As of writing there is no Linux fix available for this high profile security issue. In the meantime it’s recommended to disable and remove the “cups-browsed” service, update CUPS, or at least block all traffic to UDP port 631.
Source:
systemctl status cups-browsed to check if you have it enabled;
sudo systemctl disable --now cups-browsed to stop/disable it.
But with this you will not be able to use network printers added automatically, you may need to add network printer manually after this.
From what I see, firewalld has port 631/udp closed by default.
Check it: sudo firewall-cmd --list-all
Closing it would be something like:
sudo firewall-cmd --remove-port=631/udp --permanent
sudo firewall-cmd --reload
And keep in mind I only just read about this; I’m personally not a pro on these things, so feel free to add knowledge.
And in case the most simple way is to uninstall: sudo pacman -R cups-browsed
To be on the securest side you could also go uninstall cups all together: sudo pacman -Rc cups cups-browsed
(Check what it shows before proceeding, because of the -c cascading option.)
// edit//
The problem should already be solved by updating to cups-browsed-2.0.1-2.
Do your own research in addition!
With:
upgpkg: 2.0.1-2; don’t browse old cups protocol by default - CVE-2024-47176
cups-browsed 2.0.1-2
The issue should be resolved (if it was a real issue in the first place)
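The thread gives three separate checks (is cups-browsed installed and at the fixed 2.0.1-2 build, is the service running, is 631/udp open in firewalld) but no way to combine them. The script below is an added example by the editor, not code from the thread or from the cups-browsed project. Its check functions take command output as arguments, so they run offline against the constructed sample data at the bottom; the audit() function at the end feeds them live output from pacman, systemctl and firewall-cmd when those tools exist. Assumptions: versions are purely numeric (true for cups-browsed 2.0.1-2, so a simple field-by-field compare stands in for pacman’s vercmp), and firewalld’s predefined ipp-client service is treated as covering 631/udp.

```shell
#!/usr/bin/env bash
# Added example: audit the cups-browsed mitigation state discussed in this thread.
# Pure check functions take command output as arguments so they can be exercised
# offline; audit() gathers live data only when the tools are present.

# Fixed Arch package build named in the thread.
FIXED_VER="2.0.1-2"

# Compare two "pkgver-pkgrel" strings field by field (split on '.' and '-').
# Prints -1, 0 or 1. Assumption: numeric fields only, enough for cups-browsed here.
vercmp_simple() {
  local a="$1" b="$2"
  local IFS='.-'
  local -a pa=($a) pb=($b)
  local i n
  n=${#pa[@]}; [ ${#pb[@]} -gt $n ] && n=${#pb[@]}
  for ((i=0; i<n; i++)); do
    local x=${pa[i]:-0} y=${pb[i]:-0}
    if ((10#$x < 10#$y)); then printf '%s\n' -1; return; fi
    if ((10#$x > 10#$y)); then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# $1 = output of `pacman -Q cups-browsed` ("cups-browsed 2.0.1-1"), "" if not installed.
# True (0) when the installed build is older than FIXED_VER.
browsed_vulnerable_version() {
  local pacman_q="$1"
  [ -z "$pacman_q" ] && return 1          # not installed: nothing to patch
  local ver=${pacman_q#cups-browsed }
  [ "$(vercmp_simple "$ver" "$FIXED_VER")" -lt 0 ]
}

# $1 = output of `systemctl is-active cups-browsed` (active/inactive/failed/...).
browsed_running() { [ "$1" = "active" ]; }

# $1 = output of `firewall-cmd --list-all`. True when 631/udp is opened explicitly
# in "ports:" or via the ipp-client service (assumed to cover 631/udp).
udp631_open() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ports:.*(^|[[:space:]])631/udp([[:space:]]|$)' && return 0
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*services:.*(^|[[:space:]])ipp-client([[:space:]]|$)'
}

# Combine the checks into one verdict string.
# $1 pacman -Q output, $2 systemctl is-active output, $3 firewall-cmd --list-all output.
verdict() {
  local pkg="$1" active="$2" fw="$3"
  if [ -z "$pkg" ]; then printf '%s\n' "not-installed"; return; fi
  if ! browsed_vulnerable_version "$pkg"; then printf '%s\n' "patched"; return; fi
  if browsed_running "$active" && udp631_open "$fw"; then printf '%s\n' "exposed"; return; fi
  if browsed_running "$active"; then printf '%s\n' "running-but-port-closed"; return; fi
  printf '%s\n' "installed-but-stopped"
}

# Live audit for an Arch/EndeavourOS box; silently skipped where pacman is absent.
audit() {
  command -v pacman >/dev/null || { echo "pacman not found; skipping live audit"; return 0; }
  local pkg active fw
  pkg=$(pacman -Q cups-browsed 2>/dev/null || true)
  active=$(systemctl is-active cups-browsed 2>/dev/null || true)
  fw=$(firewall-cmd --list-all 2>/dev/null || true)
  echo "cups-browsed status: $(verdict "$pkg" "$active" "$fw")"
}

# Constructed sample data (not output from a real machine) for offline use.
SAMPLE_PKG_OLD="cups-browsed 2.0.1-1"
SAMPLE_FW_OPEN='public (active)
  target: default
  services: dhcpv6-client ssh
  ports: 631/udp
  protocols:'
SAMPLE_FW_CLOSED='public (active)
  target: default
  services: dhcpv6-client ssh
  ports:
  protocols:'

audit
```

The verdict deliberately distinguishes "running-but-port-closed" from "exposed": a closed 631/udp port blocks the network path the thread is worried about, but the service is still listening locally, so the package update (or disabling the unit, as described above) remains the real fix.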
Also not an expert, but shouldn’t the command be sudo firewall-cmd --remove-port=631/udp --permanent so changes persist? Changes not made permanent will not persist across reloads, so if I am not mistaken, after running sudo firewall-cmd --reload the firewall will be open again in your version.
If you don’t have cups-remoted installed, you are fine.
Something else that I think is worth mentioning is that by default EndeavourOS doesn’t install this service and the solution to this whole thing is benign, in my opinion. We shall see how it progresses, but the amount of effort required by an attacker seems to be a large enough pain in the bottom to pull off.
I think one possible solution for this is:
Don’t automatically scan for new printers on every single network adapter;
Allow the user to scan for printers on the network when they request to do so;
Notify the user in some way when a new printer is available.
Sadly, it seems no. CUPS is the most modern and up-to-date printer system on Linux, BSD and even MacOS. I honestly wouldn’t be so scared about this if you don’t have cups-browsed installed, which on EndeavourOS seems to be uninstalled by default.
Looking at it now, not sure what it’s doing exactly
It adds a CVE-2024-47176.patch that makes the service not listen to cups protocol, apparently. It has the following comment:
Works around CVE-2024-47176, the fix will be complete removal of CUPS
Browsing functionality