Full Report
Detect and mitigate CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177 vulnerabilities impacting CUPS and IPP packages.
Analysis Summary
# Vulnerability: CUPS/IPP Arbitrary Command Execution via Malicious Printer Configuration
## CVE Details
- CVE ID: Addresses CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177
- CVSS Score: 8.0 - 9.0 (High)
- CWE: Not explicitly listed, but related to improper handling of configuration/protocol interaction leading to RCE.
## Affected Systems
- Products: `cups-browsed`, `libcupsfilters`, `libppd`, `cups-filters`
- Versions:
- `cups-browsed`: Versions up to and including 2.0.1
- `libcupsfilters`: Versions up to and including 2.1b1
- `libppd`: Versions up to and including 2.1b1
- `cups-filters`: Versions up to and including 2.0.1
- Configurations: Systems where UDP port 631 is exposed, making them reachable via the network or LAN, and where the Print Server (CUPS) is actively listening or browsing for printers.
## Vulnerability Description
A remote, unauthenticated attacker can exploit these vulnerabilities to achieve arbitrary command execution on the vulnerable system. The attack vector involves sending a malicious UDP packet (or spoofing DNS advertisements on LANs) to port 631. This allows the attacker to replace existing printer configurations or add new ones pointing to an attacker-controlled system. When a print job is initiated from the affected system to this malicious printer, arbitrary commands configured by the attacker will be executed, typically running under the unprivileged `lp` user context.
## Exploitation
- Status: No successful exploitation in the wild reported as of Sept 29, 2024. Scanning activity on port 631 has been observed.
- Complexity: Low (due to requirement of exposing UDP 631 or network-level DNS spoofing, but the remote unauthenticated setup is simple).
- Attack Vector: Network (requires UDP 631 exposure or local LAN/DNS snooping).
## Impact
- Confidentiality: High (If commands executed allow file access or credential theft)
- Integrity: High (Arbitrary command execution)
- Availability: High (Potential for system disruption via executed commands)
## Remediation
### Patches
Patches are released by various vendors (e.g., RedHat, Ubuntu). Users should consult their specific distribution/vendor advisories for exact patched versions.
### Workarounds
1. **Block Port 631:** Avoid exposing UDP port 631 externally and ensure it is not open unnecessarily.
2. **Disable Browsing:** Stop or disable the `cups-browsed` service.
3. **Configure `cups-browsed`:** If CUPS support is required:
* Edit `/etc/cups/cups-browsed.conf`.
* Find `BrowseRemoteProtocols`.
* Change the setting to only `dnssd` (remove `cups` from the list, as `dnssd cups` is often the vulnerable default).
* Restart the service: `sudo systemctl restart cups-browsed`.
## Detection
- Indicators of Compromise: Elevated connections or suspicious activity originating from the CUPS service user (`lp`) executing non-printing related commands. Observation of UDP communication on port 631 being initiated externally (scanning activity noted from IP ranges observed).
- Detection Methods and Tools: Monitoring UDP traffic on port 631. Using vulnerability scanners configured to check for vulnerable versions of CUPS, `cups-browsed`, and related libraries. Wiz customers can use the pre-built query in the Wiz Threat Center.
## References
- Vulnerability writeup by evilsocket: hxxps://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
- RedHat response: hxxps://www.redhat.com/en/blog/red-hat-response-openprinting-cups-vulnerabilities
- Ubuntu advisory: hxxps://ubuntu.com/blog/cups-remote-code-execution-vulnerability-fix-available
- GHSA for cups-browsed: hxxps://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
- GHSA for cups-filters: hxxps://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47
- GHSA for libcupsfilters: hxxps://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5
- GHSA for libppd: hxxps://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6