cups, cups-filters and libppd security issues

A series of vulnerabilities have been found in cups-browsed and cups-filters allowing for unauthenticated remote code execution.

The upstream advisories are

• CVE-2024-47176 in cups-browsed,
• CVE-2024-47175 in libppd,
• CVE-2024-47076 in libcupsfilters and
• CVE-2024-47177 in cups-filter.

The write-up from the security researcher that reported the issues: Attacking UNIX systems via CUPS, Part I.

This post serves as a way to inform the community about our progress on mitigating and fixing the issues.

Am I affected?

You are affected, if you have enabled both cups and Avahi in your NixOS configuration through:

• services.printing.enable
• services.avahi.enable

You can quickly check if cups-browsed is enabled with systemctl is-enabled cups-browsed.service.

Workaround

Disable browsed entirely through its avahi dependency

If it is acceptable in your environment, you can disable services.avahi.enable which will disable the cups-browsed service entirely.

Disable the browsed systemd service

If you need to keep Avahi, you can disable the cups-browsed systemd service specifically with:

systemd.services.cups-browsed = {
  enable = false;
  unitConfig.Mask = true;
}

A new option has also been added to control browsed independently from Avahi: services.printing.browsed.enable. The option might not yet be available in your situation, see:

• NixOS unstable: nixos/printing: add option to disable browsed daemon by LeSuisse · Pull Request #344702 · NixOS/nixpkgs · GitHub (PR progress tracker)
• NixOS 24.05: [Backport release-24.05] nixos/printing: add option to disable browsed daemon by github-actions[bot] · Pull Request #344711 · NixOS/nixpkgs · GitHub (PR progress tracker)

Patches

For CVE-2024-47176 in cups-browsed (NixOS is not vulnerable with the default configuration):

• NixOS unstable: cups-filters: remove support for legacy CUPS browsing and for LDAP by LeSuisse · Pull Request #347168 · NixOS/nixpkgs · GitHub (PR progress tracker)

For CVE-2024-47076 in libcupsfilters:

• NixOS unstable: cups-filters: apply patch for CVE-2024-47076 by LeSuisse · Pull Request #344748 · NixOS/nixpkgs · GitHub (PR progress tracker)
• NixOS 24.05: [Backport release-24.05] cups-filters: apply patch for CVE-2024-47076 by github-actions[bot] · Pull Request #344833 · NixOS/nixpkgs · GitHub (PR progress tracker)

For CVE-2024-47175 in libppd:

• NixOS unstable: cups: apply patches for CVE-2024-47175 by LeSuisse · Pull Request #344919 · NixOS/nixpkgs · GitHub (PR progress tracker)
• NixOS 24.05: [24.05] cups: apply patches for CVE-2024-47175 by LeSuisse · Pull Request #345101 · NixOS/nixpkgs · GitHub (PR progress tracker)

For those in a hurry: you can quickly check whether a host is affected with systemctl is-enabled cups-browsed.service. If not found, you’re good.

Further TL;DR;: there are two entry points to target this service: a direct one when UDP port 631 is exposed, and an indirect one by spoofing discovery/advertisement. Having cups-browsed behind a firewall is therefore not enough to be safe due to that second path.

A base configuration on NixOS with just CUPS (services.printing.enable alone) is not affected.

(Those are my quick notes, please correct if wrong.)