TL;DR: All versions of Red Hat Enterprise Linux (RHEL) are affected by CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, but are not vulnerable in their default configurations.
Red Hat has been made aware of a group of vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177) within OpenPrinting CUPS, an open source printing system that is prevalent in most modern Linux distributions, including RHEL. Specifically, CUPS provides tools to manage, discover and share printers for Linux distributions. By chaining this group of vulnerabilities together, an attacker could potentially achieve remote code execution, which could then lead to theft of sensitive data and/or damage to critical production systems.
Red Hat rates these issues with a severity impact of Important. While all versions of RHEL are affected, it is important to note that affected systems are not vulnerable in their default configuration. At this time, there are four CVEs assigned to these vulnerabilities, but the exact number is still being coordinated with the upstream community and the researcher who discovered the problem.
Exploitation
Exploitation of these vulnerabilities is possible through the following chain of events:
- The cups-browsed service has manually been enabled or started
- An attacker has access to a vulnerable server, which:
  - Allows unrestricted access, such as the public internet, or
  - Gains access to an internal network where local connections are trusted
- Attacker advertises a malicious IPP server, thereby provisioning a malicious printer
- A potential victim attempts to print from the malicious device
- Attacker executes arbitrary code on victim’s machine
Detection
Red Hat customers should use the following command to determine if cups-browsed is running:
$ sudo systemctl status cups-browsed
If the result includes “Active: inactive (dead)” then the exploit chain is halted and the system is not vulnerable.
If the result is “running” or “enabled,” and the “BrowseRemoteProtocols” directive contains the value “cups” in the configuration file /etc/cups/cups-browsed.conf, then the system is vulnerable.
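The two conditions above can be checked together on each host. The script below is an added example, not Red Hat's code; the function names and result strings are made up for it, and it flags the configuration if any uncommented BrowseRemoteProtocols line lists cups.

```shell
#!/bin/sh
# Added example: applies the two conditions from the Detection section.
# Function names and result strings are hypothetical, chosen for this example.

# Succeeds if any uncommented BrowseRemoteProtocols line in file $1 lists "cups".
conf_lists_cups() {
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == "browseremoteprotocols" {  # directive name, any case
            for (i = 2; i <= NF; i++) {
                n = split($i, parts, ",")         # tolerate comma-separated values
                for (j = 1; j <= n; j++)
                    if (tolower(parts[j]) == "cups") found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# $1 = output of `systemctl is-active`, $2 = output of `systemctl is-enabled`,
# $3 = path to cups-browsed.conf
classify_cups_browsed() {
    if [ "$1" != "active" ] && [ "$2" != "enabled" ]; then
        echo "halted"                      # service neither running nor enabled
    elif conf_lists_cups "$3"; then
        echo "vulnerable"                  # both conditions from the text hold
    else
        echo "service-on-cups-not-listed"  # service on, directive does not list cups
    fi
}

# Live check, run only where systemctl is available.
if command -v systemctl >/dev/null 2>&1; then
    active=$(systemctl is-active cups-browsed 2>/dev/null || true)
    enabled=$(systemctl is-enabled cups-browsed 2>/dev/null || true)
    echo "cups-browsed: $(classify_cups_browsed "$active" "$enabled" /etc/cups/cups-browsed.conf)"
fi
```
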
Mitigation
Mitigation of these vulnerabilities is as simple as running two commands, especially in any environment where printing is not needed.
To stop a running cups-browsed service, an administrator should use the following command:
$ sudo systemctl stop cups-browsed
The cups-browsed service can also be prevented from starting on reboot with:
$ sudo systemctl disable cups-browsed
Red Hat and the broader Linux community are currently working on patches to address these issues as well.
Acknowledgements
Red Hat would like to thank Simone “EvilSocket” Margaritelli for discovering and reporting these vulnerabilities and Till Kamppeter (OpenPrinting) for additional coordination support.
For more information
Read the Red Hat Security Bulletin on these vulnerabilities