[CITL] Intent to block UDP port 631 traffic from Internet

Jonathan Ocab jonathan.ocab at ucr.edu
Fri Sep 27 14:02:33 PDT 2024 

*The Information Security Office is planning to block traffic inbound to
the campus from the Internet over UDP and destined to port 631 and is
requesting your partnership in identifying any potential adverse impact.*

Port 631 is used by CUPS, sometimes referred to as Common UNIX Printing
System. CUPS is often installed on a UNIX-like system including Linux,
MacOS, and FreeBSD to facilitate printing.

Hosts should only be listening on port 631 if they are acting as a print
server or sharing a printer for others to use.

Four (4) new vulnerabilities related to CUPS have been made public:

*CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631
trusting any packet from any source to trigger a Get-Printer-Attributes IPP
request to an attacker controlled URL.*
*CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not
validate or sanitize the IPP attributes returned from an IPP server,
providing attacker controlled data to the rest of the CUPS system.*
*CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or
sanitize the IPP attributes when writing them to a temporary PPD file,
allowing the injection of attacker controlled data in the resulting PPD.*
*CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary
command execution via the FoomaticRIPCommandLine PPD parameter.*


These vulnerabilities can allow an attacker to execute remote code/commands
on affected hosts.

Due to the wide array of hosts that may be running affected versions of
CUPS without proper configuration or security measures, the Information
Security Office is working with ITS Network Engineering and Operations *to
block UDP traffic from the Internet destined to UCR hosts on port 631*.

This will not affect users on-campus from using networked printers.

If anyone in CITL knows of any adverse impact this action would have on
their units, please send me your feedback directly - jonathan.ocab at ucr.edu.

Thank you.

---
Jonathan Ocab | jonathan.ocab at ucr.edu
Manager, Information Security Operations
Information Security Office
University of California, Riverside
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ucr.edu/pipermail/citl/attachments/20240927/3a55af7d/attachment.html>

More information about the CITL mailing list