The CUPS printing system is affected by a vulnerability that allows attackers with network access to the printing service to inject and execute malicious code. An updated version of the cups-filterpackage should fix the problem. Several Linux distributions are already shipping updated packages.
CUPS: high-risk vulnerability
As a rule, all users in the local network have these access rights, which are necessary for an attack. The cups-filter-Package contains backends, filters and other software needed to run CUPS on systems other than macOS, explains the bug report. If a printer that should be accessible from the network is created with the backend error handler (beh), this opens the vulnerability (CVE-2023-24805, CVSS 8.8risk “high“).
The cause is insufficient filtering of parameters passed to the operating system. CUPS users should therefore update the software. If this is not yet possible, you should restrict access to such print servers.
The Backend Error Handler (beh) is designed to improve CUPS error handling. In the Linux Foundation Wiki describes one author reports that after a communication error between the printer and the CUPS backend, the printer queue is normally deactivated. This happens, for example, when users send a print job but the printer is still switched off – a rather common problem in the home. The users don’t see any feedback, only persistently non-functioning printers. Only an administrator can reactivate the printer queue, restarts, for example, do not help. The backend error handler can prevent this by simply not deactivating the printer queue.
Debian and Fedora already ship updated ones cups-filterpackages. Other distributions are expected to follow shortly. IT managers should start the system’s software management, search for the updates and have them installed.
(dmk)