CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
28.0%
Security Advisory Description
libcupsfilters
contains the code of the filters of the former cups-filters
package as library functions to be used for the data format conversion tasks needed in Printer Applications. The cfGetPrinterAttributes5
function in libcupsfilters
does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, this can lead to attacker controlled data to be provided to the rest of the CUPS system.libppd
can be used for legacy PPD file support. The libppd
function ppdCreatePPDFromIPP2
does not sanitize IPP attributes when creating the PPD buffer. When used in combination with other functions such as cfGetPrinterAttributes5
, can result in user controlled input and ultimately code execution via Foomatic. This vulnerability can be part of an exploit chain leading to remote code execution (RCE), as described in CVE-2024-47176.cups-browsed
contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. cups-browsed
binds to INADDR_ANY:631
, causing it to trust any packet from any source, and can cause the Get-Printer-Attributes
IPP request to an attacker controlled URL. Due to the service binding to *:631 ( INADDR_ANY )
, multiple bugs in cups-browsed
can be exploited in sequence to introduce a malicious printer to the system. This chain of exploits ultimately enables an attacker to execute arbitrary commands remotely on the target machine without authentication when a print job is started. This poses a significant security risk over the network. Notably, this vulnerability is particularly concerning as it can be exploited from the public internet, potentially exposing a vast number of systems to remote attacks if their CUPS services are enabled.FoomaticRIPCommandLine
via a PPD file will be executed as a user controlled command. When combined with other logic bugs as described in CVE_2024-47176, this can lead to remote command execution.Impact
For products with Nonein the Versions known to be vulnerable column, there is no impact.
For products with ****** in the various columns, F5 is still researching the issue and will update this article after confirming the required information. F5 Support has no additional information about this issue.
Vendor | Product | Version | CPE |
---|---|---|---|
f5 | big-ip_next_central_manager | 20.2.0 | cpe:2.3:a:f5:big-ip_next_central_manager:20.2.0:*:*:*:*:*:*:* |
f5 | big-ip_next_central_manager | 20.2.1 | cpe:2.3:a:f5:big-ip_next_central_manager:20.2.1:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.1.0 | cpe:2.3:a:f5:big-ip_next:1.1.0:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.1.1 | cpe:2.3:a:f5:big-ip_next:1.1.1:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.2.0 | cpe:2.3:a:f5:big-ip_next:1.2.0:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.2.1 | cpe:2.3:a:f5:big-ip_next:1.2.1:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.3.0 | cpe:2.3:a:f5:big-ip_next:1.3.0:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.3.1 | cpe:2.3:a:f5:big-ip_next:1.3.1:*:*:*:*:*:*:* |
f5 | big-ip_dns | 1.1.0 | cpe:2.3:a:f5:big-ip_dns:1.1.0:*:*:*:*:*:*:* |
f5 | big-ip_dns | 1.1.1 | cpe:2.3:a:f5:big-ip_dns:1.1.1:*:*:*:*:*:*:* |