On September 26, 2024, a security researcher disclosed several vulnerabilities affecting the Common UNIX Printing System (CUPS) within GNU/Linux distributions. CUPS is an open-source printing system that allows Unix-like operating systems, including Linux and macOS, to manage printers and print jobs across local and networked environments.
The newly identified CUPS vulnerabilities are:
- CVE-2024-47176: In CUPS-browsed versions up to 2.0.1, the service binds to UDP port 631 on all network interfaces, allowing any packet from any source to trigger a Get-Printer-Attributes IPP request to a URL controlled by an attacker.
- CVE-2024-47076: In libcupsfilters versions up to 2.1b1, the function cfGetPrinterAttributes5 fails to validate or sanitize IPP attributes returned from an IPP server, allowing attacker-controlled data to be passed through the rest of the CUPS system.
- CVE-2024-47175: In libppd versions up to 2.1b1, the function ppdCreatePPDFromIPP2 does not validate or sanitize IPP attributes when writing them to a temporary PPD file, allowing attacker-controlled data to be injected into the resulting PPD.
- CVE-2024-47177: In cups-filters versions up to 2.0.1, the foomatic-rip utility allows arbitrary command execution through the FoomaticRIPCommandLine PPD parameter, enabling an attacker to run commands.
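The last two items in the chain land in a PPD file: injected attributes are written into the PPD (CVE-2024-47175) and foomatic-rip then executes whatever the FoomaticRIPCommandLine directive contains (CVE-2024-47177). The following triage script is an added example, not code from the Arctic Wolf advisory or from the CUPS project: it lists the FoomaticRIPCommandLine value of every PPD in a directory so an administrator can compare them against the vendor's original driver files. It assumes the CUPS PPD directory is /etc/cups/ppd (overridable through the hypothetical PPD_DIR variable) and uses a constructed sample PPD for the self-check.

```shell
#!/bin/sh
# Added example (not from the Arctic Wolf advisory): triage installed PPD files
# for the FoomaticRIPCommandLine directive that foomatic-rip executes
# (CVE-2024-47177), and for cupsFilter lines that route jobs through foomatic-rip.
# Legitimate Foomatic-based drivers also carry this directive, so a hit is a
# lead to compare against the vendor's original PPD, not evidence of compromise.
# Assumption: the CUPS PPD directory is /etc/cups/ppd (override with PPD_DIR).

# Constructed sample PPD text (not a real driver file).
SAMPLE_PPD='*PPD-Adobe: "4.3"
*NickName: "Constructed Example Printer"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -sDEVICE=pxlmono -sOutputFile=- -"
*DefaultPageSize: Letter'

# Print every FoomaticRIPCommandLine value from PPD text on stdin, one per line.
# Handles single-line values only; PPDs that continue the value across lines
# need the continuation joined before this is applied.
extract_rip_command_lines() {
    sed -n 's/^\*FoomaticRIPCommandLine:[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p'
}

# Exit 0 if the PPD text on stdin routes jobs through foomatic-rip
# (cupsFilter or cupsFilter2 directive naming the filter).
uses_foomatic_rip() {
    grep -q '^\*cupsFilter2\{0,1\}:.*foomatic-rip'
}

# Walk a directory of PPDs and print "<file>: <command line>" for each
# FoomaticRIPCommandLine directive found, for review against known-good copies.
scan_ppd_dir() {
    dir=${1:-${PPD_DIR:-/etc/cups/ppd}}
    for f in "$dir"/*.ppd; do
        [ -f "$f" ] || continue
        extract_rip_command_lines < "$f" | while IFS= read -r cmd; do
            printf '%s: %s\n' "$f" "$cmd"
        done
    done
}

# Run the scan only when asked, so the functions can be reused on PPDs
# collected from other hosts: sh triage_ppd.sh --scan [directory]
if [ "${1:-}" = "--scan" ]; then
    scan_ppd_dir "${2:-}"
fi
```

Run it with `--scan` on a host (root is usually needed to read /etc/cups/ppd). Each reported line should match the directive in the vendor's shipped PPD for that driver; a command line that was not there originally, or a PPD for a printer nobody configured, is what the review is looking for.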
While the vulnerabilities had been responsibly disclosed to vendors and software maintainers, some details of the vulnerabilities were made public prior to the originally planned embargo period ending on October 6, 2024, prompting the security researcher that had discovered the vulnerabilities to release technical details of the vulnerabilities early in a blog post.
Note: This is a developing situation, and the full scope of the vulnerabilities is still being identified across the ecosystem of products and services that rely on CUPS.
Low Risk of Initial Access Exploitation
The CUPS daemon provides a means for printers to be discovered on a network over port 631. However, it is generally recognized that exposing this service on the public internet is a poor security practice, and doing so is therefore strongly discouraged.
Given that it is not a common configuration to host CUPS services on the public internet, Arctic Wolf assesses that the risk of initial access exploitation due to these vulnerabilities is likely to be low. Out of an abundance of caution, however, we are reviewing all available telemetry and notifying customers if we identify any activity suggestive of exploitation.
Local Area Network Exploitation
Considering that CUPS is most commonly used for printer discovery within local area networks, the most plausible scenario for exploitation would involve lateral movement by a threat actor that already has access to a network that has affected services running within it.
Although the initial vulnerabilities were reported to Linux software maintainers, other operating systems may also be affected since CUPS has been packaged for use in different contexts. This may include:
- Most Linux distributions
- MacOS
- BSD distributions (e.g., FreeBSD)
- ChromeOS
- Oracle Solaris
- Network printers
- Print management solutions
Arctic Wolf will monitor for new developments related to these vulnerabilities, and will keep customers informed as new information becomes available.
Recommendations
Recommendation #1: Closely Monitor Vendor Advisories for Updated CUPS Packages
Individual Linux distributions are still working on preparing advisories and patched packages. We strongly recommend monitoring Linux distribution advisories for security updates that remediate the CUPS service vulnerabilities and to apply the corresponding security updates promptly.
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
Recommendation #2: Consider Blocking Port 631 Outbound at the Firewall
It is considered a poor security practice to expose CUPS publicly on the internet. If this service needs to communicate with devices outside your organization’s LAN, prevent vulnerable CUPS services from initiating and establishing outbound connections at the firewall level until an official security patch has been applied.
Note: Each firewall will have a different process for how to configure this type of rule. Please refer to the documentation provided by your firewall vendor.
Recommendation #3: Disable the cups-browsed Service Where Possible
If the cups-browsed service is not needed for business operations, disable the service on individual hosts to reduce your organization’s attack surface.
Note: Disabling the service will be distribution specific; monitor for advisories for each affected OS accordingly.
Recommendation #4: Identify Prevalence of Devices Listening on Port 631 and Plan Remediation Accordingly
Create an inventory of local assets listening on port 631 to determine potential CUPS services running within your environment. This process can be facilitated with inventory and orchestration tools your organization may use, such as LanSweeper, SCCM, Tanium, CrowdStrike, etc.
This can be conducted with the ss command on individual Linux devices. Some distributions may require this command to be installed through distribution-specific packages (e.g., iproute2). The -n flag is included so that ss prints the numeric port rather than the service name (ipp), which the grep pattern would otherwise miss; -u lists UDP sockets, where cups-browsed binds, and adding -t would also include the TCP listener of cupsd itself.
sudo ss -lun | grep ':631'
Once a list of potentially vulnerable assets is identified, create a remediation plan to patch in accordance with the guidance of each identified asset’s vendor. Alternatively, consider disabling the affected services if they are not needed in that context.
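A host-level audit implementing this recommendation, added here as an example and not part of the Arctic Wolf advisory: it parses the output of ss for sockets on port 631, distinguishes a cups-browsed UDP socket bound on all interfaces (the exposure described in CVE-2024-47176) from one bound only to loopback, and reports the state of the cups-browsed unit. It assumes ss from iproute2 and, for the unit check, systemd's systemctl; the ss output it self-checks against is constructed, not captured from a real host. The parsing functions also accept saved ss output from other machines, so the same logic can run over output collected by an inventory tool.

```shell
#!/bin/sh
# Added example (not from the Arctic Wolf advisory): audit one Linux host for
# sockets bound to port 631. cupsd normally listens on TCP 631; cups-browsed
# binds UDP 631, and a wildcard bind there is the exposure described in
# CVE-2024-47176. Parsing is kept separate from collection so it can be
# checked against constructed `ss` output without root or a live printer.
# Assumes `ss` from iproute2 and, for the unit check, systemd's systemctl.

# Constructed sample of `ss -lntu` output (not captured from a real host).
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:631         0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*'

# Read `ss -lntu` output on stdin; print "<proto> <local address:port>" for
# every socket whose local port is exactly 631 (":631$" excludes 6310, 1631).
find_port_631_listeners() {
    awk 'NR > 1 && $5 ~ /:631$/ { print $1, $5 }'
}

# Number of sockets on port 631 in the `ss` output on stdin.
count_port_631_listeners() {
    find_port_631_listeners | awk 'END { print NR }'
}

# Classify the UDP 631 bind from `ss` output on stdin:
#   wildcard          bound on all interfaces (0.0.0.0, [::] or *)
#   specific-address  bound on an individual interface address
#   loopback-only     bound on 127.0.0.1 or [::1] only
#   none              no UDP socket on port 631
classify_udp_631() {
    awk 'NR > 1 && $1 == "udp" && $5 ~ /:631$/ {
            addr = $5; sub(/:631$/, "", addr)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") wildcard = 1
            else if (addr == "127.0.0.1" || addr == "[::1]") loopback = 1
            else specific = 1
         }
         END {
            if (wildcard) print "wildcard"
            else if (specific) print "specific-address"
            else if (loopback) print "loopback-only"
            else print "none"
         }'
}

# Live audit of the current host; listing sockets needs no privileges.
audit_host() {
    if ! command -v ss >/dev/null 2>&1; then
        echo "ss not found; install the iproute2 package" >&2
        return 1
    fi
    out=$(ss -lntu 2>/dev/null)
    echo "Sockets bound to port 631:"
    printf '%s\n' "$out" | find_port_631_listeners
    echo "UDP 631 exposure: $(printf '%s\n' "$out" | classify_udp_631)"
    if command -v systemctl >/dev/null 2>&1; then
        state=$(systemctl is-active cups-browsed 2>/dev/null || true)
        echo "cups-browsed unit state: ${state:-unknown}"
    fi
}

# Run the live audit only when asked, so the parsers can be used on saved
# `ss` output from other hosts: sh audit_631.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_host
fi
```

A result of "wildcard" together with an active cups-browsed unit is the combination the advisory's Recommendation #3 addresses; a "loopback-only" or "none" result with only a TCP 127.0.0.1:631 socket means the host is printing locally without advertising the browse service to the network.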