CVE-2023-24805
📋 TL;DR
CVE-2023-24805 is a command injection vulnerability in cups-filters' Backend Error Handler (beh) that allows remote code execution. Attackers with network access to vulnerable print servers can execute arbitrary system commands with server privileges. This affects systems using cups-filters with beh enabled for network printers on non-macOS operating systems.
💻 Affected Systems
- cups-filters
📦 What is this software?
Cups Filters by Linuxfoundation
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root privileges, allowing an attacker to install persistent backdoors, exfiltrate data, or pivot to other systems.
Likely Case
Printer server compromise leading to data theft, denial of service, or lateral movement within the network.
If Mitigated
Limited impact if network access is restricted and proper input validation is implemented.
🎯 Exploit Status
Exploitation is straightforward, as shown in the advisory. No authentication is required for network-accessible printers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions containing commit 8f2740357 or later
Vendor Advisory: https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-gpxc-v2m8-fr3x
Restart Required: Yes
Instructions:
1. Update the cups-filters package via the system package manager.
2. Restart the CUPS service: 'systemctl restart cups'.
3. Verify the installed version contains the fix commit.
🔧 Temporary Workarounds
Disable beh backend
Linux: Remove or disable the beh backend to prevent exploitation
mv /usr/lib/cups/backend/beh /usr/lib/cups/backend/beh.disabled
systemctl restart cups
Network segmentation
Linux: Restrict network access to print servers
iptables -A INPUT -p tcp --dport 631 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 631 -j DROP
🧯 If You Can't Patch
- Disable network printing or restrict to trusted IPs only
- Implement strict firewall rules blocking port 631 from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check if beh backend exists and cups-filters version is pre-fix: 'ls -la /usr/lib/cups/backend/beh' and 'rpm -q cups-filters' or 'dpkg -l cups-filters'
Check Version:
rpm -q cups-filters --changelog | head -20 OR dpkg -l cups-filters
Verify Fix Applied:
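Verify that the installed cups-filters version includes commit 8f2740357 by checking the package changelog for the fix. 'strings /usr/lib/cups/backend/beh | grep 8f2740357' is not a reliable check, because the commit hash is not normally compiled into the binary and the command returns nothing on patched and unpatched builds alike.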
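The 'Check if Vulnerable' step only looks for the backend file; the following added example (not from the advisory or the cups-filters project) also lists the print queues that are actually routed through beh. It assumes the stock Linux paths /usr/lib/cups/backend/beh and /etc/cups/printers.conf and that beh queues appear as DeviceURI lines starting with beh:; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a CUPS host for use of the beh backend.
# Assumed paths (stock Linux CUPS layout); override via environment.
BACKEND="${BACKEND:-/usr/lib/cups/backend/beh}"
PRINTERS_CONF="${PRINTERS_CONF:-/etc/cups/printers.conf}"

# Print the name of every queue whose DeviceURI uses the beh: scheme.
# printers.conf wraps each queue in <Printer name> or <DefaultPrinter name>.
beh_queues() {
    awk '
        /^<(Default)?Printer / { name = $2; sub(/>$/, "", name) }
        /^DeviceURI[ \t]+beh:/ { print name }
    ' "$1"
}

# Report exposure indicators. Returns 0 if any were found, 1 if none.
audit_beh() {
    conf="$1"; backend="$2"; found=1
    if [ -x "$backend" ]; then
        echo "beh backend is installed and executable: $backend"
        found=0
    fi
    if [ -r "$conf" ]; then
        queues=$(beh_queues "$conf")
        if [ -n "$queues" ]; then
            echo "queues routed through beh:"
            echo "$queues" | sed 's/^/  /'
            found=0
        fi
    else
        echo "cannot read $conf (printers.conf is normally root-only)" >&2
    fi
    return "$found"
}

audit_beh "$PRINTERS_CONF" "$BACKEND" || echo "no beh exposure indicators found"
```

A host that reports the backend as executable but no queues using it is a good candidate for the 'Disable beh backend' workaround, since nothing depends on it.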
📡 Detection & Monitoring
Log Indicators:
- Unusual commands in CUPS error logs
- Suspicious process execution from cupsd
- Failed authentication attempts to printer backend
Network Indicators:
- Unexpected connections to port 631 from external IPs
- Suspicious payloads in print job requests
SIEM Query:
source="cups_access.log" OR source="cups_error.log" | search "beh" OR "system(" OR command injection patterns
🔗 References
- https://github.com/OpenPrinting/cups-filters/commit/8f274035756c04efeb77eb654e9d4c4447287d65
- https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-gpxc-v2m8-fr3x
- https://lists.debian.org/debian-lts-announce/2023/05/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KL2SJMZQ5T5JIH3PMQ2CGCY5TUUE255Y/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNCGL2ZTAS2GFF23QFT55UFWIDMI4ZJK/
- https://security.gentoo.org/glsa/202401-06
- https://www.debian.org/security/2023/dsa-5407