TL;DR: All versions of Red Hat Enterprise Linux (RHEL) are affected by CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, but are not vulnerable in their default configurations.
Red Hat has been made aware of a group of vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177) within OpenPrinting CUPS, an open source printing system that is prevalent in most modern Linux distributions, including RHEL. Specifically, CUPS provides tools to manage, discover and share printers for Linux distributions. By chaining this group of vulnerabilities together, an attacker could potentially achieve remote code execution, which could then lead to theft of sensitive data and/or damage to critical production systems.
Red Hat rates these issues with a severity impact of Important. While all versions of RHEL are affected, it is important to note that affected packages are not vulnerable in their default configuration. At this time, there are 4 CVEs assigned to these vulnerabilities, but the exact number is still being coordinated with the upstream community and the researcher who discovered the issue.
Exploitation
Exploitation of these vulnerabilities is possible through the following chain of events:
- The cups-browsed service has manually been enabled or started
- An attacker has access to a vulnerable server, which:
  - Allows unrestricted access, such as from the public internet, or
  - Gains access to an internal network where local connections are trusted
- Attacker advertises a malicious IPP server, thereby provisioning a malicious printer
- A potential victim attempts to print from the malicious device
- Attacker executes arbitrary code on the victim's machine
Detection
Red Hat customers should use the following command to determine if cups-browsed is running:
$ sudo systemctl status cups-browsed
If the result includes "Active: inactive (dead)" then the exploit chain is halted and the system is not vulnerable.
If the result is "running" or "enabled," and the "BrowseRemoteProtocols" directive contains the value "cups" in the configuration file /etc/cups/cups-browsed.conf, then the system is vulnerable.
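The two conditions above (service state plus the BrowseRemoteProtocols directive) can be checked together with a short POSIX shell script. This is an added example, not a script from Red Hat or from the OpenPrinting project; it assumes the configuration file lives at /etc/cups/cups-browsed.conf, that directive names and protocol values are compared case-insensitively, and that the last occurrence of the directive wins. The sample configuration it evaluates first is constructed for the demonstration.

```shell
#!/bin/sh
# Exposure check for the cups-browsed conditions described in the bulletin.
# Added example, not Red Hat's own tooling. Assumptions: config path
# /etc/cups/cups-browsed.conf, case-insensitive directive/value matching,
# last BrowseRemoteProtocols directive wins.

# Print the value list of the last BrowseRemoteProtocols directive in the
# given config file (empty if absent or unreadable). '#' comments are stripped.
browse_remote_protocols() {
    conf="$1"
    [ -r "$conf" ] || return 0
    sed 's/#.*//' "$conf" |
        awk 'tolower($1) == "browseremoteprotocols" { $1 = ""; last = $0 }
             END { print last }'
}

# Return 0 if the config enables the "cups" browse protocol, 1 otherwise.
config_enables_cups_browsing() {
    for proto in $(browse_remote_protocols "$1"); do
        [ "$(printf '%s' "$proto" | tr 'A-Z' 'a-z')" = "cups" ] && return 0
    done
    return 1
}

# Combine both bulletin conditions. $1 is the service state as printed by
# `systemctl is-active` (active/inactive/unknown), $2 is the config path.
# Prints "exposed: ..." or "not-exposed: ..." with the reason.
assess_exposure() {
    state="$1"
    conf="$2"
    if [ "$state" != "active" ]; then
        echo "not-exposed: cups-browsed is $state"
    elif config_enables_cups_browsing "$conf"; then
        echo "exposed: cups-browsed active and BrowseRemoteProtocols includes cups"
    else
        echo "not-exposed: BrowseRemoteProtocols does not include cups"
    fi
}

# Stand-alone run: first a constructed sample config, then the live host if
# systemd is available on it.
sample=$(mktemp)
printf '%s\n' '# constructed sample of /etc/cups/cups-browsed.conf' \
    'BrowseRemoteProtocols dnssd cups' > "$sample"
echo "sample config (service assumed active): $(assess_exposure active "$sample")"
rm -f "$sample"
if command -v systemctl >/dev/null 2>&1; then
    state=$(systemctl is-active cups-browsed 2>/dev/null || true)
    echo "this host: $(assess_exposure "${state:-unknown}" /etc/cups/cups-browsed.conf)"
fi
```

The script deliberately treats anything other than an "active" service as not exposed, mirroring the bulletin's logic that a stopped cups-browsed halts the chain regardless of the configuration file; the configuration is only consulted when the service is running.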
Mitigation
Mitigation of these vulnerabilities is as simple as running two commands, particularly in any environment where printing is not needed.
To stop a running cups-browsed service, an administrator should use the following command:
$ sudo systemctl stop cups-browsed
The cups-browsed service can also be prevented from starting on reboot with:
$ sudo systemctl disable cups-browsed
Red Hat and the wider Linux community are currently working on patches to address these issues as well.
Acknowledgements
Red Hat would like to thank Simone "EvilSocket" Margaritelli for finding and reporting these vulnerabilities and Till Kamppeter (OpenPrinting) for additional coordination support.
For more information
Read the Red Hat Security Bulletin on these vulnerabilities