The CUPS printing system has been found to have a vulnerability that allows cyber attackers with network access to inject and execute malicious code on the service. To remedy this issue, an updated version of the cups-filter package has been suggested as a solution, with a number of Linux distributions already shipping the updated packages.
The vulnerability arises when a printer is created with the Backend Error Handler (beh), which is responsible for improving CUPS error handling. The beh prevents the printer queue from being deactivated, even in situations where there is a communication error between the printer and CUPS backend. This can create potential risk for users with access rights to the printer, which is generally held by all users in the local network.
The vulnerability allows for the injection and execution of malicious code, and can be classified as a high-risk security issue with a CVSS score of 8.8. The cause of the vulnerability is said to be insufficient filtering of parameters passed to the OS.
To rectify the issue, CUPS users are advised to update their software to the latest version of the cups-filter package. If this is not possible, access to such print servers should be restricted. Debian and Fedora have already shipped updated cups-filter packages, with other distributions expected to follow suit shortly.
Given the potential risks associated with this vulnerability, IT managers should take a proactive approach. System software management should be initiated to search for updates, and the updated packages should be installed once they are available. This will help to minimize risks associated with the CUPS printing system and protect against unauthorized access.
