CUPS is a standards-based, open-source printing system, and cups-browsed contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. cups-browsed binds to INADDR_ANY:631, causing it to trust any packet from any source, and can cause the Get-Printer-Attributes IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.
Weakness
The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cups-browsed | Openprinting | 2.0.1 (including) | 2.0.1 (including) |
| Red Hat Enterprise Linux 7.7 Advanced Update Support | RedHat | cups-filters-0:1.0.35-26.el7_7.3 | * |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | RedHat | cups-filters-0:1.0.35-29.el7_9.3 | * |
| Red Hat Enterprise Linux 8 | RedHat | cups-filters-0:1.20.0-35.el8_10 | * |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | cups-filters-0:1.20.0-19.el8_2.2 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | cups-filters-0:1.20.0-24.el8_4.2 | * |
| Red Hat Enterprise Linux 8.4 Telecommunications Update Service | RedHat | cups-filters-0:1.20.0-24.el8_4.2 | * |
| Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | RedHat | cups-filters-0:1.20.0-24.el8_4.2 | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | cups-filters-0:1.20.0-27.el8_6.3 | * |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | cups-filters-0:1.20.0-27.el8_6.3 | * |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | cups-filters-0:1.20.0-27.el8_6.3 | * |
| Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | cups-filters-0:1.20.0-29.el8_8.3 | * |
| Red Hat Enterprise Linux 9 | RedHat | cups-filters-0:1.28.7-17.el9_4 | * |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | RedHat | cups-filters-0:1.28.7-10.el9_0.2 | * |
| Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | cups-filters-0:1.28.7-11.el9_2.2 | * |
| Cups-browsed | Ubuntu | devel | * |
| Cups-browsed | Ubuntu | noble | * |
| Cups-filters | Ubuntu | esm-infra/bionic | * |
| Cups-filters | Ubuntu | esm-infra/focal | * |
| Cups-filters | Ubuntu | esm-infra/xenial | * |
| Cups-filters | Ubuntu | focal | * |
| Cups-filters | Ubuntu | jammy | * |
Extended Description
When a server binds to the address 0.0.0.0, it allows connections from every IP address on the local machine, effectively exposing the server to every possible network. This might be much broader access than intended by the developer or administrator, who might only be expecting the server to be reachable from a single interface/network.
Potential Mitigations
Related Attack Patterns
References
- https://github.com/OpenPrinting/cups-browsed/blob/master/daemon/cups-browsed.c#L13992
- https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
- https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47
- https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5
- https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6
- https://www.cups.org
- https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I
- http://www.openwall.com/lists/oss-security/2024/09/27/6
- http://www.openwall.com/lists/oss-security/2025/09/11/2
- https://github.com/OpenPrinting/cups-browsed/commit/1debe6b140c37e0aa928559add4abcc95ce54aa2
- https://lists.debian.org/debian-lts-announce/2024/09/msg00048.html
- https://security.netapp.com/advisory/ntap-20241011-0001/