ISN 2024-19: CUPS Vulnerabilities

First published 31 October 2024

CVSS 3.1: 7.8 (High)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Critical and high-severity vulnerabilities have been found in CUPS 2.x, which is used in IGEL OS. They affect the following IGEL products:

  • IGEL OS 12

  • IGEL OS 11

Details

CUPS is a standards-based, open-source printing system, and cups-filters provides backends, filters, and other software for CUPS 2.x to use on non-macOS systems.

In IGEL OS, we are affected by CVE-2024-47177: any value passed to 'FoomaticRIPCommandLine' via a PPD file will be executed as a user-controlled command. However, we are not affected by the public exploit, which uses CVE-2024-47176, because we do not use 'cups-browsed' by default. Because the attack chain is already interrupted by not using 'cups-browsed' and the remote protocol, CVE-2024-47175 is mitigated.
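As a review aid for the CVE-2024-47177 condition described above, the following added example (not IGEL or CUPS code) lists every installed PPD that carries a 'FoomaticRIPCommandLine' directive, so that the values can be checked until the update is installed. The default path /etc/cups/ppd is the usual CUPS location and is an assumption for IGEL OS; the sample PPD fragment is constructed.

```python
"""Audit PPD files for FoomaticRIPCommandLine directives (CVE-2024-47177 review aid)."""
import re
import sys
from pathlib import Path

# A PPD quoted value may span several lines; it ends at the next double quote.
CMDLINE_RE = re.compile(r'^\*FoomaticRIPCommandLine:\s*"(.*?)"', re.M | re.S)
# cupsFilter / cupsFilter2 lines name the filter program that processes jobs.
FILTER_RE = re.compile(r'^\*cupsFilter2?:\s*"([^"]*)"', re.M)


def audit_ppd(text):
    """Return the directive values in one PPD and whether foomatic-rip is its filter."""
    # Collapse line breaks and runs of spaces so each value prints on one line.
    commands = [" ".join(m.split()) for m in CMDLINE_RE.findall(text)]
    filters = [f.split() for f in FILTER_RE.findall(text)]
    uses_rip = any(f[-1].endswith("foomatic-rip") for f in filters if f)
    return {"commands": commands, "uses_foomatic_rip": uses_rip}


def audit_dir(ppd_dir):
    """Map each PPD file that carries the directive to its audit result."""
    findings = {}
    for path in sorted(Path(ppd_dir).glob("*.ppd")):
        result = audit_ppd(path.read_text(errors="replace"))
        if result["commands"]:
            findings[str(path)] = result
    return findings


# Constructed sample PPD fragment with a benign, multi-line directive.
SAMPLE_PPD = '''*PPD-Adobe: "4.3"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dNOPAUSE
 -sDEVICE=ljet4 -sOutputFile=- -"
*End
'''

if __name__ == "__main__":
    # Assumed default location; pass another directory as the first argument.
    ppd_dir = sys.argv[1] if len(sys.argv) > 1 else "/etc/cups/ppd"
    for name, result in audit_dir(ppd_dir).items():
        for cmd in result["commands"]:
            print(f"{name}: foomatic-rip filter={result['uses_foomatic_rip']}: {cmd}")
```

Printer drivers generated by Foomatic legitimately contain this directive, so a listed file is a candidate for review rather than proof of tampering.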

Update Instructions

  • OS 12: Update to IGEL OS version 12.5.1 when available in November.

  • OS 11: Update to IGEL OS version 11.10.210 available in November.
