Amazon Linux 2023 Security Advisory: ALAS-2024-723
Advisory Release Date: 2024-10-10 03:02 Pacific
Advisory Updated Date: 2024-11-13 12:28 Pacific
FAQs regarding Amazon Linux ALAS/CVE Severity
2024-11-13: CVE-2024-47850 was added to this advisory.
CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. The `cfGetPrinterAttributes5` function in `libcupsfilters` does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, this can lead to attacker controlled data to be provided to the rest of the CUPS system. (CVE-2024-47076)
CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL.
Due to the service binding to `*:631 ( INADDR_ANY )`, multiple bugs in `cups-browsed` can be exploited in sequence to introduce a malicious printer to the system. This chain of exploits ultimately enables an attacker to execute arbitrary commands remotely on the target machine without authentication when a print job is started. This poses a significant security risk over the network. Notably, this vulnerability is particularly concerning as it can be exploited from the public internet, potentially exposing a vast number of systems to remote attacks if their CUPS services are enabled. (CVE-2024-47176)
CUPS cups-browsed before 2.5b1 will send an HTTP POST request to an arbitrary destination and port in response to a single IPP UDP packet requesting a printer to be added, a different vulnerability than CVE-2024-47176. (The request is meant to probe the new printer but can be used to create DDoS amplification attacks.) (CVE-2024-47850)
Affected Packages:
cups-filters
Issue Correction:
Run dnf update cups-filters --releasever 2023.6.20241010 to update your system.
aarch64:
cups-filters-libs-debuginfo-1.28.16-3.amzn2023.0.3.aarch64
cups-filters-debugsource-1.28.16-3.amzn2023.0.3.aarch64
cups-filters-devel-1.28.16-3.amzn2023.0.3.aarch64
cups-filters-libs-1.28.16-3.amzn2023.0.3.aarch64
cups-filters-debuginfo-1.28.16-3.amzn2023.0.3.aarch64
cups-filters-1.28.16-3.amzn2023.0.3.aarch64
src:
cups-filters-1.28.16-3.amzn2023.0.3.src
x86_64:
cups-filters-libs-debuginfo-1.28.16-3.amzn2023.0.3.x86_64
cups-filters-libs-1.28.16-3.amzn2023.0.3.x86_64
cups-filters-devel-1.28.16-3.amzn2023.0.3.x86_64
cups-filters-debuginfo-1.28.16-3.amzn2023.0.3.x86_64
cups-filters-debugsource-1.28.16-3.amzn2023.0.3.x86_64
cups-filters-1.28.16-3.amzn2023.0.3.x86_64