a system not directly accessible outside one’s local network the risks are somewhat limited

OMG! Someone who understands basic networking!

seems like there should be some formal Apple comments and advice. Am I just not spotting it?

If Apple determines that the system is vulnerable, then a fix will be included in an update. The only formal comment will be a section in "About the security content of macOS whatever".


It looks like Apple has already configured cups to only listen on the local interface, so probably nothing to do but watch all the IT admins freak out about it for a few weeks.
