{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47176", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-19T22:32:11.962Z", "datePublished": "2024-09-26T21:13:05.913Z", "dateUpdated": "2024-10-02T19:16:51.368Z"}, "containers": {"cna": {"title": "cups-browsed binds to `INADDR_ANY:631`, trusting any packet from any source", "problemTypes": [{"descriptions": [{"cweId": "CWE-1327", "lang": "en", "description": "CWE-1327: Binding to an Unrestricted IP Address", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8"}, {"name": "https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47"}, {"name": "https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5"}, {"name": "https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6"}, {"name": "https://github.com/OpenPrinting/cups-browsed/blob/master/daemon/cups-browsed.c#L13992", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenPrinting/cups-browsed/blob/master/daemon/cups-browsed.c#L13992"}, {"name": "https://www.cups.org", "tags": ["x_refsource_MISC"], "url": "https://www.cups.org"}, {"name": "https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I", "tags": ["x_refsource_MISC"], "url": "https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I"}], "affected": [{"vendor": "OpenPrinting", "product": "cups-browsed", "versions": [{"version": "<= 2.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-02T19:16:51.368Z"}, "descriptions": [{"lang": "en", "value": "CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to."}], "source": {"advisory": "GHSA-rj88-6mr5-rcw8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-27T19:39:10.340Z"}, "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/09/27/6"}, {"url": "https://github.com/OpenPrinting/cups-browsed/commit/1debe6b140c37e0aa928559add4abcc95ce54aa2"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}, {"affected": [{"vendor": "openprinting", "product": "cups", "cpes": ["cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.0.1", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-27T18:10:15.456578Z", "id": "CVE-2024-47176", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-27T18:13:04.491Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/09/27/6"}, {"url": "https://github.com/OpenPrinting/cups-browsed/commit/1debe6b140c37e0aa928559add4abcc95ce54aa2"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-27T19:39:10.340Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47176", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-27T18:10:15.456578Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*"], "vendor": "openprinting", "product": "cups", "versions": [{"status": "affected", "version": "2.0.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-27T18:12:36.330Z"}}], "cna": {"title": "cups-browsed binds to `INADDR_ANY:631`, trusting any packet from any source", "source": {"advisory": "GHSA-rj88-6mr5-rcw8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OpenPrinting", "product": "cups-browsed", "versions": [{"status": "affected", "version": "<= 2.0.1"}]}], "references": [{"url": "https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8", "name": "https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47", "name": "https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5", "name": "https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6", "name": "https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OpenPrinting/cups-browsed/blob/master/daemon/cups-browsed.c#L13992", "name": "https://github.com/OpenPrinting/cups-browsed/blob/master/daemon/cups-browsed.c#L13992", "tags": ["x_refsource_MISC"]}, {"url": "https://www.cups.org", "name": "https://www.cups.org", "tags": ["x_refsource_MISC"]}, {"url": "https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I", "name": "https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1327", "description": "CWE-1327: Binding to an Unrestricted IP Address"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-02T19:16:51.368Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47176", "state": "PUBLISHED", "dateUpdated": "2024-10-02T19:16:51.368Z", "dateReserved": "2024-09-19T22:32:11.962Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-26T21:13:05.913Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to."}, {"lang": "es", "value": "CUPS es un sistema de impresi\u00f3n de c\u00f3digo abierto basado en est\u00e1ndares, y `cups-browsed` contiene funcionalidades de impresi\u00f3n en red que incluyen, entre otras, servicios de impresi\u00f3n de detecci\u00f3n autom\u00e1tica e impresoras compartidas. `cups-browsed` se vincula a `INADDR_ANY:631`, lo que hace que conf\u00ede en cualquier paquete de cualquier origen, y puede provocar la solicitud IPP `Get-Printer-Attributes` a una URL controlada por el atacante. Debido a la vinculaci\u00f3n del servicio a `*:631 ( INADDR_ANY )`, se pueden explotar varios errores en `cups-browsed` en secuencia para introducir una impresora maliciosa en el sistema. Esta cadena de exploits finalmente permite a un atacante ejecutar comandos arbitrarios de forma remota en la m\u00e1quina de destino sin autenticaci\u00f3n cuando se inicia un trabajo de impresi\u00f3n. Esto plantea un riesgo de seguridad significativo en la red. Cabe destacar que esta vulnerabilidad es particularmente preocupante ya que se puede explotar desde Internet p\u00fablico, lo que potencialmente expone una gran cantidad de sistemas a ataques remotos si sus servicios CUPS est\u00e1n habilitados."