Frequently asked questions about multiple vulnerabilities in the Common UNIX Printing System (CUPS) that were disclosed as zero-days on September 26.
Background
The Tenable Security Response Team (SRT) has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a series of vulnerabilities in the Common UNIX Printing System (CUPS). We will update this blog as more information becomes available.
FAQ
What is CUPS? Common UNIX Printing System (CUPS) is an open-source printing system for Linux and other UNIX-like operating systems. CUPS uses the IPP (Internet Printing Protocol) to allow for printing with local and network printers. What are the vulnerabilities associated with the recent CUPS disclosure? As of September 26, the following four CVE identifiers were assigned for vulnerabilities related to CUPS:
| CVE | Description | Affected Component | CVSSv3* |
|---|---|---|---|
| CVE-2024-47076 | libscupsfilters Improper Input Validation or Sanitization Vulnerability | libcupsfilters | 8.6 |
| CVE-2024-47175 | libppd Improper Input Validation or Sanitization Vulnerability | libppd | 8.6 |
| CVE-2024-47176 | cups-browsed Binding to an Unrestricted IP Address Vulnerability | cups-browsed | 8.4 |
| CVE-2024-47177 | cups-filters Command Injection Vulnerability | cups-filters | 9.1 |
*These CVSSv3 scores are current as of September 26.. What are CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177? CVE-2024-47076 is a flaw in the libcupsfilters library in which IPP packets are not validated or sanitized. This provides the attacker the ability to send malicious data to the CUPS system. CVE-2024-47175 affects the libppd library and is an input validation issue. IPP data is not properly validated or sanitized before being written to a temporary PostScript Printer Description (PPD) file. This can result in an attacker injecting malicious data into the PPD file. CVE-2024-47176 was assigned to a bug affecting the cups-browsed library. According to the blog post from Simone Margaritelli, the package allows any packet from any source to be trusted on the IPP port (default 631). Because of this, an attacker could send a crafted packet that would trigger a Get-Printer-Attributes IPP request, which would then reach out to an attacker controller URL. CVE-2024-47177 impacts the cups-filters library and could allow an attacker to execute arbitrary commands using “via the FoomaticRIPCommandLine PPD parameter.” The combination of these vulnerabilities could result in an attacker crafting a fake printer, thereby allowing them to execute arbitrary code whenever a print job has been started by the impacted host. How severe are these vulnerabilities? While there has been a lot of attention given to these vulnerabilities prior to disclosure, based on what has been disclosed as of September 26, these flaws are not at the level of something like Log4Shell or Heartbleed. We encourage organizations not to panic about these flaws as most attackers continue to exploit known vulnerabilities in internet facing assets. When were these vulnerabilities first disclosed? On September 23, Simone Margaritelli posted on X (formerly Twitter) that he recently reported a critical severity, CVSSv3 9.9 unauthenticated remote code execution (RCE) vulnerability that affects “all GNU/Linux systems” to Canonical, Red Hat and others. According to Margaritelli, disclosure and coordination with multiple Linux vendors was not a smooth process. Over the next several days, Margaritelli provided additional details about the disclosure woes and several media outlets began publishing warnings over this critical vulnerability.
* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.
* Full disclosure happening in less than 2 weeks (as agreed with devs).
* Still no CVE assigned (there should be at least 3, possibly 4, ideally 6).
* Still no working fix.
* Canonical, RedHat and”¦ pic.twitter.com/N2d1rm2VeR, Simone Margaritelli (@evilsocket) September 23, 2024 On September 26, Margaritelli posted on X that full disclosure would be happening at 20:00 UTC despite the early posts suggesting that full disclosure would be withheld until early October.Full disclosure happening at 20:00 UTC today, in a bit more than 2 hours., Simone Margaritelli (@evilsocket) September 26, 2024 Were these exploited as zero-days? No. There is currently no evidence that these vulnerabilities have been exploited in the wild as zero-days prior to disclosure on September 26. Is there a proof-of-concept (PoC) available for these vulnerabilities? A proof-of-concept (PoC) developed by Margaritelli is included in the GitHub advisory for CVE-2024-47176.. Additionally, a PoC has been published on GitHub based on a commit in the OpenPrinting CUPS repository. Are patches or mitigations available? Due to the early public disclosure, there are currently no patches available for the four vulnerabilities disclosed on September 26. However, to mitigate these flaws until the patches are available, it is advised to disable and remove cups-browsed from vulnerable systems. Additionally, CUPS is set to listen on UDP port 631, so it is advised to block all traffic to UDP port 631. A security bulletin published by Red Hat highlights mitigations for high availability and non-high availability scenarios, the latter essentially stopping and disabling the cups-browsed service. In high availability scenarios they advised changing the BrowseRemoteProtocols directive values from default “dnssd cups” to “none.” How many internet facing assets are potentially impacted by these vulnerabilities? CUPS is not installed by default with many *nix distributions. In many distributions, the default configuration should limit the ability to access the default port. As of September 26, a search on Shodan.io showed just over 75,000 internet-accessible hosts running CUPS. A search on the FOFA Search Engine returned over 270,000 unique IP addresses with nearly 70,000 linked specifically to IPP. Based on these findings, there are a significant number of hosts that do appear to be internet-accessible with a majority of the results using the default port, 631.
Source: Shodan.io
Source: FOFA Has Tenable released any product coverage for these vulnerabilities? A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released: CVE-2024-47076 CVE-2024-47175 CVE-2024-47176 CVE-2024-47177 This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Get more information
Blog: Attacking UNIX Systems via CUPS, Part I GitHub Advisory for CVE-2024-47076 in libcupsfilters GitHub Advisory for CVE-2024-47175 in libppd GitHub Advisory for CVE-2024-47176 in cups-browsed GitHub Advisory for CVE-2024-47177 in cups-filters GitHub: Leaked CUPS disclosure prior to publication Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
First seen on securityboulevard.com
