CVE-2024-47850 Overview
CVE-2024-47850 affects CUPS cups-browsed versions before 2.5b1. On receipt of a single UDP packet that asks for a new printer to be added (a legacy CUPS browse packet on port 631), the daemon sends an HTTP POST request, the IPP Get-Printer-Attributes probe of the advertised printer, to whatever destination host and port the packet names. Because the trigger is a small UDP datagram whose source address can be spoofed, exposed cups-browsed hosts can be used as reflectors for Distributed Denial of Service (DDoS) amplification attacks. The flaw is distinct from CVE-2024-47176, which covers cups-browsed binding UDP port 631 on all interfaces and trusting packets from any source in the same component. The weakness is categorized as Uncontrolled Resource Consumption [CWE-400].
Critical Impact
A single UDP packet, whose source address can be spoofed, causes cups-browsed to open a TCP connection and emit an HTTP POST request to an arbitrary host and port, so the daemon can be used as a reflector in amplification-based DDoS attacks against third-party targets.
Affected Products
- OpenPrinting CUPS cups-browsed versions prior to 2.5b1
- Linux distributions shipping vulnerable cups-browsed packages
- NetApp products referencing the upstream CUPS component per advisory NTAP-20241011-0002
Discovery Timeline
- 2024-10-04 - CVE-2024-47850 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-47850
Vulnerability Analysis
cups-browsed listens on UDP port 631 for legacy CUPS browse packets that advertise printers on the network. When the daemon receives such a packet, it parses the announced printer URI and issues an outbound HTTP POST (an IPP Get-Printer-Attributes request) to probe the device. The destination host and port are taken from the attacker-controlled URI without validation. An attacker therefore sends a crafted browse packet whose URI names the intended victim's IP address and port, and the daemon opens a TCP connection to that target and sends the probe. Because the trigger is UDP, its source address can be spoofed, so the party sending the packet is decoupled both from the cups-browsed host and from the victim that receives the probe traffic. The asymmetry between the small UDP trigger and the larger TCP handshake plus HTTP request yields amplification, and the availability impact falls on the chosen victim rather than on the cups-browsed host. Note that the reflected traffic is TCP: a victim that refuses or drops the connection receives only the SYN (and its retransmissions), not the full POST, so the effective amplification factor depends on how the victim responds. See the GitHub Security Advisory GHSA-rq86-c7g6-r2h8 for upstream technical context.
Root Cause
The root cause is missing validation and rate-limiting on the destination of probe requests generated from browse packets. cups-browsed trusts the URI in the inbound packet and issues outbound HTTP traffic to any host and port it specifies: there is no allowlist of probe destinations, no check that the announced host is consistent with the network the packet arrived from, and no throttle on repeated requests for the same destination.
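The decision described in the two paragraphs above, reconstructed as an added Python example rather than cups-browsed's own code: probe_target_unvalidated does what the vulnerable daemon does (host and port come straight from the announced URI), and ProbePolicy shows the missing controls side by side (destination allowlist, port allowlist, a consistency check between the URI host and the UDP source, and a per-destination rate limit). The packet layout (hex printer type, hex state, URI, then quoted location/info/make-model strings) follows the legacy CUPS browsing format; the sample packets, subnets and thresholds are constructed for illustration.

```python
"""
Added example, not cups-browsed's own code.  Reconstructs the choice of probe
destination from a legacy CUPS browse packet, vulnerable and hardened.
Assumed packet layout: <type-hex> <state-hex> <uri> "location" "info" "make-model"
Sample packets, subnets and thresholds below are constructed.
"""
import ipaddress
import re
import time
from urllib.parse import urlsplit

_BROWSE_RE = re.compile(r'^([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\S+)(.*)$')


def parse_browse_packet(packet):
    """Split a browse packet into printer type, state, URI and quoted strings."""
    m = _BROWSE_RE.match(packet.strip())
    if not m:
        raise ValueError("not a browse packet")
    ptype, state, uri, rest = m.groups()
    strings = re.findall(r'"([^"]*)"', rest)
    return {"type": int(ptype, 16), "state": int(state, 16), "uri": uri,
            "location": strings[0] if len(strings) > 0 else "",
            "info": strings[1] if len(strings) > 1 else ""}


def probe_target_unvalidated(packet):
    """Vulnerable behaviour: probe host and port come straight from the URI."""
    u = urlsplit(parse_browse_packet(packet)["uri"])
    return u.hostname, u.port or 631   # 631 assumed when the URI has no port


class ProbePolicy:
    """Hardened behaviour: only probe literal addresses inside known printer
    subnets, on allowed ports, at most max_per_minute times per destination.
    Production code would resolve hostnames and check every resolved address."""

    def __init__(self, allowed_nets, allowed_ports=(631,), max_per_minute=5,
                 clock=time.monotonic):
        self.nets = [ipaddress.ip_network(n) for n in allowed_nets]
        self.ports = set(allowed_ports)
        self.max = max_per_minute
        self.clock = clock
        self._hits = {}   # (host, port) -> timestamps of recent probes

    def probe_target(self, packet, src_addr):
        p = parse_browse_packet(packet)
        u = urlsplit(p["uri"])
        if u.scheme not in ("ipp", "ipps", "http", "https") or not u.hostname:
            return None, "bad-scheme"
        port = u.port or 631
        try:
            host_ip = ipaddress.ip_address(u.hostname)
        except ValueError:
            return None, "hostname-not-ip"
        if not any(host_ip in n for n in self.nets):
            return None, "host-not-allowed"
        if port not in self.ports:
            return None, "port-not-allowed"
        # A print server announces itself, so the URI host should be the sender.
        # This is a consistency check only: UDP sources can be spoofed, which is
        # why the allowlist and the rate limit above and below still matter.
        if str(host_ip) != src_addr:
            return None, "uri-host-differs-from-source"
        now = self.clock()
        key = (str(host_ip), port)
        recent = [t for t in self._hits.get(key, []) if now - t < 60]
        if len(recent) >= self.max:
            self._hits[key] = recent
            return None, "rate-limited"
        recent.append(now)
        self._hits[key] = recent
        return key, "ok"


# Constructed sample packets (not captured traffic)
LEGIT = '0 3 ipp://10.0.5.20:631/printers/floor2 "Floor 2" "LaserJet" "HP LaserJet M404"'
ATTACK = '0 3 http://203.0.113.9:80/printers/x "loc" "info"'


def demo():
    policy = ProbePolicy(allowed_nets=["10.0.5.0/24"])
    return {
        "unvalidated_attack": probe_target_unvalidated(ATTACK),
        "hardened_attack": policy.probe_target(ATTACK, src_addr="10.0.5.20"),
        "hardened_legit": policy.probe_target(LEGIT, src_addr="10.0.5.20"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running demo() shows the unvalidated path handing back the attacker's chosen destination (203.0.113.9 on port 80) while the policy rejects it as outside the printer subnet and accepts the legitimate announcement.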
Attack Vector
The attack vector is network-based and unauthenticated. An attacker sends one or more browse packets to UDP/631 with a spoofed source address and a printer URI that points at the intended DDoS victim. Each packet causes cups-browsed to open a TCP connection and send an HTTP POST request toward the victim. Mass exploitation across many exposed cups-browsed hosts produces aggregated reflected traffic with the cups-browsed hosts, not the attacker, as its apparent source. The Akamai analysis of the October 2024 CUPS DDoS threat documents the amplification potential of the broader cups-browsed issue.
No verified public proof-of-concept code is referenced in the advisory data. Refer to the Openwall oss-security discussion and the OpenPrinting CUPS repository for upstream technical detail.
Detection Methods for CVE-2024-47850
Indicators of Compromise
- Unexpected outbound HTTP POST requests from hosts running cups-browsed to non-printer IP addresses or non-standard ports.
- Inbound IPP browse packets on UDP/631 from external or untrusted networks, particularly with printer URIs referencing third-party hosts.
- Spikes in cups-browsed process activity or connection counts correlated with inbound UDP/631 traffic.
Detection Strategies
- Monitor UDP/631 ingress on Linux servers and workstations and flag traffic sourced from outside the print management subnet; because the trigger's source address can be spoofed, also baseline UDP/631 volumes from internal sources rather than trusting the address alone.
- Correlate inbound IPP packets with subsequent outbound HTTP POST requests from the same host to identify reflection behavior.
- Inspect cups-browsed logs for entries showing printer discovery probes directed at unusual destinations.
Monitoring Recommendations
- Add network detection rules for IPP browse packets from non-RFC1918 sources targeting UDP/631.
- Track outbound HTTP request volumes per host to identify reflection patterns consistent with DDoS amplification.
- Alert on cups-browsed initiating connections to IP addresses outside an approved printer inventory.
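The correlation described in the detection and monitoring lists above, as an added example that is not part of the original advisory: it runs over constructed flow records (timestamp, protocol, addresses, ports), flags UDP/631 triggers from non-RFC1918 sources, and flags outbound TCP connections from a cups-browsed host to non-inventory destinations that follow a trigger within a short window, then counts reflected connections per destination. The record layout, the 5-second window, the cups-browsed host list and the printer inventory are assumptions; adapt them to your flow or firewall log format.

```python
"""
Added detection example, not from the advisory's sources.  Correlates inbound
UDP/631 datagrams with subsequent outbound TCP connections from cups-browsed
hosts.  Flow records, inventory, host list and window are constructed.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed flow records: (timestamp, proto, src_ip, src_port, dst_ip, dst_port)
FLOWS = [
    (100.0, "udp", "198.51.100.7", 40000, "10.0.1.5", 631),     # external browse trigger
    (100.4, "tcp", "10.0.1.5", 51000, "203.0.113.9", 80),        # reflected probe, non-printer host
    (100.5, "udp", "198.51.100.7", 40001, "10.0.1.5", 631),
    (100.9, "tcp", "10.0.1.5", 51001, "203.0.113.9", 80),
    (200.0, "udp", "10.0.5.20", 631, "10.0.1.5", 631),          # legitimate print server announcement
    (200.3, "tcp", "10.0.1.5", 51002, "10.0.5.20", 631),         # probe to an inventoried printer
    (300.0, "tcp", "10.0.1.5", 51003, "203.0.113.50", 443),      # unrelated outbound, no trigger
]

CUPS_HOSTS = {"10.0.1.5"}          # hosts known to run cups-browsed (assumed)
PRINTER_INVENTORY = {"10.0.5.20"}  # approved printer/print-server addresses (assumed)
WINDOW = 5.0                        # seconds between trigger and probe (assumed)

# RFC1918 only: ipaddress.is_private also covers documentation ranges, which
# would hide the external 198.51.100.0/24 source used in the sample above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def detect_reflection(flows, cups_hosts=CUPS_HOSTS, inventory=PRINTER_INVENTORY,
                      window=WINDOW):
    """Return alert tuples (kind, cups_host, peer, timestamp).
    external-browse-trigger: UDP/631 to a cups-browsed host from a non-RFC1918 source.
    reflected-probe: outbound TCP from a cups-browsed host to a non-inventory
    destination within `window` seconds of any inbound UDP/631 datagram."""
    alerts = []
    triggers = defaultdict(list)   # cups host -> [(ts, source ip)]
    for ts, proto, sip, sport, dip, dport in sorted(flows):
        if proto == "udp" and dport == 631 and dip in cups_hosts:
            triggers[dip].append((ts, sip))
            if not is_rfc1918(sip):
                alerts.append(("external-browse-trigger", dip, sip, ts))
        elif proto == "tcp" and sip in cups_hosts and dip not in inventory:
            if any(0 <= ts - t <= window for t, _ in triggers[sip]):
                alerts.append(("reflected-probe", sip, dip, ts))
    return alerts


def reflection_targets(alerts):
    """Count reflected probes per destination: the victim list for a DDoS report."""
    return dict(Counter(peer for kind, _, peer, _ in alerts if kind == "reflected-probe"))


if __name__ == "__main__":
    found = detect_reflection(FLOWS)
    for alert in found:
        print(alert)
    print("targets:", reflection_targets(found))
```

The probe at 200.3 to an inventoried print server and the connection at 300.0 with no recent trigger produce no alerts, which keeps normal discovery traffic out of the reflected-probe count.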
How to Mitigate CVE-2024-47850
Immediate Actions Required
- Upgrade cups-browsed to version 2.5b1 or later, or apply distribution backports referenced in vendor advisories such as NetApp NTAP-20241011-0002.
- Block inbound UDP/631 at perimeter firewalls and restrict it to trusted print management VLANs internally.
- Stop and disable cups-browsed on systems that do not require automatic printer discovery.
Patch Information
The fix is included in cups-browsed 2.5b1 and tracked in the OpenPrinting project. Review the GitHub Security Advisory GHSA-rq86-c7g6-r2h8 for the corrected source and the OpenPrinting CUPS repository for commit history. Apply vendor packages from your Linux distribution once available.
Workarounds
- Disable the cups-browsed service with systemctl disable --now cups-browsed where automatic printer discovery is not required.
- Restrict UDP/631 ingress using host firewalls such as iptables or nftables to allow only known print servers. Because the trigger's source address can be spoofed, source-based rules on an exposed host are not sufficient on their own; pair them with perimeter filtering of UDP/631 and anti-spoofing ingress filtering, or prefer disabling the protocol outright.
- Set BrowseRemoteProtocols none in /etc/cups/cups-browsed.conf to suppress processing of remote browse packets. This also disables DNS-SD (mDNS) discovery; to keep DNS-SD and drop only the legacy UDP browse protocol, set BrowseRemoteProtocols dnssd instead.
# Configuration example
# Option 1: stop the daemon where automatic printer discovery is not needed
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
# Or restrict inbound browse traffic at the host firewall
# (replace 10.0.0.0/8 with your print management subnet; spoofed datagrams
# can carry an allowed source address, so also filter UDP/631 at the perimeter)
sudo iptables -A INPUT -p udp --dport 631 ! -s 10.0.0.0/8 -j DROP
# IPv6 is a separate table; this assumes no IPv6 print servers
sudo ip6tables -A INPUT -p udp --dport 631 -j DROP
# Or harden cups-browsed by disabling remote browse processing
# ("none" also disables DNS-SD discovery; use "dnssd" to keep mDNS discovery)
echo 'BrowseRemoteProtocols none' | sudo tee -a /etc/cups/cups-browsed.conf
sudo systemctl restart cups-browsed
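A check for the third workaround, added here and not part of cups-browsed: it reports the BrowseRemoteProtocols value a cups-browsed.conf would yield, so the appended directive can be verified rather than assumed, and it catches a later line that silently re-enables the legacy protocol. It assumes the last uncommented directive wins, that directive names are matched case-insensitively, and a pre-fix default of dnssd cups when the directive is absent; the sample configurations are constructed.

```python
"""
Added audit example, not cups-browsed's own code.  Computes the effective
BrowseRemoteProtocols setting from cups-browsed.conf text.
Assumptions: last uncommented directive wins, directive names are
case-insensitive, and the pre-fix default is "dnssd cups".
Sample configurations are constructed.
"""

DEFAULT_REMOTE_PROTOCOLS = ("dnssd", "cups")   # assumed pre-fix default


def effective_browse_remote_protocols(conf_text):
    """Return the set of remote browse protocols the daemon would honour.
    Comments (from '#' to end of line) are ignored; 'none' clears the set."""
    protocols = set(DEFAULT_REMOTE_PROTOCOLS)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() != "browseremoteprotocols":
            continue
        protocols = set()
        for token in parts[1:]:
            if token.lower() != "none":
                protocols.add(token.lower())
    return protocols


def legacy_cups_browsing_enabled(conf_text):
    """True when the legacy UDP/631 'cups' browse protocol is still processed."""
    return "cups" in effective_browse_remote_protocols(conf_text)


def audit(conf_text):
    """Summarise the finding as (sorted protocols, legacy enabled, message)."""
    protocols = effective_browse_remote_protocols(conf_text)
    enabled = "cups" in protocols
    msg = ("legacy CUPS browsing ENABLED: remote UDP/631 browse packets are processed"
           if enabled else "legacy CUPS browsing disabled")
    return sorted(protocols), enabled, msg


# Constructed sample configurations
CONF_DEFAULT_COMMENTED = """# BrowseRemoteProtocols dnssd cups
BrowseLocalProtocols dnssd
"""
CONF_APPENDED_NONE = CONF_DEFAULT_COMMENTED + "BrowseRemoteProtocols none\n"
CONF_DNSSD_ONLY = "BrowseRemoteProtocols dnssd\n"
CONF_REENABLED = "BrowseRemoteProtocols none\nBrowseRemoteProtocols dnssd cups\n"


if __name__ == "__main__":
    for name, text in [("default", CONF_DEFAULT_COMMENTED), ("appended none", CONF_APPENDED_NONE),
                       ("dnssd only", CONF_DNSSD_ONLY), ("re-enabled later", CONF_REENABLED)]:
        print(name, "->", audit(text))
```

Run it against /etc/cups/cups-browsed.conf after applying the workaround; the CONF_REENABLED case shows why the whole file, not just the appended line, has to be read.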
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


