A serious vulnerability was discovered in CUPS at the end of last week. Can CUPS be uninstalled on FreePBX without impact? If not, what would be impacted if it was removed?
“multiple bugs in cups-browsed can be exploited in sequence to introduce a malicious printer to the system. This chain of exploits ultimately enables an attacker to execute arbitrary commands remotely on the target machine without authentication when a print job is started. This poses a significant security risk over the network. Notably, this vulnerability is particularly concerning as it can be exploited from the public internet, potentially exposing a vast number of systems to remote attacks if their CUPS services are enabled.”
It must be installed by the FreePBX 17 installer script though. I just ran another installation of Debian following the instructions here, and it doesn’t show cups installed.
If I look at one of my FreePBX 17 installs, it’s showing the cups library.
root@HOSTNAME:~# apt list --installed | grep cup
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
libcups2/now 2.4.2-3+deb12u5 amd64 [installed,upgradable to: 2.4.2-3+deb12u7]
Can somebody tell me what it’s used for?
I realize that the service isn’t running, but I would like to remove any software that I can if I’m not using it. If it’s used by a module that I’ve uninstalled, I can remove it.
A lot of things depend on it, including libgtk*. I suspect you can’t have a standard Debian GUI without it. I suspect most things that display a print dialogue use it to some extent.
I opened a ticket with our vulnerability software vendor to see if the detection of the CUPS vulnerability on our PBXes is a false positive. From what I’m reading here, I suspect that it is. We aren’t using fax, so it might be a good idea for us to remove libcups2 and ghostscript as well.
Thank you for the information as to what this is used for. It will help us harden our PBXes against future vulnerabilities.
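The distinction this thread turns on, the libcups2 library versus the cups-browsed daemon named in the quoted advisory, can be checked from the package list. The script below is an added example, not part of any post above or of FreePBX. The function names `classify_cups` and `live_check` are hypothetical, the sample input is constructed, and UDP port 631 as the cups-browsed listener is a detail not stated in the thread.

```shell
#!/bin/sh
# Added example: classify_cups and live_check are hypothetical names.

# Reads "<package> <status-abbrev>" lines, the format printed by
#   dpkg-query -W -f='${Package} ${db:Status-Abbrev}\n'
# and prints one word describing which CUPS pieces are installed.
classify_cups() {
    awk '
        $2 !~ /^ii/ { next }               # ignore "rc" and other non-installed states
        $1 == "cups-browsed" { browsed = 1 }
        $1 == "cups-daemon"  { daemon = 1 }
        $1 == "libcups2"     { lib = 1 }
        END {
            if (browsed)     print "cups-browsed-installed"
            else if (daemon) print "cups-daemon-only"
            else if (lib)    print "library-only"
            else             print "absent"
        }'
}

# Live checks for a Debian host; run with: sh script.sh --live
live_check() {
    dpkg-query -W -f='${Package} ${db:Status-Abbrev}\n' | classify_cups
    # Is the browsing daemon running?
    systemctl is-active cups-browsed 2>/dev/null || true
    # Is anything listening on UDP 631?
    ss -lun | grep -E ':631[[:space:]]' || echo "no UDP listener on 631"
    # Simulate removal to list what would go with libcups2; changes nothing.
    apt-get -s remove libcups2 | grep '^Remv' || true
}

# Constructed sample mirroring the thread: library present, no daemon packages.
SAMPLE='libcups2 ii 
ghostscript ii 
libgtk-3-0 ii '

if [ "${1:-}" = "--live" ]; then
    live_check
else
    printf '%s\n' "$SAMPLE" | classify_cups
fi
```

The `Remv` lines from the simulated removal list every package that would be removed along with libcups2, which is the impact asked about in the first post.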