CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Everything you need to know

Detect and mitigate CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177 vulnerabilities impacting CUPS and IPP packages.


The security researcher Simone Margaritelli (evilsocket) disclosed details of several vulnerabilities impacting CUPS and IPP packages: CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. These vulnerabilities are unlikely to be exploited in most cloud environments, because the currently disclosed exploitation method requires UDP port 631 to be exposed and the victim to attempt a print request.

The vulnerabilities received CVSS base scores ranging from 8.0 to 9.0. It is recommended to mitigate these vulnerabilities and apply patches. 

What are these vulnerabilities? 

A remote, unauthenticated attacker can replace existing printers with a malicious one or add a new printer under their control, leading to arbitrary command execution when a print job is initiated from the affected system. The attack begins by sending a UDP packet to port 631, or in local LANs, attackers may spoof DNS advertisements. On vulnerable systems, the attacker can exploit this to replace or install a printer configuration on the victim's system that points to the attacker’s system. As part of the print service, an installed printer has the ability to execute arbitrary commands on the requesting system when a print request is made to it. In the most common scenarios the commands are run by the `lp` user, which is unprivileged.  

Wiz Research data: what’s the risk to cloud environments?       

According to Wiz data, 83% of cloud environments have at least one instance of the affected packages in the vulnerable version ranges. However, considering the current known exploitation method, we estimate that cloud environments are highly unlikely to be exploited remotely, since printing devices are rarely used in the cloud, and UDP port 631 is rarely open. 

What sort of exploitation has been identified in the wild?  

While no successful exploitation has been reported in the wild as of today, September 29, 2024, Wiz Threat Research has observed several IPs attempting UDP communication through port 631, most likely scanning this port for malicious purposes or as part of security research.

195.228.75[.]121, 143.244.47[.]70, 172.234.96[.]249 and 172.234.96[.]249 have also been observed by DataDog.  

Which products are affected? 

The following table lists the vulnerabilities and their impacted products: 

| CVE | Package | Impacted versions |
| --- | --- | --- |
| CVE-2024-47176 | cups-browsed | Versions up to and including 2.0.1 |
| CVE-2024-47076 | libcupsfilters | Versions up to and including 2.1b1 |
| CVE-2024-47175 | libppd | Versions up to and including 2.1b1 |
| CVE-2024-47177 | cups-filters | Versions up to and including 2.0.1 |

Which actions should security teams take? 

Few vendors have released patches; it is also possible to apply these mitigations:

  • Avoid exposing UDP port 631 and stop/disable cups-browsed

  • If CUPS support is required, you can apply this mitigation:

    • Edit `/etc/cups/cups-browsed.conf`

    • Search for the `BrowseRemoteProtocols` configuration option

    • Set the option to `dnssd` (the default value is `dnssd cups`; remove `cups`)

    • Restart cups-browsed using `sudo systemctl restart cups-browsed`
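
One way to audit and apply the BrowseRemoteProtocols mitigation above, as an added example that is not part of the original advisory. It assumes the last uncommented directive wins and that a missing directive means the default `dnssd cups`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original advisory). Assumptions: the last
# uncommented BrowseRemoteProtocols line wins, and a missing directive means
# the default "dnssd cups" stated above. Function names are hypothetical.

# Print the effective BrowseRemoteProtocols value of a cups-browsed.conf file.
effective_protocols() {
    awk '
        tolower($1) == "browseremoteprotocols" {
            $1 = ""; val = tolower($0)
            gsub(/[, \t]+/, " ", val); gsub(/^ | $/, "", val); seen = 1
        }
        END { print (seen ? val : "dnssd cups") }
    ' "$1"
}

# Succeed (exit 0) while the legacy "cups" browsing protocol is still enabled.
needs_mitigation() {
    case " $(effective_protocols "$1") " in
        *" cups "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Set the option to dnssd in place, keeping the original as FILE.bak.
apply_mitigation() {
    cp -p "$1" "$1.bak" || return 1
    awk '
        tolower($1) == "browseremoteprotocols" {
            if (!seen) print "BrowseRemoteProtocols dnssd"
            seen = 1; next
        }
        { print }
        END { if (!seen) print "BrowseRemoteProtocols dnssd" }
    ' "$1.bak" > "$1"
}

# Demo on a constructed sample file; point the functions at
# /etc/cups/cups-browsed.conf (as root) to use them for real, then run
# `sudo systemctl restart cups-browsed` as described above.
demo() {
    sample=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' '# BrowseRemoteProtocols none' \
        'BrowseRemoteProtocols dnssd cups' > "$sample"
    echo "before: $(effective_protocols "$sample")"
    needs_mitigation "$sample" && apply_mitigation "$sample"
    echo "after:  $(effective_protocols "$sample")"
    rm -f "$sample" "$sample.bak"
}
demo
```

A file with no `BrowseRemoteProtocols` line is reported as needing the mitigation, since the default still includes `cups`.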

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment. 
