Cups is affected by a security vulnerability [26 September 2024]

Important notifications
1

As of writing there is no Linux fix available for this high profile security issue. In the meantime it’s recommended to disable and remove the “cups-browsed” service, updating CUPS, or at least blocking all traffic to UDP port 631.

Source:
https://www.phoronix.com/news/Linux-CVSS-9.9-Rating

https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

systemctl status cups-browsed to check if you have it enabled
sudo systemctl disable --now cups-browsed to stop/disable.

But with this you will not be able to use network printers added automatically, you may need to add network printer manually after this.

From what I see, firewalld has port 631/udp closed by default.

Check it:
sudo firewall-cmd --list-all

closing it would be something like:
sudo firewall-cmd --remove-port=631/udp --permanent
sudo firewall-cmd --reload

And keep in mind only just read about this, personally not the pro on these things, feel free to add knowledge.

And in case the most simple way is to uninstall:
sudo pacman -R cups-browsed
To be on the securest side you could also go uninstall cups all together:
sudo pacman -Rc cups cups-browsed
(Check what it shows before proceed as of -c cascading option)

// edit//

The problem should already been solved by updating to cups-browsed-2.0.1-2.
Do your own research in addition!

With:

upgpkg: 2.0.1-2; don’t browse old cups protocol by default - CVE-2024-47176

https://gitlab.archlinux.org/archlinux/packaging/packages/cups/-/commit/494250067a97981fd1f56c5d6892a7584b4b0c9e
cups-browsed 2.0.1-2
The issue should be resolved (if it was a real issue in the first place)

https://access.redhat.com/security/cve/cve-2024-47176

This is exploitable from outside the LAN if the computer is exposed on the public internet.

(only as a sidenote)

Some helpful info from this post Cups is affected by a security vulnerability [26 September 2024] - #36 by andrewb

https://seclists.org/oss-sec/2024/q3/281

17 Likes
3

It’s systemd so I have no idea how to read its mixed messages: it was “disabled”, it’s default was “enabled”, and it was “active.”

I just went ahead and sudo systemctl disable --now cups-browsed did this anyway just to put it out mixed message misery.

Thank you for the PSA.

4

Why not uninstall it altogether?

It is in it’s own package, cups-browsed

3 Likes
5

Thanks, I checked and no service could be found, and I found no packages, Firewall fine also. All good. :slight_smile:

6

If you need it sometimes, you’ll never know the new version is available for an update.

There are also some support libraries that will be updated when this all gets fixed.

7

Does this issue affect people who’ve never set up cups? I think the last time I used a printer at home was about 2005.

8

I never had cups-browesed installed in the first place.

9

If it aint running. Then you aren’t affected.

1 Like
10

when a print job is started (from that computer).

So someone would have to have access to your computer… Nasty, but would not affect most of us at home.

1 Like
11

Also not an expert, but shouldn’t the command be sudo firewall-cmd --remove-port=631/udp --permanent so changes persist? Changes not made permanent will not persist across reloads, so if I am not mistaken, after running sudo firewall-cmd --reload the firewall will be open again in your version :thinking:

1 Like
12

If you have cups-remoted not installed, you are fine.

Something else that I think is worth mentioning is that by default EndeavourOS doesn’t install this service and the solution to this whole thing is benign, in my opinion. We shall see how it progresses, but the amount of effort required by an attacker seems to be a large enough pain in the bottom to pull off.

I think one possible solution for this is:

  1. Don’t automatically scan for new printers every single network adapter;
  2. Allow the user to scan for printers on the network when they request to do so;
  3. Notify the user in some way when a new printer is available.
1 Like
13

Is there a simple good alternative to CUPS?
I am looking for a simple UI app that can find and setup my printer without using website.

14

Sadly, it seems no. CUPS is the most modern and up-to-date printer system on Linux, BSD and even MacOS. I honestly wouldn’t be so scared about this if you don’t have cups-browsed installed, which on EndeavourOS seems to be uninstalled by default.

15

Thanks all, for the heads up and making clear what i can do the check and mitigate.
Much appreciated!

16

for those like me who need not read first thing in the morning :sunglasses:

1 Like
17

I noticed an update this morning for cups-browsed. My system has it installed but not running.

18

Just checked and I saw it today - I assume it’s a coincidence, and not a fix already?

19

Exactly my question. . . . I noticed the files updating this morning also. . . so what is now the status?

Rich;)

20

So I went to the arch repos and from there found the git for cups-browserd - there was a commit 3 hours ago referring to the vulnerability: https://gitlab.archlinux.org/archlinux/packaging/packages/cups-browsed/-/commit/4e5ddd505a67a91502381304db11862522178053

Looking at it now, not sure what it’s doing exactly
It adds a CVE-2024-47176.patch that makes the service not listen to cups protocol, apparently. It has the following comment:

Works around CVE-2024-47176, the fix will be complete removal of CUPS
Browsing functionality
4 Likes