Cups is affected by a security vulnerability [26 September 2024]

joekamprad · September 26, 2024, 9:36pm

As of writing there is no Linux fix available for this high profile security issue. In the meantime it’s recommended to disable and remove the “cups-browsed” service, updating CUPS, or at least blocking all traffic to UDP port 631.

Source:

systemctl status cups-browsed to check if you have it enabled
sudo systemctl disable --now cups-browsed to stop/disable.

But with this you will not be able to use network printers added automatically, you may need to add network printer manually after this.

From what I see, firewalld has port 631/udp closed by default.

Check it:
sudo firewall-cmd --list-all

closing it would be something like:
sudo firewall-cmd --remove-port=631/udp --permanent
sudo firewall-cmd --reload

And keep in mind only just read about this, personally not the pro on these things, feel free to add knowledge.

And in case the most simple way is to uninstall:
sudo pacman -R cups-browsed
To be on the securest side you could also go uninstall cups all together:
sudo pacman -Rc cups cups-browsed
(Check what it shows before proceed as of -c cascading option)

// edit//

With:

upgpkg: 2.0.1-2; don’t browse old cups protocol by default - CVE-2024-47176

cups-browsed 2.0.1-2
The issue should be resolved (if it was a real issue in the first place)

https://access.redhat.com/security/cve/cve-2024-47176

This is exploitable from outside the LAN if the computer is exposed on the public internet.

(only as a sidenote)

drunkenvicar · September 27, 2024, 12:53am

It’s systemd so I have no idea how to read its mixed messages: it was “disabled”, it’s default was “enabled”, and it was “active.”

I just went ahead and sudo systemctl disable --now cups-browsed did this anyway just to put it out mixed message misery.

Thank you for the PSA.

dalto · September 27, 2024, 1:31am

Why not uninstall it altogether?

It is in it’s own package, cups-browsed

_Six · September 27, 2024, 3:36am

Thanks, I checked and no service could be found, and I found no packages, Firewall fine also. All good.

andrewb · September 27, 2024, 3:37am

If you need it sometimes, you’ll never know the new version is available for an update.

There are also some support libraries that will be updated when this all gets fixed.

UncleSpellbinder · September 27, 2024, 3:39am

Does this issue affect people who’ve never set up cups? I think the last time I used a printer at home was about 2005.

d-air1 · September 27, 2024, 5:10am

I never had cups-browesed installed in the first place.

d-air1 · September 27, 2024, 5:10am

If it aint running. Then you aren’t affected.

xircon · September 27, 2024, 6:25am

when a print job is started (from that computer).

So someone would have to have access to your computer… Nasty, but would not affect most of us at home.

Dirklangohr · September 27, 2024, 6:31am

Also not an expert, but shouldn’t the command be sudo firewall-cmd --remove-port=631/udp --permanent so changes persist? Changes not made permanent will not persist across reloads, so if I am not mistaken, after running sudo firewall-cmd --reload the firewall will be open again in your version

winnyace · September 27, 2024, 8:06am

If you have cups-remoted not installed, you are fine.

Something else that I think is worth mentioning is that by default EndeavourOS doesn’t install this service and the solution to this whole thing is benign, in my opinion. We shall see how it progresses, but the amount of effort required by an attacker seems to be a large enough pain in the bottom to pull off.

I think one possible solution for this is:

Don’t automatically scan for new printers every single network adapter;
Allow the user to scan for printers on the network when they request to do so;
Notify the user in some way when a new printer is available.

Phodox · September 27, 2024, 10:56am

Is there a simple good alternative to CUPS?
I am looking for a simple UI app that can find and setup my printer without using website.

winnyace · September 27, 2024, 11:08am

Sadly, it seems no. CUPS is the most modern and up-to-date printer system on Linux, BSD and even MacOS. I honestly wouldn’t be so scared about this if you don’t have cups-browsed installed, which on EndeavourOS seems to be uninstalled by default.

SemLraug · September 27, 2024, 12:02pm

Thanks all, for the heads up and making clear what i can do the check and mitigate.
Much appreciated!

thefrog · September 27, 2024, 1:02pm

for those like me who need not read first thing in the morning

ricklinux · September 27, 2024, 2:23pm

I noticed an update this morning for cups-browsed. My system has it installed but not running.

dave_at_hal9000 · September 27, 2024, 2:39pm

Just checked and I saw it today - I assume it’s a coincidence, and not a fix already?

rich52 · September 27, 2024, 2:40pm

Exactly my question. . . . I noticed the files updating this morning also. . . so what is now the status?

Rich;)

dave_at_hal9000 · September 27, 2024, 2:46pm

So I went to the arch repos and from there found the git for cups-browserd - there was a commit 3 hours ago referring to the vulnerability: https://gitlab.archlinux.org/archlinux/packaging/packages/cups-browsed/-/commit/4e5ddd505a67a91502381304db11862522178053

~~Looking at it now, not sure what it’s doing exactly~~
It adds a CVE-2024-47176.patch that makes the service not listen to cups protocol, apparently. It has the following comment:

Works around CVE-2024-47176, the fix will be complete removal of CUPS
Browsing functionality