SentinelOne
CVE Vulnerability Database
Vulnerability Database/CVE-2024-47176

CVE-2024-47176: CUPS cups-browsed RCE Vulnerability

CVE-2024-47176 is a remote code execution vulnerability in CUPS cups-browsed that allows unauthenticated attackers to execute arbitrary commands when combined with related flaws. This article covers technical details, impact, and mitigation.

Updated:

CVE-2024-47176 Overview

CUPS is a standards-based, open-source printing system, and cups-browsed contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. cups-browsed binds to INADDR_ANY:631, causing it to trust any packet from any source, and can cause the Get-Printer-Attributes IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.

Critical Impact

This vulnerability can enable remote attackers to execute arbitrary commands without authentication by leveraging a malicious IPP request to a compromised URL.

Affected Products

  • openprinting cups-browsed

Discovery Timeline

  • Not Available - Vulnerability discovered by Not Available
  • Not Available - Responsible disclosure to openprinting
  • Not Available - CVE CVE-2024-47176 assigned
  • Not Available - openprinting releases security patch
  • 2024-09-26 - CVE CVE-2024-47176 published to NVD
  • 2025-11-04 - Last updated in NVD database

Technical Details for CVE-2024-47176

Vulnerability Analysis

This vulnerability arises due to cups-browsed listening on INADDR_ANY:631 without adequate validation of source IPs. The system incorrectly trusts incoming packets, allowing attackers to manipulate the Get-Printer-Attributes request to execute malicious activities remotely.

Root Cause

The root cause is improper network binding and trust relationships set within cups-browsed, allowing untrusted packets to be processed as legitimate requests.

Attack Vector

The attack is executed over the network by sending specially crafted IPP requests to the affected service running on the target machine.

c
// Example exploitation code (sanitized)
#include <stdio.h>
int main() {
    printf("Exploiting CVE-2024-47176 via IPP request\n");
    // Craft and send malicious IPP request logic
    return 0;
}

Detection Methods for CVE-2024-47176

Indicators of Compromise

  • Unusual IPP request logs
  • Unexpected system behavior when interacting with network printers
  • Logs from unfamiliar IP addresses attempting to interact with printers

Detection Strategies

Utilize IDS/IPS systems to monitor and alert on anomalous IPP requests, especially those aimed at port 631. Employ network logging to track unauthorized attempts at accessing printing services.

Monitoring Recommendations

Continuously monitor logs for cups-browsed and correlate network activity with access attempts from external IP addresses, focusing on IPP traffic anomalies.

How to Mitigate CVE-2024-47176

Immediate Actions Required

  • Restrict cups-browsed access to known IP ranges
  • Monitor for suspicious IPP traffic
  • Regularly update printing software and system packages

Patch Information

Apply the official patch provided by OpenPrinting, available at OpenPrinting Cups-browsed Commit.

Workarounds

As a temporary measure, consider disabling network printing through cups-browsed and use firewall rules to restrict access.

bash
# Configuration example
sudo iptables -A INPUT -p tcp --dport 631 -s <trusted-ip> -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 631 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne