CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilities
Frequently asked questions about multiple vulnerabilities in the Common UNIX Printing System (CUPS) that were disclosed as zero-days on September 26.
Update September 27: The blog has been updated to include information about in-the-wild exploitation attempts, information on detecting external assets using Tenable Attack Surface Management and the upcoming availability of a remote direct check plugin.
BackgroundThe Tenable Security Response Team (SRT) has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a series of vulnerabilities in the Common UNIX Printing System (CUPS). We will update this blog as more information becomes available.
FAQWhat is CUPS?
Common UNIX Printing System (CUPS) is an open-source printing system for Linux and other UNIX-like operating systems. CUPS uses the IPP (Internet Printing Protocol) to allow for printing with local and network printers.
What are the vulnerabilities associated with the recent CUPS disclosure?
As of September 26, the following four CVE identifiers were assigned for vulnerabilities related to CUPS:
CVEDescriptionAffected ComponentCVSSv3*CVE-2024-47076libscupsfilters Improper Input Validation or Sanitization Vulnerabilitylibcupsfilters8.6CVE-2024-47175libppd Improper Input Validation or Sanitization Vulnerabilitylibppd8.6CVE-2024-47176cups-browsed Binding to an Unrestricted IP Address Vulnerabilitycups-browsed8.4CVE-2024-47177cups-filters Command Injection Vulnerabilitycups-filters9.1*These CVSSv3 scores are current as of September 26..
What are CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177?
CVE-2024-47076 is a flaw in the libcupsfilters library in which IPP packets are not validated or sanitized. This provides the attacker the ability to send malicious data to the CUPS system.
CVE-2024-47175 affects the libppd library and is an input validation issue. IPP data is not properly validated or sanitized before being written to a temporary PostScript Printer Description (PPD) file. This can result in an attacker injecting malicious data into the PPD file.
CVE-2024-47176 was assigned to a bug affecting the cups-browsed library. According to the blog post from Simone Margaritelli, the package allows any packet from any source to be trusted on the IPP port (default 631). Because of this, an attacker could send a crafted packet that would trigger a Get-Printer-Attributes IPP request, which would then reach out to an attacker controller URL.
CVE-2024-47177 impacts the cups-filters library and could allow an attacker to execute arbitrary commands using “via the FoomaticRIPCommandLine PPD parameter.”
The combination of these vulnerabilities could result in an attacker crafting a fake printer, thereby allowing them to execute arbitrary code whenever a print job has been started by the impacted host.
How severe are these vulnerabilities?
While there has been a lot of attention given to these vulnerabilities prior to disclosure, based on what has been disclosed as of September 26, these flaws are not at the level of something like Log4Shell or Heartbleed. We encourage organizations not to panic about these flaws as most attackers continue to exploit known vulnerabilities in internet facing assets.
When were these vulnerabilities first disclosed?
On September 23, Simone Margaritelli posted on X (formerly Twitter) that he recently reported a critical severity, CVSSv3 9.9 unauthenticated remote code execution (RCE) vulnerability that affects “all GNU/Linux systems” to Canonical, Red Hat and others. According to Margaritelli, disclosure and coordination with multiple Linux vendors was not a smooth process. Over the next several days, Margaritelli provided additional details about the disclosure woes and several media outlets began publishing warnings over this critical vulnerability.
* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.
* Full disclosure happening in less than 2 weeks (as agreed with devs).
* Still no CVE assigned (there should be at least 3, possibly 4, ideally 6).
* Still no working fix.
* Canonical, RedHat and… pic.twitter.com/N2d1rm2VeR
— Simone Margaritelli (@evilsocket) September 23, 2024
On September 26, Margaritelli posted on X that full disclosure would be happening at 20:00 UTC despite the early posts suggesting that full disclosure would be withheld until early October.
Full disclosure happening at 20:00 UTC today, in a bit more than 2 hours.
— Simone Margaritelli (@evilsocket) September 26, 2024
Were these exploited as zero-days?
No. There is currently no evidence that these vulnerabilities have been exploited in the wild as zero-days prior to disclosure on September 26.
Were these exploited after the public disclosure?
Yes. According to researchers at Datadog Security Labs, opportunistic scanning was detected for vulnerable systems in the “first hours following disclosure” which included exploitation attempts to install a malicious printer on a targeted system.
Is there a proof-of-concept (PoC) available for these vulnerabilities?
A proof-of-concept (PoC) developed by Margaritelli is included in the GitHub advisory for CVE-2024-47176. Additionally, a PoC has been published on GitHub based on a commit in the OpenPrinting CUPS repository.
Are patches or mitigations available?
Due to the early public disclosure, there are currently no patches available for the four vulnerabilities disclosed on September 26. However, to mitigate these flaws until the patches are available, it is advised to disable and remove cups-browsed from vulnerable systems. Additionally, CUPS is set to listen on UDP port 631, so it is advised to block all traffic to UDP port 631.
A security bulletin published by Red Hat highlights mitigations for high availability and non-high availability scenarios, the latter essentially stopping and disabling the cups-browsed service. In high availability scenarios they advised changing the BrowseRemoteProtocols directive values from default “dnssd cups” to “none.”
How many internet facing assets are potentially impacted by these vulnerabilities?
CUPS is not installed by default with many *nix distributions. In many distributions, the default configuration should limit the ability to access the default port.
As of September 26, a search on Shodan.io showed just over 75,000 internet-accessible hosts running CUPS. A search on the FOFA Search Engine returned over 270,000 unique IP addresses with nearly 70,000 linked specifically to IPP. Based on these findings, there are a significant number of hosts that do appear to be internet-accessible with a majority of the results using the default port, 631.
Source: Shodan.io
Source: FOFA
How can I detect if any of my external assets have the CUPS service running?
Tenable Attack Surface Management is able to detect various versions of the CUPS service running on internet connected assets. With robust filtering, this allows precise identification of these affected assets.
Has Tenable released any product coverage for these vulnerabilities?
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:
This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Additionally, a remote direct check for CVE-2024-47176 has been developed and will be available soon.
Get more information- Blog: Attacking UNIX Systems via CUPS, Part I
- GitHub Advisory for CVE-2024-47076 in libcupsfilters
- GitHub Advisory for CVE-2024-47175 in libppd
- GitHub Advisory for CVE-2024-47176 in cups-browsed
- GitHub Advisory for CVE-2024-47177 in cups-filters
- GitHub: Leaked CUPS disclosure prior to publication
Update September 27: The blog has been updated to include information about in-the-wild exploitation attempts, information on detecting external assets using Tenable Attack Surface Management and the upcoming availability of a remote direct check plugin.
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.