The CUPS printing system is affected by a vulnerability that allows attackers with network access to the printing service to inject and execute malicious code. An updated version of the cups-filters package should fix the problem. Several Linux distributions are already shipping updated packages.
CUPS: high-risk vulnerability
As a rule, all users on the local network have the access rights needed for an attack. The cups-filters package contains backends, filters, and other software needed to get CUPS running on systems other than macOS, the bug report explains. If a printer that is meant to be accessible from the network is created with the Backend Error Handler (beh), this opens the vulnerability (CVE-2023-24805, CVSS 8.8, risk "high").
The cause is insufficient filtering of parameters passed to the operating system. CUPS users should therefore update the software. If this is not yet possible, you should restrict access to such print servers.
The Backend Error Handler (beh) is designed to improve CUPS error handling. In the Linux Foundation Wiki, an author describes how the printer queue is normally deactivated after a communication error between the printer and the CUPS backend. This happens, for example, when users send a print job while the printer is still switched off, a rather common problem at home. The users get no feedback and only see a printer that persistently fails to work. Only an administrator can reactivate the printer queue; restarts, for example, do not help. The backend error handler can prevent this by simply not deactivating the printer queue.
Debian and Fedora already ship updated cups-filters packages. Other distributions are expected to follow shortly. IT managers should start the system's software management, search for the updates and have them installed.
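To decide which print servers need the update or an access restriction first, it helps to list the queues that actually use beh. The following is an added example, not code from the article or from the CUPS project: it parses text in the layout of `printers.conf` and reports beh queues and whether they are shared. It assumes the device URI form `beh:/<dd>/<att>/<delay>/<original-uri>`, treats a missing `Shared` line as possibly shared, and runs on a constructed sample with made-up queue names and addresses.

```python
import re
from typing import NamedTuple, Optional

class BehQueue(NamedTuple):
    name: str
    device_uri: str
    wrapped_uri: str          # URI of the real backend that beh wraps
    shared: Optional[bool]    # None when printers.conf has no Shared line

# Constructed sample in printers.conf layout (not taken from a real system).
SAMPLE_PRINTERS_CONF = """\
<Printer office-laser>
DeviceURI beh:/1/3/5/socket://192.0.2.10:9100
Shared Yes
</Printer>
<DefaultPrinter home-inkjet>
DeviceURI ipp://192.0.2.20/ipp/print
Shared Yes
</DefaultPrinter>
<Printer lab-plotter>
DeviceURI beh:/0/1/60/lpd://192.0.2.30/queue
Shared No
</Printer>
"""

_OPEN = re.compile(r"^<(?:Default)?Printer\s+(\S+)>$")
_CLOSE = re.compile(r"^</(?:Default)?Printer>$")
_BEH = re.compile(r"^beh:/[^/]*/[^/]*/[^/]*/(.+)$")  # assumed beh URI layout

def find_beh_queues(conf_text):
    """Return every queue whose DeviceURI uses the beh backend."""
    queues, name, fields = [], None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = _OPEN.match(line)
        if opened:
            name, fields = opened.group(1), {}
        elif _CLOSE.match(line) and name is not None:
            uri = fields.get("deviceuri", "")
            if uri.lower().startswith("beh:"):
                wrapped = _BEH.match(uri)
                shared = {"yes": True, "no": False}.get(fields.get("shared", "").lower())
                queues.append(BehQueue(name, uri, wrapped.group(1) if wrapped else "", shared))
            name = None
        elif name is not None and line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            fields[key.lower()] = value.strip()
    return queues

def network_exposed(queues):
    """Names of beh queues that are shared or whose sharing state is unknown."""
    return [q.name for q in queues if q.shared is not False]
```

On a real server, pass the contents of the CUPS `printers.conf` file (readable by root) to `find_beh_queues` instead of the sample.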