Details of several critical Linux vulnerabilities that the security community has been awaiting have landed – they involve bugs in CUPS, the Common UNIX Printing System. All versions of Red Hat Enterprise Linux (RHEL) are among the Linux distributions affected, but not in default configuration.
Details on other impacted distributions continue to land, but default exposure does not appear to be likely, and the risk is therefore moderate.
The vulnerabilities (four identified and allocated CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, with more to follow) were identified by security researcher Simone Margaritelli, who first posted about them vociferously on X on September 23.
Margaritelli suggested that up to 300,000 endpoints appear to be publicly exposed to pre-authentication remote code execution exploitation. (Security researchers suggested that the majority of these are likely to be Linux-based desktops, not servers.)
The vulnerability details were leaked this evening via a bug fix on GitHub by Michael R. Sweet, the creator of CUPS, the de facto standard printing system for Linux, macOS, and UNIX systems, apparently breaking plans for coordinated disclosure on September 30, followed by a public blog on October 6.