CVE-2024-47175
📋 TL;DR
CVE-2024-47175 is a vulnerability in CUPS libppd: the ppdCreatePPDFromIPP2 function fails to sanitize IPP attributes when creating the PPD buffer. When it is used in combination with other functions such as cfGetPrinterAttributes5, user-controlled input can reach that buffer and lead to code execution via Foomatic. Systems using CUPS with libppd for legacy PPD file support are affected.
💻 Affected Systems
- CUPS
- cups-browsed
- cups-filters
- libcupsfilters
- libppd
📦 What is this software?
libppd by OpenPrinting
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to full system compromise, potentially as part of an exploit chain with CVE-2024-47176.
Likely Case
Local privilege escalation or limited code execution in printing-related contexts.
If Mitigated
Denial of service or information disclosure if exploitation is partially blocked.
🎯 Exploit Status
Exploitation requires chaining with other functions and potentially CVE-2024-47176 for full RCE.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check respective GitHub security advisories for specific fixed versions
Vendor Advisory: https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6
Restart Required: Yes
Instructions:
1. Update CUPS and related packages through your distribution's package manager.
2. Restart CUPS service and any dependent printing services.
3. Verify the update applied successfully.
🔧 Temporary Workarounds
Disable legacy PPD support
Disable libppd usage and legacy PPD file support if not required (Linux)
# Configure CUPS to use IPP Everywhere instead of PPD
# Remove or disable cups-filters PPD-related components
🧯 If You Can't Patch
- Restrict network access to CUPS services to trusted networks only
- Implement strict input validation and sanitization for printing-related services
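The kind of check the validation item above refers to, as an added example that is not libppd's code or its fix: a hypothetical helper that refuses an untrusted IPP text value containing a double quote or control character before it is formatted into a quoted PPD line. The function names, the 127-byte limit and the sample values are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a libppd API: accept an untrusted IPP text value
 * only if it is safe inside a quoted PPD value. It rejects, it never rewrites. */
static int ipp_value_is_safe(const char *s, size_t maxlen)
{
    size_t n = 0;
    if (s == NULL)
        return 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++, n++) {
        /* Control characters (including CR/LF) could start a new PPD line;
         * a double quote would end the quoted value early. */
        if (*p < 0x20 || *p == 0x7f || *p == '"')
            return 0;
    }
    return n > 0 && n <= maxlen;
}

/* Format `*Keyword: "value"` into out. The keyword is a trusted constant.
 * Returns 0 on success, -1 if the value is rejected or the line does not
 * fit; out is left empty on failure. */
int ppd_emit_quoted(char *out, size_t outsize, const char *keyword,
                    const char *ipp_value)
{
    int len;
    if (out == NULL || outsize == 0)
        return -1;
    out[0] = '\0';
    if (!ipp_value_is_safe(ipp_value, 127))   /* assumed length limit */
        return -1;
    len = snprintf(out, outsize, "*%s: \"%s\"\n", keyword, ipp_value);
    if (len < 0 || (size_t)len >= outsize) {
        out[0] = '\0';                        /* never keep a truncated line */
        return -1;
    }
    return 0;
}

int main(void)
{
    char line[256];
    /* Constructed sample values, not taken from any real device. */
    int rc = ppd_emit_quoted(line, sizeof line, "Manufacturer", "Example Printer Co.");
    printf("benign:  rc=%d line=%s", rc, line);
    rc = ppd_emit_quoted(line, sizeof line, "Manufacturer", "x\"\n*Injected: \"y");
    printf("hostile: rc=%d line=[%s]\n", rc, line);
    return 0;
}
```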
🔍 How to Verify
Check if Vulnerable:
Check installed versions of cups, cups-filters, libcupsfilters, and libppd against security advisories
Check Version:
dpkg -l 2>/dev/null | grep -E '(cups|cups-filters|libcupsfilters|libppd)' || rpm -qa 2>/dev/null | grep -E '(cups|cups-filters|libcupsfilters|libppd)'
Verify Fix Applied:
Verify package versions match or exceed fixed versions listed in security advisories
📡 Detection & Monitoring
Log Indicators:
- Unusual PPD file creation or parsing errors
- IPP attribute manipulation attempts in CUPS logs
Network Indicators:
- Suspicious IPP protocol traffic to CUPS ports (typically 631)
SIEM Query:
source="cups" AND ("ppdCreatePPDFromIPP2" OR "IPP attribute" OR "PPD buffer")
🔗 References
- https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
- https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47
- https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5
- https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6
- https://www.cups.org
- https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I
- http://www.openwall.com/lists/oss-security/2024/09/27/3
- https://github.com/OpenPrinting/libppd/commit/d681747ebf12602cb426725eb8ce2753211e2477
- https://lists.debian.org/debian-lts-announce/2024/09/msg00047.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0016
- https://security.netapp.com/advisory/ntap-20241011-0001/