Summary
On 2024-09-05, security researcher Simone Margaritelli reported a series of vulnerabilities in CUPS — Common Unix Printing System, an open source printing system for Linux and Unix operating systems — that allow a remote unauthenticated attacker to silently leverage the Internet Printing Protocol (IPP) for arbitrary command execution.
On 2024-09-26, the vulnerabilities were published as a series of CVEs (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177) affecting most UNIX systems.
At the time of writing (7:00 am ET, Sep 27, 2024), OS vendors and the broader Linux community are working on patches to address the issue; in the meantime they recommend disabling the CUPS service to reduce the risk.
Affected Systems
Source: https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
Hosts Impacted | NOT Impacted (as of time of publishing)
--- | ---
Linux and Unix based systems with: | Systems without cups installed; Windows systems
Impact
Remote unauthenticated attackers can silently replace the IPP URLs of existing printers (or install new printers) with a malicious one, resulting in arbitrary command execution on the affected computer when a print job is started from it.
Steps to identify affected hosts using Axonius
1. Before beginning, run a complete discovery (highly recommended!)
Note: This will ensure you get the latest relevant snapshot of your environment.
To do so, access the Axonius Platform as an admin and click Discover Now (located in the top-right hand corner).
2. Identify potentially impacted hosts
The following queries help you quickly identify affected systems. More advanced queries for further segmentation are included at the end of this post.
2.1 By the presence of cups or libppd, with port 631 open
("specific_data.data.open_ports.port_id" == 631) and ("specific_data.data.installed_software" == match([(("name" == regex("cups", "i")) or ("name" == regex("libppd", "i")))]))
2.2 By the presence of cups or libppd
("specific_data.data.installed_software" == match([(("name" == regex("cups", "i")) or ("name" == regex("libppd", "i")))]))
2.3 By CVEs, with port 631 open
("specific_data.data.open_ports.port_id" == 631) and (("specific_data.data.software_cves.cve_id" == "CVE-2024-47176") or ("specific_data.data.software_cves.cve_id" == "CVE-2024-47076") or ("specific_data.data.software_cves.cve_id" == "CVE-2024-47175") or ("specific_data.data.software_cves.cve_id" == "CVE-2024-47177"))
Note: To prioritize assets by criticality, combine the queries above with additional filters such as:
- Systems with public IP
- Systems Identified as a Crown Jewel by ServiceNow
- Systems with a production tag on specific infrastructure providers
From the results, you can export a CSV or leverage your existing automations in the Enforcement Center to mobilize your IT team.
Mitigation steps
- Disable and remove the cups-browsed service if you don't need it
- Monitor the published CVEs for a CUPS update for your systems
- If your system can't be updated and you still rely on this service:
  - Block all traffic to UDP port 631 and possibly all DNS-SD traffic
Related documentation
CUPS vulnerability:
- https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I
- https://nvd.nist.gov/vuln/detail/CVE-2024-47076
- https://nvd.nist.gov/vuln/detail/CVE-2024-47175
- https://nvd.nist.gov/vuln/detail/CVE-2024-47176
- https://nvd.nist.gov/vuln/detail/CVE-2024-47177
Axonius:
Advanced queries
Systems with the presence of cups or libppd or with identified CVEs
Systems with either Installed SW or CVE ID
() and (("specific_data.data.network_interfaces.ips_raw" == match({"$gte": 0, "$lte": 0}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 16777215, "$lte": 167772160}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 184549375, "$lte": 1681915904}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 1686110207, "$lte": 2130706432}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 2147483647, "$lte": 2851995648}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 2852061183, "$lte": 2886729728}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 2887778303, "$lte": 3221225472}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 3221225727, "$lte": 3221225984}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 3221226239, "$lte": 3227017984}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 3227018239, "$lte": 3232235520}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 3232301055, "$lte": 3323068416}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 3323199487, "$lte": 3325256704}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 3325256959, "$lte": 3405803776}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 3405804031, "$lte": 3758096384}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 4026531839, "$lte": 4026531840}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 4294967295, "$lte": 4294967295}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 4294967295, "$lte": 4294967295}))) and ("specific_data.data.firewall_rules" == match([("direction" in ["ANY","INGRESS"]) and ("type" == "Allow")]))
All Devices with 631 open
(("specific_data.data.installed_software" == match([(("name" == regex("cups", "i")) or ("name" == regex("libppd", "i")))])) or ("specific_data.data.software_cves.cve_id" == "CVE-2024-47176") or ("specific_data.data.software_cves.cve_id" == "CVE-2024-47076") or ("specific_data.data.software_cves.cve_id" == "CVE-2024-47175") or ("specific_data.data.software_cves.cve_id" == "CVE-2024-47177")) and ("specific_data.data.open_ports.port_id" == 631)
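As an added example (not Axonius code), the following Python re-implements the logic of queries 2.1 to 2.3 and of the public-IP filter in the advanced query above over a constructed device export, so the same triage can be run on a CSV/JSON export outside the platform. The record field names, the sample hosts and the use of ipaddress.is_global in place of the query's integer ips_raw ranges are assumptions.

```python
"""Triage exported device records for the CUPS cups-browsed issue (added example)."""
import ipaddress
import re

# The four CVEs named in the advisory.
CUPS_CVES = {"CVE-2024-47076", "CVE-2024-47175", "CVE-2024-47176", "CVE-2024-47177"}
# Same case-insensitive match the queries apply to installed software names.
SW_PATTERN = re.compile(r"cups|libppd", re.IGNORECASE)
IPP_PORT = 631

# Constructed sample records shaped like a device export (field names are assumed).
SAMPLE_DEVICES = [
    {"hostname": "print-srv-01", "software": ["cups 2.4.2", "libppd2"],
     "ports": [22, 631], "ips": ["11.22.33.44"], "cves": []},
    {"hostname": "dev-laptop", "software": ["CUPS"],
     "ports": [631], "ips": ["10.1.2.3"], "cves": ["CVE-2024-47176"]},
    {"hostname": "build-01", "software": ["libppd-dev"],
     "ports": [22], "ips": ["10.0.0.5"], "cves": []},
    {"hostname": "win-ws", "software": ["Microsoft Office"],
     "ports": [445], "ips": ["11.22.33.45"], "cves": []},
]

def has_cups(device):
    """Query 2.2: cups or libppd present in installed software."""
    return any(SW_PATTERN.search(name) for name in device["software"])

def has_cups_cve(device):
    """Query 2.3: any of the four CVE IDs reported for this device."""
    return bool(CUPS_CVES.intersection(device["cves"]))

def has_public_ip(device):
    """Approximates the ips_raw ranges of the advanced query: an address outside
    private, loopback, link-local, documentation, multicast and reserved space."""
    return any(ipaddress.ip_address(ip).is_global for ip in device["ips"])

def priority(device):
    """Return a priority tier, or None when the device shows no CUPS indicator."""
    if not (has_cups(device) or has_cups_cve(device)):
        return None
    if IPP_PORT not in device["ports"]:
        return "medium"  # CUPS present, but no listener on 631 was observed
    return "critical" if has_public_ip(device) else "high"

def triage(devices):
    """Map hostname -> tier for every device worth following up, critical first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    found = [(d["hostname"], priority(d)) for d in devices if priority(d)]
    return dict(sorted(found, key=lambda kv: order[kv[1]]))

if __name__ == "__main__":
    for host, tier in triage(SAMPLE_DEVICES).items():
        print(f"{tier:8s} {host}")
```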