This objective of this post is to show you how to protect your Linux machine(s) against several security bugs or vulnerabilities that can allow an attacker to execute arbitrary commands remotely on the target machine without authentication when a print job is started. So the vulnerabilities all affect CUPS, the Common Unix Printing System, which is responsible for handling printing on your computer, and were first reported and published as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177 by Simone “EvilSocket” Margaritelli.
There are 2 CUPS services or daemons that run on your Linux machine – cups and cups-browsed. The former is the main CUPS scheduler, while the latter makes it possible for your local machine to print to remote CUPS printers. That makes it the primary target of these vulnerabilities, in particular CVE-2024-47176,
Out of the box, it is highly likely that cups and cups-browsed are active and running on your Linux machine. I know it is on Linux Mint, and also Ubuntu, since Mint is based on Ubuntu. So in the following sections, you’ll learn how to disable cups-browsed, and also cups if you don’t do any printing. Keep in mind that no fix has been published yet for the aforementioned vulnerabilities.
Stop and disable cups-browsed
The first thing to do is to find out if the cups-browsed service is running. To do that, type the command given below. The expected output is below it:
# Output of "sudo systemctl status cups-browsed"
#
cups-browsed.service - Make remote CUPS printers available locally
Loaded: loaded (/lib/systemd/system/cups-browsed.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2024-09-28 00:00:11 CDT; 4h 8min ago
Main PID: 2660689 (cups-browsed)
Tasks: 3 (limit: 12985)
Memory: 2.9M
CGroup: /system.slice/cups-browsed.service
└─2660689 /usr/sbin/cups-browsed
If the line that starts with Active in the expected output is followed by active (running), then cups-browsed needs to be stopped and disabled. To stop it now, type the following command:
# use this command to stop the cups-browsed service
#
sudo systemctl stop cups-browsed
To make sure that it never restarts when you reboot the computer, it has to be disabled. To do that, type the following command:
# use this command to disable the cups-browsed service
#
sudo systemctl disable cups-browsed
Stop and disable cups
I don’t do any printing at home , so if you’re like me, then it’s perfectly fine to also stop and disable cups, the main CUPS scheduler. To stop it, type the following command:
# use this command to stop the cups daemon
#
sudo systemctl stop cups
To make sure that it never restarts when you reboot the computer, it also has to be disabled. To do that, type the following command:
# use this command to disable the cups daemon
#
sudo systemctl disable cups
All that should help protect your Linux machine(s) from published CUPS-related vulnerabilities until fixes are published.