- An attacker can exploit this vulnerability if they can connect to the host via UDP port 631, which is bound to INADDR_ANY by default, in which case the attack can be entirely remote, or, if they are on the same network as the target, by using mDNS advertisements.
What does an attacker gain by exploiting this vulnerability?
- Remote execution of arbitrary commands when a print job is sent to the system printer.
How was the vulnerability discovered?
- A lot of curiosity (when I noticed the \*:631 UDP bind I was like "wtf is this?!" and went down a rabbit hole ...) and good old source code auditing.
Is this vulnerability publicly known?
- No, the bugs are not known and the FoomaticRIPCommandLine vulnerability is known to be already patched (it isn't).
Is there evidence that this vulnerability is being actively exploited?
Original report
Affected Vendor:
Affected Product
Affected Version
Significant ICS/OT impact?
Reporter
Vendor contacted?
- https://github.com/OpenPrinting/cups-browsed/security/adviso...
- https://github.com/OpenPrinting/libcupsfilters/security/advi...
- https://github.com/OpenPrinting/libppd/security/advisories/G...
- https://github.com/OpenPrinting/cups-filters/security/adviso...
I'm also in contact with the Canonical security team about these issues.
Description
https://pkgs.org/download/cups-browsed
Google ChromeOS:
https://chromium.googlesource.com/chromiumos/overlays/chromi...
Most BSDs:
https://man.freebsd.org/cgi/man.cgi?query=cups-browsed.conf&...
And possibly more.
<snip>
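The exposure condition named in the report (a UDP socket on port 631 bound to INADDR_ANY) can be checked on a Linux host by reading the kernel's socket tables. The following is an added example, not part of the original report or of any OpenPrinting code; it assumes the Linux `/proc/net/udp` text format, the function names are hypothetical, and the sample table is constructed.

```python
"""Added example: flag UDP sockets on port 631 that are bound to a wildcard address."""

CUPS_BROWSED_PORT = 631  # UDP port named in the report

# Constructed sample in /proc/net/udp format (not captured from a real host).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23456 2 0000000000000000 0
  102: 0100007F:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23457 2 0000000000000000 0
  103: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000   112        0 23458 2 0000000000000000 0
"""


def wildcard_binds(table_text, port=CUPS_BROWSED_PORT):
    """Return (local_address, inode) for sockets on `port` bound to all interfaces."""
    hits = []
    for line in table_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue  # truncated or malformed row
        addr_hex, _, port_hex = fields[1].rpartition(":")
        try:
            on_port = int(port_hex, 16) == port
            # INADDR_ANY is all zeros; the IPv6 wildcard (::) is 32 hex zeros.
            is_any = int(addr_hex, 16) == 0
        except ValueError:
            continue
        if on_port and is_any:
            hits.append((fields[1], fields[9]))  # fields[9] is the socket inode
    return hits


def scan_host(paths=("/proc/net/udp", "/proc/net/udp6")):
    """Run the check against the live tables; unreadable tables yield no hits."""
    found = {}
    for path in paths:
        try:
            with open(path) as fh:
                found[path] = wildcard_binds(fh.read())
        except OSError:
            found[path] = []
    return found


if __name__ == "__main__":
    print("sample:", wildcard_binds(SAMPLE_PROC_NET_UDP))
    print("host:  ", scan_host())
```

The inode in each hit can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to identify the owning process.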