CUPS Serious Vulnerability - What is CUPS used for on FreePBX?

A serious vulnerability was discovered in CUPS at the end of last week. Can CUPS be uninstalled on FreePBX without impact? If not, what would be impacted if it was removed?

CVE-2024-47176 (debian.org)

From the article:

“multiple bugs in cups-browsed can be exploited in sequence to introduce a malicious printer to the system. This chain of exploits ultimately enables an attacker to execute arbitrary commands remotely on the target machine without authentication when a print job is started. This poses a significant security risk over the network. Notably, this vulnerability is particularly concerning as it can be exploited from the public internet, potentially exposing a vast number of systems to remote attacks if their CUPS services are enabled.”

cups daemon does not appear to be running by default on Sangoma distro (FreePBX 16) or Debian 12 (FreePBX 17).


It must be installed by the FreePBX 17 installer script, though. I just ran another installation of Debian following the instructions here, and it doesn’t show cups installed.

Step By Step Debian 12 Installation - FreePBX Open Source - Sangoma Documentation (atlassian.net)

If I look at one of my FreePBX 17 installs, it’s showing the cups library.

root@HOSTNAME:~# apt list --installed | grep cup
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
libcups2/now 2.4.2-3+deb12u5 amd64 [installed,upgradable to: 2.4.2-3+deb12u7]

Can somebody tell me what it’s used for?

I realize that the service isn’t running, but I would like to remove any software that I can if I’m not using it. If it’s used by a module that I’ve uninstalled, I can remove it.

This is not the vulnerable package.

A lot of things depend on it, including libgtk*. I suspect you can’t have a standard Debian GUI without it. I suspect most things that display a print dialogue use it to some extent.

The FreePBX installer script installs ghostscript and it looks like that is what has the libcups2 dependency.

You can probably apt remove libcups2, which will subsequently remove ghostscript, if you are not using fax.

The following packages will be REMOVED:
  ghostscript libcups2 libgs10
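The two replies above boil down to three checks: is the vulnerable package (cups-browsed, per the advisory quoted at the top) actually installed, is the UDP/631 listener it opens exposed on a wildcard address, and what would `apt remove libcups2` take with it. The following script is an added example, not code from this thread or from the FreePBX project, and it encodes those checks as POSIX shell functions that read captured command output on stdin, so they can be exercised against the constructed samples embedded below (made up for this example, not taken from a real PBX) and then pointed at a live host with `--live`. It assumes the column layout of `ss -lunH` (local address in the fourth column) and the `dpkg-query -W -f='${Package} ${Status}\n'` format.

```shell
#!/bin/sh
# Added example: triage a Debian/FreePBX host for the cups-browsed issue
# (CVE-2024-47176). Every check reads command output on stdin so the logic
# can be tested offline against the constructed samples at the bottom.

# cups_browsed_installed: reads `dpkg-query -W -f='${Package} ${Status}\n'`
# on stdin; succeeds only if cups-browsed is really installed (a package in
# "deinstall ok config-files" state does not match). libcups2 alone is the
# client library, not the package that carries the bug.
cups_browsed_installed() {
    grep -q '^cups-browsed install ok installed$'
}

# udp631_exposed: reads `ss -lunH` on stdin (assumed layout: State Recv-Q
# Send-Q Local:Port Peer:Port); succeeds if a UDP socket is bound to port 631
# on a wildcard address. That is the listener a remote attacker needs.
udp631_exposed() {
    awk '$4 ~ /^(0\.0\.0\.0|\*|\[::\]):631$/ { found = 1 } END { exit !found }'
}

# libcups2_dependents: reads `apt-cache rdepends --installed libcups2` on
# stdin and prints the installed reverse-dependencies, one per line, dropping
# the two header lines and any leading "|" alternative markers.
libcups2_dependents() {
    awk 'NR > 2 { sub(/^[ |]+/, ""); if ($0 != "") print }'
}

# triage PKG_LISTING SOCKET_LISTING -> prints one verdict:
#   not-installed     cups-browsed absent; nothing to patch for this CVE
#   installed-closed  cups-browsed present, no wildcard UDP/631 listener
#   exposed           cups-browsed present and UDP/631 open on all interfaces
triage() {
    if ! printf '%s\n' "$1" | cups_browsed_installed; then
        echo not-installed
    elif printf '%s\n' "$2" | udp631_exposed; then
        echo exposed
    else
        echo installed-closed
    fi
}

# live_audit: the same checks against the running host. Needs dpkg-query,
# ss and apt-cache; run as root if you add -p to ss to see owning processes.
live_audit() {
    pkgs=$(dpkg-query -W -f='${Package} ${Status}\n' 2>/dev/null)
    socks=$(ss -lunH 2>/dev/null)
    triage "$pkgs" "$socks"
    echo "installed packages that depend on libcups2:"
    apt-cache rdepends --installed libcups2 2>/dev/null | libcups2_dependents
}

# Constructed samples (hypothetical, not captured from real machines).
# A FreePBX 17 box as described in the thread: libcups2 via ghostscript only,
# no cups-browsed, and only SIP/NTP-style UDP listeners.
FREEPBX17_PKGS='libcups2 install ok installed
ghostscript install ok installed
libgs10 install ok installed'
FREEPBX17_SOCKS='UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
UNCONN 0 0 0.0.0.0:5060 0.0.0.0:*'
# A desktop-style host that does run cups-browsed on a wildcard socket.
DESKTOP_PKGS='libcups2 install ok installed
cups-browsed install ok installed'
DESKTOP_SOCKS='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*'
# What `apt-cache rdepends --installed libcups2` looks like on the PBX sample.
RDEPENDS_SAMPLE='libcups2
Reverse Depends:
  ghostscript
  libgs10'

if [ "${1:-}" = "--live" ]; then
    live_audit
else
    echo "freepbx17 sample: $(triage "$FREEPBX17_PKGS" "$FREEPBX17_SOCKS")"
    echo "desktop sample:   $(triage "$DESKTOP_PKGS" "$DESKTOP_SOCKS")"
    echo "libcups2 dependents in sample:"
    printf '%s\n' "$RDEPENDS_SAMPLE" | libcups2_dependents
fi
```

On the PBX sample the verdict is `not-installed`, which matches what the thread found: libcups2 pulled in by ghostscript is not the package the advisory is about, and there is no UDP/631 listener to reach. The dependents list is what you would lose with `apt remove libcups2`, so check it for the fax-related packages before removing anything.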

However, I think david55 is correct…

I opened a ticket with our vulnerability software vendor to see if the detection of the CUPS vulnerability on our PBXes is a false positive. From what I’m reading here, I suspect that it is. We aren’t using fax, so it might be a good idea for us to remove libcups2 and ghostscript as well.

Thank you for the information as to what this is used for. It will help us harden our PBXes against future vulnerabilities.

Do you indiscriminately allow TCP/631 through your firewall?