H3-2024-0052¶

CUPS-browsed Server Side Request Forgery Vulnerability

Description¶

The cups-browsed service has an SSRF vulnerability (H3-2024-0052) that allows remote attackers to trigger malicious IPP requests to an attacker-controlled URL. This vulnerability can lead to the addition of a printer that could be exploited via other vulnerabilities to achieve Remote Code Execution (RCE). Specifically, it abuses vulnerabilities in the CUPS system (such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177) where inadequate validation and sanitization of IPP attributes allow attacker-controlled data to be injected into PPD files, ultimately leading to arbitrary command execution. Additionally, the callback to the attacker-controlled URL results in information disclosure about the Linux system. This vulnerability abuses the same issue in CUPS as CVE-2024-47176.

Impact¶

A remote attacker can exploit this to replace or add printer URLs, enabling arbitrary command execution when print jobs are initiated, affecting numerous Unix-based systems.

References¶

• Attacking UNIX Systems via CUPS, Part I
• Ubuntu CUPS Remote Code Execution Vulnerability Fix Available
• Red Hat's response to OpenPrinting CUPS vulnerabilities
• NVD: CVE-2024-47176
• Metasploit: CUPS IPP Attributes LAN Remote Code Execution
• Nuclei: CUPS - Remote Code Execution