}], "id": "CVE-2024-47176", "lastModified": "2024-11-21T09:39:28.853", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-26T22:15:04.497", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/OpenPrinting/cups-browsed/blob/master/daemon/cups-browsed.c#L13992"}, {"source": "security-advisories@github.com", "url": "https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8"}, {"source": "security-advisories@github.com", "url": "https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47"}, {"source": "security-advisories@github.com", "url": "https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5"}, {"source": "security-advisories@github.com", "url": "https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6"}, {"source": "security-advisories@github.com", "url": "https://www.cups.org"}, {"source": "security-advisories@github.com", "url": "https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/09/27/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/OpenPrinting/cups-browsed/commit/1debe6b140c37e0aa928559add4abcc95ce54aa2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1327"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:7551", "cpe": "cpe:/o:redhat:rhel_aus:7.7", "package": "cups-filters-0:1.0.35-26.el7_7.3", "product_name": "Red Hat Enterprise Linux 7.7 Advanced Update Support", "release_date": "2024-10-02T00:00:00Z"}, {"advisory": "RHSA-2024:7553", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "cups-filters-0:1.0.35-29.el7_9.3", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-10-02T00:00:00Z"}, {"advisory": "RHSA-2024:7463", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "cups-filters-0:1.20.0-35.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:7461", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "cups-filters-0:1.20.0-19.el8_2.2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:7504", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "cups-filters-0:1.20.0-24.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-10-02T00:00:00Z"}, {"advisory": "RHSA-2024:7504", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "cups-filters-0:1.20.0-24.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-10-02T00:00:00Z"}, {"advisory": "RHSA-2024:7504", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "cups-filters-0:1.20.0-24.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-10-02T00:00:00Z"}, {"advisory": "RHSA-2024:7623", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "cups-filters-0:1.20.0-27.el8_6.3", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-10-03T00:00:00Z"}, {"advisory": "RHSA-2024:7623", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "cups-filters-0:1.20.0-27.el8_6.3", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-10-03T00:00:00Z"}, {"advisory": "RHSA-2024:7623", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "cups-filters-0:1.20.0-27.el8_6.3", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-10-03T00:00:00Z"}, {"advisory": "RHSA-2024:7462", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "cups-filters-0:1.20.0-29.el8_8.3", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:7346", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "cups-filters-0:1.28.7-17.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-09-27T00:00:00Z"}, {"advisory": "RHSA-2024:7506", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "cups-filters-0:1.28.7-10.el9_0.2", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-10-02T00:00:00Z"}, {"advisory": "RHSA-2024:7503", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "cups-filters-0:1.28.7-11.el9_2.2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-10-02T00:00:00Z"}], "bugzilla": {"description": "cups-browsed: cups-browsed binds on UDP INADDR_ANY:631 trusting any packet from any source", "id": "2314252", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2314252"}, "csaw": true, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-940", "details": ["CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.", "A security issue was found in OpenPrinting CUPS.\nThe function ppdCreatePPDFromIPP2 in the libppd library is responsible for generating a PostScript Printer Description (PPD) file based on attributes retrieved from an Internet Printing Protocol (IPP) response. Essentially, it takes printer information, usually obtained via IPP, and creates a corresponding PPD file that describes the printer's capabilities (such as supported media sizes, resolutions, color modes, etc.).\nPPD files are used by printing systems like CUPS (Common Unix Printing System) to communicate with and configure printers. They provide a standardized format that allows different printers to work with the printing system in a consistent way.\nA security issue was discovered in OpenPrinting CUPS. The `cups-browsed` component is responsible for discovering printers on a network and adding them to the system. In order to do so, the service uses two distinct protocols. For the first one, the service binds on all interfaces on UDP port 631 and accepts a custom packet from any untrusted source. This is exploitable from outside the LAN if the computer is exposed on the public internet. The service also listens for DNS-SD / mDNS advertisements trough AVAHI. In both cases, when a printer is discovered by either the UDP packet or mDNS, its IPP or IPPS url is automatically contacted by cups-browsed and a `Get-Printer-Attributes` request is sent to it which can leak potentially sensitive system information to an attacker via the User-Agent header."], "mitigation": {"lang": "en:us", "value": "See the security bulletin for a detailed mitigation procedure."}, "name": "CVE-2024-47176", "public_date": "2024-09-26T20:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-47176\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47176\nhttps://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8\nhttps://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/"], "statement": "The cups-browsed service is disabled by default on all versions of RHEL.", "threat_severity": "Important"}