On September 27, 2024, security researcher Simone "evilsocket" Margaritelli reported on his personal blog that the Unix-based printing framework CUPS has multiple high-risk security vulnerabilities[1]. An unauthenticated remote attacker can impersonate a printer, using a malicious IPP URL to replace the URL of an existing printer or to add a new malicious printer. When a user then starts a print job on the affected computer, the attacker can silently execute arbitrary commands on that computer through the fake printer URL.

These vulnerabilities have been confirmed by the upstream software maintainers and security personnel, and temporary measures have been taken to disable the relevant features to mitigate the risks. No functional fixes are currently provided.

Vulnerability IDs: CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177. [2][3][4]

 

Am I affected?

1. If you have not installed cups-browsed (this package is not pre-installed in deepin 23), you are not affected by this vulnerability.

2. If you do not perform any printing operations, you will not trigger this vulnerability.

3. If you have installed cups-browsed and perform printing operations, you may be affected by this vulnerability.

 

Temporary protection measures

1. If you do not need the cups-browsed service, stopping or uninstalling it can mitigate attacks over the network:

a. sudo systemctl disable --now cups-browsed

b. sudo apt remove cups-browsed

2. If you need the cups-browsed service, you can:

a. Enable the firewall and block traffic to UDP port 631 to prevent attacks.

b. Edit /etc/cups/cups-browsed.conf, find the BrowseRemoteProtocols field, remove cups from its value, then run sudo systemctl restart cups-browsed to restart cups-browsed.
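The check and edit from step 2b can be scripted. The following is an added example, not deepin's or the CUPS project's own code: it reports whether cups is listed in BrowseRemoteProtocols and prints a hardened copy of the file without modifying the original. The function names are hypothetical, and the script assumes directive names and values are matched case-insensitively and may be separated by spaces or commas.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of cups-browsed.
# Assumption: directive names and values are matched case-insensitively and
# values may be separated by spaces or commas.

# Print the value of the last active BrowseRemoteProtocols line ("" if none).
remote_protocols() {
    awk 'tolower($1) == "browseremoteprotocols" {
             $1 = ""; sub(/^ +/, ""); v = $0
         }
         END { print v }' "$1"
}

# Succeed if "cups" is among the listed remote protocols. An absent directive
# is reported as "not listed"; the build default then applies, so set it
# explicitly.
cups_browsing_enabled() {
    remote_protocols "$1" | tr ',' ' ' | tr 'A-Z' 'a-z' | grep -qw cups
}

# Write a copy of the file to stdout with "cups" dropped from every active
# BrowseRemoteProtocols line; a line left empty becomes "none".
harden_conf() {
    awk 'tolower($1) == "browseremoteprotocols" {
             gsub(/,/, " ")                  # modifying $0 re-splits fields
             keep = ""
             for (i = 2; i <= NF; i++)
                 if (tolower($i) != "cups") keep = keep " " $i
             if (keep == "") keep = " none"
             print $1 keep
             next
         }
         { print }' "$1"
}

# Stand-alone use: sh check-browsed.sh /etc/cups/cups-browsed.conf
if [ "$#" -gt 0 ]; then
    if cups_browsing_enabled "$1"; then
        echo "$1: cups is listed in BrowseRemoteProtocols" >&2
        harden_conf "$1"                     # original file is not modified
    else
        echo "$1: cups is not listed in BrowseRemoteProtocols" >&2
    fi
fi
```

Review the printed copy before installing it over /etc/cups/cups-browsed.conf, then restart cups-browsed as described in step 2b.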

 

deepin 23 Patch

deepin 23 patched cups-browsed and cups-filters on September 27, 2024. We strongly recommend that all users update immediately to fix this security vulnerability. The patched version is: 1.28.17-3.1~deepin3.

 

Event Timeline

  • September 27, 2024, 04:00 (UTC+8) Vulnerability disclosure.
  • September 27, 2024, 09:00 (UTC+8) deepin detected the vulnerability information.
  • September 27, 2024, 11:44 (UTC+8) Vulnerability patched and integrated.
  • September 27, 2024, 14:18 (UTC+8) Integration testing passed.
  • September 27, 2024, 15:42 (UTC+8) Repository pushed the vulnerability fix.

(All times are Beijing Time)

 

References:

[1] Blog address: https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

[2] Alibaba Cloud report: https://avd.aliyun.com/detail?id=AVD-2024-47176

[3] JFrog report: https://jfrog.com/blog/cups-attack-zero-day-vulnerability-all-you-need-to-know/

[4] oss-security report: https://www.openwall.com/lists/oss-security/2024/09/26/5

 

 


 

Content source: deepin community

Reprinted with attribution
