CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Everything you need to know

Detect and mitigate CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177 vulnerabilities impacting CUPS and IPP packages.

2 minutes read

The security researcher Simone Margaritelli (evilsocket), disclosed details of several vulnerabilities impacting CUPS and IPP packages: CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. These vulnerabilities are unlikely to be exploited in most cloud environments due to their requirements for exposing UDP port 631 and needing the victim to attempt a print request as part of the currently disclosed exploitation method. 

The vulnerabilities received CVSS base scores ranging from 8.0 to 9.0. It is recommended to mitigate these vulnerabilities and apply patches. 

What are these vulnerabilities? 

A remote, unauthenticated attacker can replace existing printers with a malicious one or add a new printer under their control, leading to arbitrary command execution when a print job is initiated from the affected system. The attack begins by sending a UDP packet to port 631, or in local LANs, attackers may spoof DNS advertisements. On vulnerable systems, the attacker can exploit this to replace or install a printer configuration on the victim's system that points to the attacker’s system. As part of the print service, an installed printer has the ability to execute arbitrary commands on the requesting system when a print request is made to it. In the most common scenarios the commands are run by the `lp` user, which is unprivileged.  

Wiz Research data: what’s the risk to cloud environments?       

According to Wiz data, 83% of cloud environments have at least one instance of the affected packages in the vulnerable version ranges. However, considering the current known exploitation method, we estimate that cloud environments are highly unlikely to be exploited remotely, since printing devices are rarely used in the cloud, and UDP port 631 is rarely open. 

What sort of exploitation has been identified in the wild?  

While no successful exploitation has been reported in the wild as of today, September 29, 2024, Wiz Threat Research has observed the following IPs attempting UDP communication through port 631, most likely scanning this port for malicious purposes or as part of security research -  

194.113.74[.]187 
195.228.75[.]121 
107.170.78[.]108 
107.170.72[.]202 
172.234.96[.]249 
192.34.63[.]88 
143.244.47[.]70 
104.152.52[.]220 

195.228.75[.]121, 143.244.47[.]70, 172.234.96[.]249 and 172.234.96[.]249 have also been observed by DataDog.  

Which products are affected? 

The following table lists the vulnerabilities and their impacted products: 

CVEPackageImpacted versions
CVE-2024-47176cups-browsedVersions up to and including 2.0.1
CVE-2024-47076libcupsfiltersVersions up to and including 2.1b1
CVE-2024-47175libppdVersions up to and including 2.1b1
CVE-2024-47177cups-filtersVersions up to and including 2.0.1

Which actions should security teams take? 

Few vendors released patches, it is also possible to apply these mitigations: 

  • Avoid exposing UDP port 631 and stop/disable cups-browsed

  • If CUPS support is required, you can apply this mitigation

    • Edit /etc/cups/cups-browsed.conf

    • Search for the BrowseRemoteProtocols configuration option 

    • Set the option to dnssd (the default value is dnssd cups, remove cups

    • Restart cups-browsed using sudo systemctl restart cups-browsed 

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment. 

References 

Continue reading

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management